[keycloak-user] Bearer only RESTful service accepts request also without a client configured in Keyclo

Laszlo Szabo sz.laszlo at falcon.io
Wed Oct 25 07:33:57 EDT 2017


I think the bearer-only method does not communicate with the OIDC server by default
(except for the Keycloak client lib downloading the auth server certs from a public
endpoint), but decodes the JWT token, validates the signature with the
server's cert and checks expiration. That's all.
This is why JWT tokens are not the best for session validation in some
strict environments, because a bearer-only service is invokable with a token
connected to an already invalidated session. With a token lifetime of 5
mins this will cause 5 minutes of "not authorized" invocations in the worst
case.

Sometimes this is secure enough, but in some situations you want to avoid
this. To bypass this limitation you can use the Keycloak userinfo endpoint
explicitly with the token, which will check the session status also.

L

László Szabó
Staff backend engineer
+36302939052
Budapest
Falcon.io
Kossuth Lajos utca 7-9, Regus First Site
1053 Budapest
CG no.: 01-09-270982/4

On Wed, Oct 25, 2017 at 1:03 PM, Gunter Zeilinger <gunterze at gmail.com>
wrote:

> I have deployed 2 web-applications - one for the UI and one providing
> RESTful Services - in one EAR in Wildfly 10, both secured by using the
> JBoss EAP/Wildfly Adapter, the UI WAR with
> <public-client>true</public-client>, and the RS WAR with
> <bearer-only>true</bearer-only>, both with different values for the
> client-id by <resource>xxxxx</resource>.
>
> The UI application propagates the authentication to the REST Services
> similarly as shown in https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java . (The only
> difference is that the access token is provided by the UI Application to an
> Angular 2 client, which then directly invokes the RESTful services using
> that token).
>
> It works, but I realized, that it also works if there is no client with
> matching id for the RESTful web-application configured in Keycloak. Is that
> intended?
>
> Thanks for any clarification,
>
> Gunter
> J4Care
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

