[keycloak-user] Help understanding Bearer-only
Mai Zi
ornot2008 at yahoo.com
Thu Sep 24 06:06:48 EDT 2015
Hi there, here is a metaphor for what we are working on.
Suppose we are a primary school. We'd like to offer a sports club card to our teachers so they can go to exercise on the weekend. The workflow is simple:
1) We apply for a card from the club.
2) We give the card to the teacher.
3) The teacher takes the card to the club to do whatever.
With Keycloak, we think:
1) The card is the token.
2) We, the school, are the OAuth client.
3) The teacher and the club go with bearer-only.
Based on the understanding above,
1) Through the admin REST endpoints, we (the school) create a user account, reset the password to whatever, set the role for the user, and finally acquire this user's access token. In this step the user is not involved at all.
2) We transfer this access token to the user .
3) The user now visits the club's REST endpoints carrying this token.
Unfortunately, we cannot reach the club's resource. The code is 403 Forbidden.
I am not sure whether we have the right idea of the bearer-only model or not, or whether we missed something.
Any help will be appreciated.
Mai
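Added example (not from the post, and not Keycloak's own adapter code) of the decision a bearer-only resource server makes about the token presented in step 3, and why it can answer 403 rather than 401: the signature verifies, so the caller is authenticated, but the role the resource requires is not among the roles carried in the token. Assumptions: HS256 with a constructed shared secret stands in for Keycloak's RS256 realm key (a real bearer-only service verifies with the realm's public key); the claim names `realm_access.roles` and `resource_access.<client-id>.roles` are the ones Keycloak places in its access tokens; the role name `club-member` and the subject names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. A real Keycloak realm signs access tokens with an RSA key
# (RS256) and the bearer-only service verifies them with the realm's public key.
DEMO_KEY = b"demo-shared-secret"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact JWS (header.payload.signature) with HS256, demo only.
    This plays the part of the token the school obtains in step 1."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, key: bytes = DEMO_KEY):
    """Return the claims dict if the signature is valid, otherwise None."""
    try:
        header, payload, sig = token.split(".")
        signing_input = f"{header}.{payload}".encode()
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):
        # Malformed token, bad base64, bad JSON: treat all as unauthenticated.
        return None


def authorize(token: str, required_role: str, key: bytes = DEMO_KEY) -> tuple:
    """Mimic the bearer-only resource server's decision for one request:
    401 when the token is missing or fails verification (authentication failed),
    403 when the token is valid but lacks the required role (authorization failed),
    200 otherwise."""
    claims = verify_token(token, key)
    if claims is None:
        return 401, "invalid or missing bearer token"
    # Realm-level roles live under realm_access.roles in a Keycloak access token.
    roles = set(claims.get("realm_access", {}).get("roles", []))
    # Client-level roles live under resource_access.<client-id>.roles.
    for client_entry in claims.get("resource_access", {}).values():
        roles.update(client_entry.get("roles", []))
    if required_role not in roles:
        return 403, f"subject {claims.get('sub')} authenticated but lacks role {required_role!r}"
    return 200, "ok"


if __name__ == "__main__":
    # Constructed tokens: one with the role the club requires, one without.
    with_role = mint_token({"sub": "teacher1", "realm_access": {"roles": ["club-member"]}})
    without_role = mint_token({"sub": "teacher2", "realm_access": {"roles": ["teacher"]}})
    for label, tok in [("with role", with_role), ("without role", without_role), ("tampered", with_role + "x")]:
        print(label, authorize(tok, "club-member"))
```

The useful check when a bearer-only service answers 403 is therefore to base64url-decode the payload segment of the token actually being sent and confirm that the role the protected resource requires appears under `realm_access.roles` or under `resource_access` for that client; a 401 would instead point at the token not verifying (wrong realm, wrong key, expired) rather than at a role mapping.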