Hi there, here is a metaphor for what we are working on.
Suppose we are a primary school. We'd like to offer a sports club card to our
teachers so they can go and exercise at the weekend. The workflow is simple:
1) We apply for a card from the club.
2) We give the card to the teacher.
3) The teacher takes the card to the club to do whatever.
With Keycloak, we think:
1) The card is the token.
2) We, the school, are the OAuth client.
3) The teacher and the club go with bearer-only.
Based on the understanding above:
1) Through the admin REST endpoints, we (the school) create a user account, reset its
password, set the role for the user, and finally acquire this user's access token.
In this step the user is not involved at all.
2) We transfer this access token to the user.
3) The user now visits the club's REST endpoints carrying this token.
Unfortunately, we cannot reach the club's resource. The response code is 403 Forbidden.
I am not sure whether we have the right idea about the bearer-only model or not, or
whether we missed something.
Any help will be appreciated.
Mai
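Added example, not part of the original post: when a bearer-only resource server answers 403 rather than 401, a practical first check is to inspect the claims inside the access token (expiry, audience, realm and client roles) against what that resource server expects. The client ids ("school", "club"), the role names and the sample token below are constructed placeholders; the code decodes the payload for troubleshooting only and does not verify the signature, which the resource server still has to do.

```python
"""Inspect a Keycloak-style JWT access token's claims to see why a bearer-only
resource server could reject it with 403. Added example, not from the original
post; it decodes the payload WITHOUT verifying the signature. Client ids, role
names and the sample token are constructed placeholders."""
import base64
import json
import time

def decode_payload(token: str) -> dict:
    """Return the JWT payload (middle segment) as a dict, unverified."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    payload = segments[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_token_for_resource(token: str, resource_client: str,
                             required_role: str, now=None) -> list:
    """List reasons a bearer-only client `resource_client` requiring
    `required_role` would refuse this token. Empty list means it looks fine."""
    claims = decode_payload(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("exp", 0) <= now:
        problems.append("token expired (exp)")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # aud may be string or list
    if resource_client not in aud:
        problems.append(f"aud does not include {resource_client}")
    realm_roles = set(claims.get("realm_access", {}).get("roles", []))
    client_roles = set(claims.get("resource_access", {})
                       .get(resource_client, {}).get("roles", []))
    if required_role not in realm_roles | client_roles:
        problems.append(f"role {required_role} missing from realm_access/resource_access")
    return problems

def make_sample_token(payload: dict) -> str:
    """Build an unsigned, constructed token carrying `payload` for the demo."""
    def b64(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(payload)}.sig"

# Constructed token as the school (client "school") might obtain for a teacher:
# audience and roles were issued for "school", not for the club's bearer-only client.
SAMPLE = make_sample_token({
    "exp": 2_000_000_000, "azp": "school", "aud": ["school", "account"],
    "realm_access": {"roles": ["teacher"]},
    "resource_access": {"school": {"roles": ["member"]}},
})

if __name__ == "__main__":
    for p in check_token_for_resource(SAMPLE, "club", "club-member", now=1_700_000_000):
        print("403 candidate:", p)
```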