[keycloak-dev] Allow bearer-only cilents to have service accounts
mposolda at redhat.com
Fri Jan 6 10:05:25 EST 2017
On 04/01/17 06:46, Stian Thorgersen wrote:
> Currently a bearer-only client can't have a service account and that seems
> like a mistake. Further this prevents bearer-only clients to use the
> authorization services.
> Is there any good reasons why bearer-only clients can't have service
> accounts and be able to obtain token using the client credential grant?
I assumed that bearer-only client shouldn't be able to have any tokens
and clientSessions, which are dedicated directly to him. It is just REST
service, which "consumes" the access tokens created for other clients.
Also the flag name "Bearer-only" states exactly this. That's the main
reason why I did it that way for service accounts.
I can't see any big issue with bearer-only client being able to have
service account. There are just few things, which will need to be done
though (eg. tabs "Mappers" and "Scopes" will need to be enabled for
bearer-only clients with enabled service account etc).
> The only thing a bearer-only client should be prevented to do IMO is
> authenticate users (authorization code flow and resource owner credential
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
More information about the keycloak-dev