+1
On Tue, Jul 9, 2019 at 9:58 AM Juan Camilo Vanegas <juan.vanegas(a)netuxtecnologia.com> wrote:
Hi Pedro.
Thanks for your help. So basically, if you need to protect your resources
on the back-end, you should use a confidential client, but the
keycloak.json configuration file should have the bearer-only key set to
true, to avoid redirecting the user to the login page and instead send
a 403 Access denied response. Is this correct?
Best regards,
On Tue, Jul 9, 2019 at 7:33, Pedro Igor Silva (<psilva(a)redhat.com>) wrote:
> Hi Juan,
>
> It is the expected behavior but also a UI issue. You should not have
> access to that tab when the client is bearer-only. I've created
> https://issues.jboss.org/browse/KEYCLOAK-10808.
>
> On Fri, Jul 5, 2019 at 4:42 PM Juan Camilo Vanegas <juan.vanegas(a)netuxtecnologia.com> wrote:
>
>> Hi.
>>
>> I am developing a Node.js web app that uses Keycloak as authentication
>> service. I already have two clients: public client for the web app
>> (app-web) and bearer-only for the API (app-api). On the app-api I use
>> resources, scopes, policies, and permissions to control the access.
>>
>> To check the permissions, I am using the keycloak.enforcer(...) from the
>> keycloak-connect module (npm keycloak-connect
>> <https://www.npmjs.com/package/keycloak-connect>). When I try to check
>> permission, the server always returns a 403 Access denied response. But if I
>> change app-api from bearer-only to confidential (keeping the same
>> keycloak.json configuration file), the client works fine and is able to
>> check permissions.
>>
>> This problem seems to be because a bearer-only client cannot obtain tokens
>> from the server (keycloak similar question
>> <http://keycloak-user.88327.x6.nabble.com/keycloak-user-can-we-use-authori...>).
>>
>> My question is: Is this a normal behavior of Keycloak? Why allow the
>> Authorization tab in bearer-only clients if you cannot use the
>> keycloak.enforcer? Am I missing some configuration?
>>
>> Thanks for your help.
>>
>>
>> Stack Overflow question:
>> https://stackoverflow.com/questions/56906984/keycloak-policy-enforcer-bea...
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>