[keycloak-user] keycloak.json configuration - link between resource attribute and Keycloak client

Sebastien Blanc sblanc at redhat.com
Wed Aug 9 04:43:21 EDT 2017


It's because of the "bearer-only" nature of your client. Only the token is
verified.  In some cases it could use the 'resource' property if for
instance "use-resource-role-mappings" is used (
https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/BearerTokenRequestAuthenticator.java#L99-L103)


On Wed, Aug 9, 2017 at 9:57 AM, Marc Destefanis <
marc.destefanis at easytrust.com> wrote:

> Hi,
>
> I don't understand how the < resource > attribute from the keycloak.json
> is bound to a client. I'll explain the case I face:
>
> In my WAR I have a keycloak.json which contains the value < WS > on the <
> resource > attribute.
> I've previously created a < GUI > client that allows me to generate a
> token and a < WS > client with a bearer-only access type that I use to
> secure my WARs.
>
> Everything works fine, my WARs are secured and I'm able to request the web
> services with the token generated with the GUI client.
>
> BUT,
> If I change the < resource > attribute value with a client name which
> doesn't exist it still works.
> I can set the < resource > attribute to < anyThing > or < oneTwoThree >
> etc. and it still works even if I didn't create these clients.
>
> I was expecting an error like < the client oneTwoThree doesn't exist > or
> something else when I request a web service secured in a WAR with a non
> existing resource value in the keycloak.json file.
>
> Is it normal behavior?
> Did I misunderstand something, or do I have an issue?
>
> Regards,
> Marc Destefanis.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
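As an added illustration (not code from the thread and not Keycloak's adapter), a simplified Python model of the bearer-only decision Sebastien describes: issuer and expiry are checked on the token itself, and the `resource` name is only consulted when `use-resource-role-mappings` is enabled, which is why a non-existent resource name goes unnoticed otherwise. Realm name, server URL, config values and token claims are constructed.

```python
import time

# Constructed keycloak.json-style adapter config (not from the thread's deployment).
ADAPTER_CONFIG = {
    "realm": "demo",
    "auth-server-url": "https://keycloak.example.test/auth",
    "resource": "WS",
    "bearer-only": True,
    "use-resource-role-mappings": False,
}

# Constructed decoded access-token claims as issued via the GUI client.
# Signature verification is assumed to have already passed.
TOKEN_CLAIMS = {
    "iss": "https://keycloak.example.test/auth/realms/demo",
    "azp": "GUI",
    "exp": int(time.time()) + 300,
    "realm_access": {"roles": ["user"]},
    "resource_access": {"WS": {"roles": ["ws-caller"]}},
}


def issuer_matches(config, claims):
    """The issuer is derived from realm + server URL, never from 'resource'."""
    expected = f"{config['auth-server-url']}/realms/{config['realm']}"
    return claims.get("iss") == expected


def token_is_live(claims, now=None):
    now = time.time() if now is None else now
    return claims.get("exp", 0) > now


def granted_roles(config, claims):
    """Roles the adapter sees. 'resource' matters only for resource role mappings;
    an unknown resource name simply yields an empty role set."""
    if config.get("use-resource-role-mappings"):
        per_client = claims.get("resource_access", {}).get(config["resource"], {})
        return set(per_client.get("roles", []))
    return set(claims.get("realm_access", {}).get("roles", []))


def bearer_only_authorize(config, claims, required_role=None, now=None):
    """Simplified bearer-only decision: issuer + expiry, then an optional role check."""
    if not issuer_matches(config, claims) or not token_is_live(claims, now):
        return False
    if required_role is None:
        return True
    return required_role in granted_roles(config, claims)
```

With `resource` set to a made-up name, an unprotected request still passes; only once resource role mappings are in use does the misconfiguration surface, as a denial for any role-protected path.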

