[keycloak-dev] Allow bearer-only cilents to have service accounts

Stian Thorgersen sthorger at redhat.com
Mon Jan 9 02:44:06 EST 2017

Set fix version on the issue to 3.0.0.CR1. It's not critical now, but we
should do it.

On 6 January 2017 at 16:05, Marek Posolda <mposolda at redhat.com> wrote:

> On 04/01/17 06:46, Stian Thorgersen wrote:
>> Currently a bearer-only client can't have a service account and that seems
>> like a mistake. Further this prevents bearer-only clients to use the
>> authorization services.
>> Is there any good reasons why bearer-only clients can't have service
>> accounts and be able to obtain token using the client credential grant?
> I assumed that bearer-only client shouldn't be able to have any tokens and
> clientSessions, which are dedicated directly to him. It is just REST
> service, which "consumes" the access tokens created for other clients. Also
> the flag name "Bearer-only" states exactly this. That's the main reason why
> I did it that way for service accounts.
> I can't see any big issue with bearer-only client being able to have
> service account. There are just few things, which will need to be done
> though (eg. tabs "Mappers" and "Scopes" will need to be enabled for
> bearer-only clients with enabled service account etc).
> Marek
>> The only thing a bearer-only client should be prevented to do IMO is
>> authenticate users (authorization code flow and resource owner credential
>> grant).
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev

More information about the keycloak-dev mailing list