[keycloak-user] IDToken vs AccessToken
Marek Posolda
mposolda at redhat.com
Tue Jun 13 02:22:56 EDT 2017
The secured applications can be divided into 2 main groups:
- Frontend applications: Those are servlet or javascript UI
applications, which want to authenticate against Keycloak and they use
full browser based OIDC flow for it. Once OIDC flow is finished,
application will receive all 3 tokens: access token, idToken and
refresh token.
- Bearer-only (usually REST based) applications: Those are secured by
the bearer token (access token) sent to them in the "Authorization:
Bearer" header. Usually some frontend application authenticated
previously with Keycloak send the access token to the REST based
application to authenticate particular REST request. Note that bearer
applications don't set any cookie, they don't have any session, they
don't redirect to OIDC and they don't use any other tokens beside the
access token sent to them in the header.
See our docs and demo example for more details. The applications like
"customer-portal" and "product-portal" are frontend applications when
the "database-service" is the REST based application.
Marek
On 13/06/17 00:50, John D. Ament wrote:
> Hi
>
> I noticed that when using Bearer, an AccessToken gets set in the
> KeycloakPrincipal's SecurityContext. However, when I do an SP initiated
> login the IDToken gets set. I was wondering if these two could be
> consistent, or if the inconsistency were at least explainable?
>
> I'm also wondering, will the presence of a bearer header cause the keycloak
> adapter cookie to get set?
>
> John
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
More information about the keycloak-user
mailing list