[keycloak-dev] Allow bearer-only clients to have service accounts

Marek Posolda mposolda at redhat.com
Fri Jan 6 10:05:25 EST 2017

On 04/01/17 06:46, Stian Thorgersen wrote:
> Currently a bearer-only client can't have a service account and that seems
> like a mistake. Further, this prevents bearer-only clients from using the
> authorization services.
> Are there any good reasons why bearer-only clients can't have service
> accounts and be able to obtain a token using the client credentials grant?
I assumed that a bearer-only client shouldn't be able to have any tokens 
and clientSessions which are dedicated directly to it. It is just a REST 
service, which "consumes" the access tokens created for other clients. 
Also, the flag name "Bearer-only" states exactly this. That's the main 
reason why I did it that way for service accounts.

I can't see any big issue with a bearer-only client being able to have a 
service account. There are just a few things which will need to be done, 
though (e.g. the tabs "Mappers" and "Scopes" will need to be enabled for 
bearer-only clients with service accounts enabled, etc.).

> The only thing a bearer-only client should be prevented from doing IMO is
> authenticating users (authorization code flow and resource owner credential
> grant).
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
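The split the two messages above converge on (a bearer-only client may use the client credentials grant but must never authenticate end users) can be checked mechanically against Keycloak client definitions. The following is an added example, not code from the Keycloak project or from either author. It reads ClientRepresentation-style dicts as returned by the Keycloak admin REST API (the field names bearerOnly, serviceAccountsEnabled, standardFlowEnabled, implicitFlowEnabled, directAccessGrantsEnabled and publicClient are real Keycloak fields); the audit rules, the sample clients and the token endpoint path layout are assumptions made for illustration.

```python
"""Audit Keycloak client representations for the bearer-only / service-account
combination discussed in the thread.

Added example, not Keycloak's own code. Field names follow the Keycloak admin
REST ClientRepresentation; the policy rules and the sample clients below are
assumptions made for illustration.
"""
from urllib.parse import urlencode

# Grants that authenticate an end user. Per the thread, these are the only
# things a bearer-only client should be prevented from doing.
USER_FLOWS = {
    "standardFlowEnabled": "authorization code flow",
    "implicitFlowEnabled": "implicit flow",
    "directAccessGrantsEnabled": "resource owner password credentials grant",
}


def audit_client(rep):
    """Return a list of findings for one ClientRepresentation dict.

    Assumed policy (not a rule Keycloak itself enforces):
      - a bearer-only client must not enable any user-authenticating flow
      - a client with a service account must be confidential, since the
        client credentials grant needs a client secret
      - bearer-only plus service account is acceptable and only reported as
        informational so a reviewer notices the combination
    """
    findings = []
    bearer_only = rep.get("bearerOnly", False)
    service_account = rep.get("serviceAccountsEnabled", False)
    public = rep.get("publicClient", False)

    if bearer_only:
        for field, name in USER_FLOWS.items():
            if rep.get(field, False):
                findings.append(f"ERROR: bearer-only client enables {name} ({field})")
    if service_account and public:
        findings.append("ERROR: service account on a public client "
                        "(no secret for client_credentials)")
    if bearer_only and service_account and not findings:
        findings.append("INFO: bearer-only client with a service account; "
                        "client_credentials grant only")
    return findings


def audit_realm(clients):
    """Map clientId -> findings for every client that has at least one."""
    return {c["clientId"]: audit_client(c) for c in clients if audit_client(c)}


def client_credentials_request(base_url, realm, client_id, client_secret):
    """Build the token-endpoint POST a service account would send.

    Returns (url, form_body). Assumes the endpoint lives at
    {base_url}/realms/{realm}/protocol/openid-connect/token; older deployments
    mount it under a /auth prefix, which the caller can include in base_url.
    """
    url = f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    })
    return url, body


# Constructed sample clients (not from any real realm export).
SAMPLE_CLIENTS = [
    {   # the case the thread argues for: bearer-only REST service that also
        # needs its own service-account token, user flows switched off
        "clientId": "inventory-api", "bearerOnly": True,
        "serviceAccountsEnabled": True, "publicClient": False,
        "standardFlowEnabled": False, "implicitFlowEnabled": False,
        "directAccessGrantsEnabled": False,
    },
    {   # misconfigured: bearer-only but still able to authenticate users
        "clientId": "legacy-api", "bearerOnly": True,
        "serviceAccountsEnabled": False, "publicClient": False,
        "standardFlowEnabled": True, "implicitFlowEnabled": False,
        "directAccessGrantsEnabled": True,
    },
    {   # misconfigured: public client cannot hold the secret a service
        # account needs for the client credentials grant
        "clientId": "spa", "bearerOnly": False,
        "serviceAccountsEnabled": True, "publicClient": True,
        "standardFlowEnabled": True, "implicitFlowEnabled": False,
        "directAccessGrantsEnabled": False,
    },
]

if __name__ == "__main__":
    for client_id, findings in audit_realm(SAMPLE_CLIENTS).items():
        print(client_id)
        for f in findings:
            print("  " + f)
    url, body = client_credentials_request(
        "https://sso.example.test", "demo", "inventory-api", "s3cr3t")
    print(url, body)
```

The audit pulls the rules apart the way the thread does: user-authenticating flows are errors on a bearer-only client regardless of service accounts, while bearer-only plus service account is merely surfaced. Feeding it the output of `GET /admin/realms/{realm}/clients` gives a quick review of an existing realm.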
