[keycloak-user] IDToken vs AccessToken
John D. Ament
john.d.ament at gmail.com
Tue Jun 13 05:09:34 EDT 2017
Marek,
So If I had to digest what you're saying, it sounds like I want my backend
to rely on the AccessToken object more than the IDToken object.
Sound right?
John
On Tue, Jun 13, 2017 at 2:22 AM Marek Posolda <mposolda at redhat.com> wrote:
> The secured applications can be divided into 2 main groups:
> - Frontend applications: Those are servlet or javascript UI
> applications, which want to authenticate against Keycloak and they use
> full browser based OIDC flow for it. Once OIDC flow is finished,
> application will receive all 3 tokens: access token, idToken and
> refresh token.
> - Bearer-only (usually REST based) applications: Those are secured by
> the bearer token (access token) sent to them in the "Authorization:
> Bearer" header. Usually some frontend application authenticated
> previously with Keycloak send the access token to the REST based
> application to authenticate particular REST request. Note that bearer
> applications don't set any cookie, they don't have any session, they
> don't redirect to OIDC and they don't use any other tokens beside the
> access token sent to them in the header.
>
> See our docs and demo example for more details. The applications like
> "customer-portal" and "product-portal" are frontend applications when
> the "database-service" is the REST based application.
>
> Marek
>
>
> On 13/06/17 00:50, John D. Ament wrote:
> > Hi
> >
> > I noticed that when using Bearer, an AccessToken gets set in the
> > KeycloakPrincipal's SecurityContext. However, when I do an SP initiated
> > login the IDToken gets set. I was wondering if these two could be
> > consistent, or if the inconsistency were at least explainable?
> >
> > I'm also wondering, will the presence of a bearer header cause the
> keycloak
> > adapter cookie to get set?
> >
> > John
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
More information about the keycloak-user
mailing list