[keycloak-user] keycloak.json configuration - link between resource attribute and Keycloak client

Marc Destefanis marc.destefanis at easytrust.com
Wed Aug 9 06:10:15 EDT 2017


Thank you Sebastien Blanc,

So it's normal behavior; that answers my question.

But I'm curious: why is the « resource » property required if it is only used when « use-resource-role-mappings » is set to true?

It is the fact that the « resource » property is required that made me think I had an issue.

Regards,
Marc Destefanis.

From: Sebastien Blanc [mailto:sblanc at redhat.com]
Sent: Wednesday, 9 August 2017 10:43
To: Marc Destefanis <marc.destefanis at easytrust.com>
Cc: keycloak-user at lists.jboss.org; Sonia Belhadj <sonia.belhadj at easytrust.com>
Subject: Re: [keycloak-user] keycloak.json configuration - link between resource attribute and Keycloak client

It's because of the "bearer-only" nature of your client. Only the token is verified.  In some cases it could use the 'resource' property if for instance "use-resource-role-mappings" is used (https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/BearerTokenRequestAuthenticator.java#L99-L103)

On Wed, Aug 9, 2017 at 9:57 AM, Marc Destefanis <marc.destefanis at easytrust.com> wrote:
Hi,

I don't understand how the < resource > attribute from the keycloak.json is bound to a client. Let me explain the case I am facing:

In my WAR I have a keycloak.json which contains the value < WS > on the < resource > attribute.
I've previously created a < GUI > client that allows me to generate a token and a < WS > client with a bearer-only access type that I use to secure my WARs.

Everything works fine, my WARs are secured and I'm able to request the web services with the token generated with the GUI client.

BUT,
If I change the < resource > attribute value to a client name which doesn't exist, it still works.
I can set the < resource > attribute to < anyThing > or < oneTwoThree > etc. and it still works, even though I didn't create these clients.

I was expecting an error like < the client oneTwoThree doesn't exist > or something similar when I request a web service secured in a WAR with a non-existent resource value in the keycloak.json file.

Is this normal behavior?
Did I misunderstand something, or do I have an issue?

Regards,
Marc Destefanis.
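Added example (not from this thread or the Keycloak code base) that models the behaviour Sebastien describes: for a bearer-only adapter the token is verified and roles come from realm_access, so the resource name is irrelevant, unless use-resource-role-mappings is true, in which case the resource name selects the resource_access entry. The token payload, the keycloak.json variants and the function name are constructed assumptions.

```python
import json

# Constructed token payload (the claims an adapter sees after signature
# verification). Not a real Keycloak token; values are illustrative.
TOKEN_CLAIMS = {
    "iss": "https://keycloak.example.com/auth/realms/demo",
    "azp": "GUI",
    "realm_access": {"roles": ["user"]},
    "resource_access": {
        "GUI": {"roles": ["gui-admin"]},
        "WS": {"roles": ["ws-reader"]},
    },
}


def make_keycloak_json(resource, use_resource_role_mappings=False):
    """Build a constructed keycloak.json for a bearer-only WAR."""
    return json.dumps({
        "realm": "demo",
        "auth-server-url": "https://keycloak.example.com/auth",
        "resource": resource,
        "bearer-only": True,
        "use-resource-role-mappings": use_resource_role_mappings,
    })


def adapter_roles(claims, keycloak_json):
    """Roles the adapter would grant for these claims under this config.

    Assumption modelled from the thread: with use-resource-role-mappings
    the roles come from resource_access[<resource>]; otherwise from
    realm_access, and the resource name is never looked up anywhere.
    """
    cfg = json.loads(keycloak_json)
    if cfg.get("use-resource-role-mappings", False):
        client_access = claims.get("resource_access", {}).get(cfg["resource"], {})
        return set(client_access.get("roles", []))
    return set(claims.get("realm_access", {}).get("roles", []))


if __name__ == "__main__":
    for resource in ("WS", "oneTwoThree"):
        for use_mappings in (False, True):
            cfg = make_keycloak_json(resource, use_mappings)
            print(resource, use_mappings, sorted(adapter_roles(TOKEN_CLAIMS, cfg)))
```

A non-existent resource name therefore produces no error at all: with realm roles it changes nothing, and with resource role mappings it silently yields an empty role set, which is worth checking when a protected endpoint unexpectedly returns 403.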

