[keycloak-dev] Keycloak doubts

David Ramírez d.rami85 at gmail.com
Wed Oct 14 13:31:03 EDT 2015


Thanks Marek!

2015-10-14 18:57 GMT+02:00 Marek Posolda <mposolda at redhat.com>:

> On 14/10/15 18:35, David Ramírez wrote:
>
> Hi guys,
>
> I'm new to the Keycloak server; after reading the official documentation I
> have a couple of questions.
>
> Following the OAuth2 flow:
>
>   +--------+                                           +---------------+
>   |        |--(A)------- Authorization Grant --------->|               |
>   |        |                                           |               |
>   |        |<-(B)----------- Access Token -------------|               |
>   |        |               & Refresh Token             |               |
>   |        |                                           |               |
>   |        |                            +----------+   |               |
>   |        |--(C)---- Access Token ---->|          |   |               |
>   |        |                            |          |   |               |
>   |        |<-(D)- Protected Resource --| Resource |   | Authorization |
>   | Client |                            |  Server  |   |     Server    |
>   |        |--(E)---- Access Token ---->|          |   |               |
>   |        |                            |          |   |               |
>   |        |<-(F)- Invalid Token Error -|          |   |               |
>   |        |                            +----------+   |               |
>   |        |                                           |               |
>   |        |--(G)----------- Refresh Token ----------->|               |
>   |        |                                           |               |
>   |        |<-(H)----------- Access Token -------------|               |
>   +--------+           & Optional Refresh Token        +---------------+
>
>
>
> are 'Client' and 'Resource Server' Keycloak clients?
>
> For example, I have an Android app and a service (Java REST service); should both be registered in the Keycloak server as clients?
>
> Yes. Theoretically it's not needed to register your REST service as a
> Keycloak client, but it's useful for various reasons. For example, you will
> be able to propagate admin events from the KC admin console to it, like
> pushing the not-before policy.
>
> The last question is about Refresh token.
>
> When I authenticate to obtain an access token through 'http://localhost:8080/auth/realms/demo/protocol/openid-connect/token', I receive a refresh token too.
>
> If I try to get a protected resource with the refresh token, I get access to it... Why is that possible? I thought the refresh token was only for generating new access tokens. I'm a bit confused.
>
> It's a bug, which is fixed in the latest master and will be in the 1.6 release.
>
> Marek
>
> I would appreciate any help, thanks.
>
>
>
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
>
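The behaviour Marek confirms above (a refresh token being accepted where an access token is expected) comes down to what the resource server actually checks. Both tokens are JWTs issued by the same realm, so a service that only validates the signature and the expiry cannot tell them apart; Keycloak marks access tokens with the claim `typ: "Bearer"` and refresh tokens with `typ: "Refresh"`, and that claim is the discriminator the resource server must enforce. The following is an added example, not code from the thread, from Keycloak or from its adapters. It assumes an HS256 shared key instead of the realm's RSA key so that it runs with the Python standard library only; the key, issuer URL, subject and expiry values are constructed for the example, and the two validators (`naive_resource_server_accepts`, `hardened_resource_server_accepts`) are hypothetical names for the "before" and "after" checks.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example (not real realm material).
REALM_KEY = b"constructed-realm-signing-key"
ISSUER = "http://localhost:8080/auth/realms/demo"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT. Assumption: stands in for the realm signing key;
    Keycloak signs with RSA, but the claim layout is what matters here."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(mac)


def _verify_signature_and_expiry(token: str, key: bytes, now: float) -> dict:
    """Shared checks: algorithm pinned, signature valid, token not expired."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def naive_resource_server_accepts(token: str, key: bytes, now=None) -> bool:
    """Signature and expiry only. A refresh token from the same realm passes,
    which is the behaviour described in the thread."""
    now = time.time() if now is None else now
    try:
        _verify_signature_and_expiry(token, key, now)
        return True
    except ValueError:
        return False


def hardened_resource_server_accepts(token: str, key: bytes, issuer: str, now=None) -> bool:
    """Additionally requires the token to be an access token (typ Bearer)
    issued by the expected realm. A refresh token is rejected even though
    its signature is valid."""
    now = time.time() if now is None else now
    try:
        claims = _verify_signature_and_expiry(token, key, now)
    except ValueError:
        return False
    return claims.get("typ") == "Bearer" and claims.get("iss") == issuer


def mint_pair(now: float, key: bytes = REALM_KEY, issuer: str = ISSUER):
    """Constructed access/refresh token pair like the one the token endpoint
    returns: same issuer, same key, different typ and lifetime."""
    access = sign_token(
        {"typ": "Bearer", "iss": issuer, "sub": "user-1", "azp": "android-app", "exp": now + 300}, key
    )
    refresh = sign_token(
        {"typ": "Refresh", "iss": issuer, "sub": "user-1", "azp": "android-app", "exp": now + 1800}, key
    )
    return access, refresh


if __name__ == "__main__":
    t = time.time()
    access, refresh = mint_pair(t)
    print("naive accepts refresh token:", naive_resource_server_accepts(refresh, REALM_KEY, t))
    print("hardened accepts refresh token:", hardened_resource_server_accepts(refresh, REALM_KEY, ISSUER, t))
```

The point of the hardened check is that signature validity proves who issued the token, not what it is for; the resource server has to reject anything whose `typ` is not `Bearer`, and should also pin the issuer so a token from another realm signed with a different key is not even considered.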