[keycloak-user] Bearer only and client credentials

Marcelo Nardelli marcelo.nardelli at gmail.com
Tue Mar 14 16:31:56 EDT 2017


Hello,

According to documentation, the OAuth2 client credentials flow corresponds
to the concept of Service Accounts in Keycloak, right? Also, it seems that
only confidential clients are allowed to participate in this flow, so this
is not an option for bearer-only clients (I also found this issue here
https://issues.jboss.org/browse/KEYCLOAK-4156)

So, if a bearer-only client needs to access another protected resource
regardless of who is calling it, what would be the recommended approach? Do
I always need to make sure that any token generated for the bearer-only
client also has the permissions for the other protected resource? Or is
there a way to make the bearer-only client get a token on its own
behalf? Did anyone else have this problem and use some sort of workaround
to get the token for the bearer-only client?

Thanks,

Marcelo Nardelli
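The client credentials exchange that the post contrasts with bearer-only clients, as an added example that is not part of the original message or of Keycloak's own code. The token endpoint path `/realms/{realm}/protocol/openid-connect/token` is Keycloak's; the realm name, the client ids and secret, the placeholder token value and the offline stand-in for the token endpoint are all constructed, and the stand-in's error codes follow RFC 6749 rather than Keycloak's exact messages. It shows both sides of the exchange: a confidential client with a service account obtains a token on its own behalf, while a bearer-only client, which has no credentials to present, is refused.

```python
import base64
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlencode


def token_endpoint(base_url: str, realm: str) -> str:
    """Keycloak's OpenID Connect token endpoint for a realm."""
    return f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"


def build_client_credentials_request(base_url: str, realm: str,
                                     client_id: str, client_secret: str) -> dict:
    """Assemble the OAuth2 client credentials grant (RFC 6749 section 4.4).
    The client authenticates itself with HTTP Basic; no end user is involved."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "method": "POST",
        "url": token_endpoint(base_url, realm),
        "headers": {
            "Authorization": f"Basic {creds}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({"grant_type": "client_credentials"}),
    }


class FakeTokenEndpoint:
    """Constructed stand-in for the authorization server so the exchange runs offline.
    Its policy mirrors the rule discussed in the post: only a confidential client
    with a service account may use client_credentials; a bearer-only client has no
    secret and is treated like an unknown client. Error strings follow RFC 6749."""

    def __init__(self, clients: dict):
        # client_id -> {"secret": str or None, "bearer_only": bool, "service_account": bool}
        self.clients = clients

    def handle(self, request: dict) -> tuple:
        form = parse_qs(request["body"])
        if form.get("grant_type") != ["client_credentials"]:
            return 400, {"error": "unsupported_grant_type"}
        auth = request["headers"].get("Authorization", "")
        if not auth.startswith("Basic "):
            return 401, {"error": "invalid_client"}
        client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
        client = self.clients.get(client_id)
        if client is None or client["bearer_only"]:
            return 401, {"error": "invalid_client"}
        # Constant-time comparison so a wrong secret is not distinguishable by timing.
        if client["secret"] is None or not hmac.compare_digest(client["secret"], secret):
            return 401, {"error": "invalid_client"}
        if not client["service_account"]:
            return 400, {"error": "unauthorized_client"}
        return 200, {
            "access_token": f"constructed-token-for-{client_id}",  # placeholder, not a real JWT
            "token_type": "Bearer",
            "expires_in": 300,
        }


def obtain_service_token(endpoint: FakeTokenEndpoint, base_url: str, realm: str,
                         client_id: str, client_secret: str) -> Optional[str]:
    """Run the exchange and return the access token, or None when the server refuses."""
    request = build_client_credentials_request(base_url, realm, client_id, client_secret)
    status, body = endpoint.handle(request)
    if status != 200:
        return None
    return body["access_token"]


def bearer_header(access_token: str) -> dict:
    """Header the calling service attaches when it contacts the other protected resource."""
    return {"Authorization": f"Bearer {access_token}"}


# Constructed client registry: one confidential client with a service account enabled,
# one bearer-only client, matching the two client types the post contrasts.
CLIENTS = {
    "orders-service": {"secret": "s3cr3t", "bearer_only": False, "service_account": True},
    "inventory-api": {"secret": None, "bearer_only": True, "service_account": False},
}

if __name__ == "__main__":
    ep = FakeTokenEndpoint(CLIENTS)
    print(obtain_service_token(ep, "https://kc.example", "demo", "orders-service", "s3cr3t"))
    print(obtain_service_token(ep, "https://kc.example", "demo", "inventory-api", ""))
```

The stand-in authenticates the client with `client_secret_basic`; Keycloak also accepts the secret in the form body (`client_secret_post`), which changes only how `build_client_credentials_request` packs the credentials. The roles carried by the resulting token come from the service-account user's role mappings, so what the token lets the service do at the second resource is configured there, not in the calling code.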

