You don't always need to register a client for a REST services, but it
needs to be registered if:
* You invoke token introspection endpoint
* You use authorization services
* You want to retrieve config for the adapter from Keycloak
* You want to assign client level roles to the service
But, if all you want is to verify the token you can skip registering in
On 1 November 2016 at 09:57, Robert . <robert.discussions(a)gmail.com> wrote:
I'm trying to expand my knowledge about Keycloak and OpenID
Is it necessary for a stateless REST webservice to be registered as a
client in Keycloak?
The token send to the REST service is signed, so the REST service could
verify the authenticity and validity of the token if it has the public key
of the keycloak server.
Why would there be any need for direct communication between the REST
service and Keycloak?
keycloak-user mailing list