[keycloak-dev] Keycloak doubts

Marek Posolda mposolda at redhat.com
Wed Oct 14 12:57:12 EDT 2015


On 14/10/15 18:35, David Ramírez wrote:
>
> Hi guys,
>
> I'm new with the Keycloak server; after reading the official documentation I 
> have a couple of questions.
>
> Following the OAuth2 flow:
>
>    +--------+                                           +---------------+
>    |        |--(A)------- Authorization Grant --------->|               |
>    |        |                                           |               |
>    |        |<-(B)----------- Access Token -------------|               |
>    |        |               & Refresh Token             |               |
>    |        |                                           |               |
>    |        |                            +----------+   |               |
>    |        |--(C)---- Access Token ---->|          |   |               |
>    |        |                            |          |   |               |
>    |        |<-(D)- Protected Resource --| Resource |   | Authorization |
>    | Client |                            |  Server  |   |     Server    |
>    |        |--(E)---- Access Token ---->|          |   |               |
>    |        |                            |          |   |               |
>    |        |<-(F)- Invalid Token Error -|          |   |               |
>    |        |                            +----------+   |               |
>    |        |                                           |               |
>    |        |--(G)----------- Refresh Token ----------->|               |
>    |        |                                           |               |
>    |        |<-(H)----------- Access Token -------------|               |
>    +--------+           & Optional Refresh Token        +---------------+
>
>   
> are 'Client' and 'Resource Server' Keycloak clients?
> For example, I have an Android App and a Service (Java REST service); should both be registered in the Keycloak Server as clients?
Yes. Theoretically it's not necessary to register your REST Service as a 
Keycloak client, but it's useful for various reasons. For example, you 
will be able to propagate admin events from the KC admin console to it, like 
pushing a not-before policy.
> The last question is about Refresh token.
> When I authenticate to obtain an access token through 'http://localhost:8080/auth/realms/demo/protocol/openid-connect/token', I receive a refresh token too.
> If I try to get a protected resource with the refresh token I get access to it... Why is it possible? I thought that the refresh token was only for generating a new access token. I'm a bit confused.
It's a bug, which is fixed in the latest master and will be in the 1.6 release.

Marek
> I will appreciate any help, thanks.
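The bug Marek confirms above is what happens when a resource server checks only a token's signature and expiry: a refresh token, which is a signed JWT from the same issuer, passes those checks and is wrongly accepted as a bearer token. The following is an added example, not Keycloak's code and not from this thread, of the resource-server check that closes that gap: it verifies signature, issuer and expiry, and then rejects any token whose `typ` claim is not `Bearer`. It assumes the Keycloak convention that access tokens carry `typ: Bearer` and refresh tokens `typ: Refresh`, uses a constructed HMAC secret in place of the realm's RSA key so it runs offline, and the `mint_token` helper is a stand-in for the token endpoint.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret standing in for the realm signing key.
# Keycloak signs with an RSA key; HMAC is used here only so the example runs offline.
SECRET = b"demo-realm-hmac-secret-not-for-production"
ISSUER = "http://localhost:8080/auth/realms/demo"  # realm URL from the thread


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(typ: str, now: int, lifetime: int) -> str:
    """Constructed stand-in for the token endpoint: issues an HS256 JWT.

    typ is "Bearer" for an access token or "Refresh" for a refresh token
    (assumed Keycloak convention for the typ claim).
    """
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER,
        "typ": typ,
        "iat": now,
        "exp": now + lifetime,
        "sub": "demo-user",       # constructed subject
        "azp": "android-app",     # constructed client id
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_bearer(token: str, now: int) -> dict:
    """Resource-server check. Raises ValueError on any failure.

    Order matters only for error reporting; every check must pass.
    The final typ check is the one that stops a refresh token being used
    as an access token.
    """
    try:
        h, c, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")

    # 1. Signature, compared in constant time.
    expected = hmac.new(SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")

    # 2. Pin the algorithm so a header swap cannot downgrade verification.
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")

    claims = json.loads(_b64url_decode(c))

    # 3. Issuer and expiry.
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")

    # 4. Token type: only an access token may be presented as a bearer token.
    if claims.get("typ") != "Bearer":
        raise ValueError(f"token type {claims.get('typ')!r} is not an access token")
    return claims


def access_resource(token: str, now: int) -> tuple:
    """Simulates the protected REST endpoint: (status, body)."""
    try:
        claims = verify_bearer(token, now)
    except ValueError as e:  # binascii.Error and JSONDecodeError are subclasses
        return 401, str(e)
    return 200, f"hello {claims['sub']}"


if __name__ == "__main__":
    now = int(time.time())
    access = mint_token("Bearer", now, 300)
    refresh = mint_token("Refresh", now, 1800)
    print("access token  ->", access_resource(access, now))
    print("refresh token ->", access_resource(refresh, now))
```

In a real deployment the signature step would verify the realm's RSA public key (fetched from the realm's certificate endpoint) rather than a shared HMAC secret, but the type check is the same: anything whose `typ` is not `Bearer` is a 401 at the resource server, regardless of whether its signature is valid.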
