[keycloak-user] Bearer only RESTful service accepts request also without a client configured in Keyclo

Pedro Igor Silva psilva at redhat.com
Wed Oct 25 07:31:40 EDT 2017


On Wed, Oct 25, 2017 at 9:03 AM, Gunter Zeilinger <gunterze at gmail.com>
wrote:

> I have deployed 2 web-applications - one for the UI and one providing
> RESTful Services - in one EAR in Wildfly 10, both secured by using the
> JBoss EAP/Wildfly Adapter, the UI WAR with
> <public-client>true</public-client>, and the RS WAR with
> <bearer-only>true</bearer-only>, both with different values for the
> client-id by <resource>xxxxx</resource>.
>
> The UI application propagates the authentication to the REST Services
> similarly as shown in https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java . (The only
> difference is that the access token is provided by the UI Application to an
> Angular 2 client, which then directly invokes the RESTful services using
> that token).
>
> It works, but I realized that it also works if there is no client with a
> matching id for the RESTful web-application configured in Keycloak. Is that
> intended?
>

Do you mean the client id from the *aud* claim in the access token?


>
> Thanks for any clarification,
>
> Gunter
> J4Care


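An added example (not code from the thread or from the Keycloak adapter) of the check Pedro's question points at: whether the access token's aud claim actually names the bearer-only service's own client-id, rather than only being a valid token of the realm. The client ids, the realm issuer URL and both tokens are constructed values, and signature and expiry validation are assumed to have already been done by the adapter before this check runs.

```python
import base64
import json

# Constructed example only: the RS WAR's client-id (the <resource> of the bearer-only
# adapter) and the realm issuer are assumed values, not taken from the original thread.
RS_CLIENT_ID = "rs-client"
UI_CLIENT_ID = "ui-client"
REALM_ISSUER = "https://keycloak.example.com/auth/realms/demo"

def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. Signature and expiry checks are
    assumed to have been done by the adapter before this audience check runs."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))

def issued_for_service(claims: dict, expected_client_id: str, issuer: str) -> bool:
    """True only if the token comes from our realm AND names this service in aud.
    RFC 7519 allows aud to be either a single string or a list of strings."""
    if claims.get("iss") != issuer:
        return False
    aud = claims.get("aud", [])
    audiences = [aud] if isinstance(aud, str) else list(aud)
    return expected_client_id in audiences

def make_token(claims: dict) -> str:
    """Build a compact JWT with a placeholder signature segment (constructed input)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.constructed-signature"

# Token issued to the UI client only: valid in the realm, but not meant for the RS WAR.
UI_ONLY_TOKEN = make_token({"iss": REALM_ISSUER, "azp": UI_CLIENT_ID, "aud": UI_CLIENT_ID})
# Token whose aud also lists the RS client, as a token scoped for the service would.
RS_TOKEN = make_token({"iss": REALM_ISSUER, "azp": UI_CLIENT_ID, "aud": [UI_CLIENT_ID, RS_CLIENT_ID]})

if __name__ == "__main__":
    for name, tok in (("UI-only token", UI_ONLY_TOKEN), ("RS token", RS_TOKEN)):
        ok = issued_for_service(jwt_claims(tok), RS_CLIENT_ID, REALM_ISSUER)
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

A bearer-only service that only checks realm signature and expiry will accept the first token; adding the audience check is what makes a missing or mismatched client-id visible.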