I think Bearer only method does not communicate with OIDC server by default
(except Keycloak client lib downloading the auth server certs from a public
endpoint), but decodes the JWT token and validates the signature with the
servers cert and checks expiration. Thats all.
This is why JWT tokens are not the best for session validation in some
strict environments, because a bearer only service invokable with a token
connected to an already invalidated session. With a token lifetime of 5
mins this will cause 5 minutes of "not authorized" invocations in worst
case.
Sometimes this is enough secure but in some situations you want to avoid
this. To bypass this limitation you can use Keycloak userinfo endpoint
explicitly with the token which will check the session status also.
L
László Szabó
Staff backend engineer
+36302939052
Budapest
Falcon.io
Kossuth Lajos utca 7-9, Regus First Site
1053 Budapest
CG no.: 01-09-270982/4
[image: Falcon Social]
<
https://www.falcon.io/?utm_source=Employee%20emails&utm_medium=email&...
Meet Your Customers
On Wed, Oct 25, 2017 at 1:03 PM, Gunter Zeilinger <gunterze(a)gmail.com>
wrote:
I have deployed 2 web-applications - one for the UI and one
providing
RESTful Services - in one EAR in Wildfly 10, both secured by using the
JBoss EAP/Wildfly Adapter, the UI WAR with
<public-client>true</public-client>, and the RS WAR with
<bearer-only>true</bearer-only>, both with different values for the
client-id by <resource>xxxxx</resource>.
The UI application propagates the authentication to the REST Services
similarly as shown in
https://github.com/keycloak/
keycloak/blob/master/examples/demo-template/customer-app/
src/main/java/org/keycloak/example/CustomerDatabaseClient.java . (The only
difference is that the access token is provided by the UI Application to an
Angular 2 client, which then directly invokes the RESTful services using
that token).
It works, but I realized, that it also works if there is no client with
matching id for the RESTful web-application configured in Keycloak. Is that
intended?
Thanks for any clarification,
Gunter
J4Care
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user