Thank you Sebastien Blanc,
So it’s a normal behavior, it answers my question.
But I’m curious, why is the « resource » property required if it is used only when
« use-resource-role-mappings » is set to true?
It is the fact that the « resource » property is required that led me to think I had an
issue.
Regards,
Marc Destefanis.
From: Sebastien Blanc [mailto:sblanc@redhat.com]
Sent: Wednesday, 9 August 2017 10:43
To: Marc Destefanis <marc.destefanis(a)easytrust.com>
Cc: keycloak-user(a)lists.jboss.org; Sonia Belhadj <sonia.belhadj(a)easytrust.com>
Subject: Re: [keycloak-user] keycloak.json configuration - link between resource attribute
and Keycloak client
It's because of the "bearer-only" nature of your client. Only the token is
verified. In some cases it could use the 'resource' property if for instance
"use-resource-role-mappings" is used
(https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-co...)
On Wed, Aug 9, 2017 at 9:57 AM, Marc Destefanis
<marc.destefanis@easytrust.com> wrote:
Hi,
I don't understand how the « resource » attribute from the keycloak.json is
bound to a client. Let me explain the case I face:
In my WAR I have a keycloak.json which contains the value « WS » in the
« resource » attribute.
I've previously created a « GUI » client that allows me to generate a token and
a « WS » client with a bearer-only access type that I use to secure my WARs.
Everything works fine, my WARs are secured and I'm able to request the web services
with the token generated with the GUI client.
BUT,
If I change the « resource » attribute value to a client name which doesn't
exist, it still works.
I can set the « resource » attribute to « anyThing » or « oneTwoThree »
etc. and it still works even if I didn't create these clients.
I was expecting an error like « the client oneTwoThree doesn't exist » or
something else when I request a web service secured in a WAR with a non-existing resource
value in the keycloak.json file.
Is it normal behavior?
Did I misunderstand something or do I have an issue?
Regards,
Marc Destefanis.
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
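
The behaviour discussed in this thread, as an added example that is not part of the original messages and not Keycloak's own code: a simplified Python model of how a bearer-only service picks roles from an already verified access token, with and without "use-resource-role-mappings". The token claims, the role names "user" and "ws-reader", and the helper function names are constructed for illustration.

```python
# Simplified model of adapter role selection; not Keycloak source code.
# Assumes the bearer token's signature and expiry were already verified.

# Constructed sample: claims of an access token obtained through the GUI client.
TOKEN_CLAIMS = {
    "azp": "GUI",
    "realm_access": {"roles": ["user"]},
    "resource_access": {"WS": {"roles": ["ws-reader"]}},
}


def adapter_config(resource, use_resource_role_mappings=False):
    """Build the relevant part of a keycloak.json for a bearer-only service."""
    return {
        "resource": resource,
        "bearer-only": True,
        "use-resource-role-mappings": use_resource_role_mappings,
    }


def effective_roles(config, claims):
    """Return the roles the service would see for this token."""
    if config.get("use-resource-role-mappings", False):
        # Client roles: looked up under the configured resource name.
        access = claims.get("resource_access", {}).get(config["resource"])
    else:
        # Realm roles: the resource name is never consulted.
        access = claims.get("realm_access")
    return set((access or {}).get("roles", []))


def is_authorized(config, claims, required_role):
    """Check a role constraint against the roles selected above."""
    return required_role in effective_roles(config, claims)


if __name__ == "__main__":
    for resource in ("WS", "oneTwoThree"):
        for flag in (False, True):
            cfg = adapter_config(resource, flag)
            print(resource, flag, sorted(effective_roles(cfg, TOKEN_CLAIMS)))
```

With the flag off, a misspelled or non-existent resource name changes nothing; with the flag on, it silently yields an empty role set, so every role-protected endpoint denies access rather than reporting an unknown client.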