[keycloak-user] OAuth and achieving authorisation across apps - repost

Simon Gordon dev at sgordon.totalise.co.uk
Fri Mar 18 03:07:27 EDT 2016


Hey all

I feel compelled to ask another basic question of you, thanks in advance!

Looking at the demos, in a basic OAuth2 scenario, the protected resource 
server (let's use the database-server within the demo-templates) is 
configured in keycloak.json as: {
  "realm" : "demo",
  "resource" : "database-service",
  "realm-public-key" : 
  "auth-server-url": "/auth",
  "bearer-only" : true,
  "ssl-required" : "external"

In the web.xml, the database-service is permitting only requests ('/*') to 
those clients that have been granted the 'user' role.

In the design, this service is receiving bearer tokens only - so can I 
assume that the bearer token has the roles associated with the token 
encoded within the bearer token? (Plus the token is signed with the realm 

Or is there a back-channel conversation which I can't see in the 
configuration, maybe derived from 'auth-server-url'?

Thank you for any thoughts!



More information about the keycloak-user mailing list