[keycloak-user] Recommendations for protecting REST service with bearer token and basic auth

Bill Burke bburke at redhat.com
Fri Nov 21 11:55:14 EST 2014

On 11/21/2014 11:35 AM, Juraci Paixão Kröhling wrote:
> On 11/21/2014 05:09 PM, Bill Burke wrote:
>> I don't think we ever want to separate the token from the user
>> session.
> So, this means that all hosts using an offline refresh token created
> for the user "jdoe1" will have to be replaced if said employee is
> fired? This would be the advantage (and main purpose, IMO) of having
> service accounts.

Why does a "service account" have to be anything special?  Why can't it 
be a regular user?

Bill Burke
JBoss, a division of Red Hat
