[keycloak-user] Keycloak policy enforcer for bearer-only client

Pedro Igor Silva psilva at redhat.com
Tue Jul 9 08:33:29 EDT 2019


Hi Juan,

It is the expected behavior but also a UI issue. You should not have access
to that tab when the client is bearer-only. I've created
https://issues.jboss.org/browse/KEYCLOAK-10808.

On Fri, Jul 5, 2019 at 4:42 PM Juan Camilo Vanegas <
juan.vanegas at netuxtecnologia.com> wrote:

> Hi.
>
> I am developing a Node.js web app that uses Keycloak as authentication
> service. I already have two clients: public client for the web app
> (app-web) and bearer-only for the API (app-api). On the app-api I use
> resources, scopes, policies, and permissions to control the access.
>
> To check the permissions, I am using the keycloak.enforcer(...) from the
> keycloak-connect module (npm keycloak-connect
> <https://www.npmjs.com/package/keycloak-connect>). When I try to check
> permission, the server always returns 403 Access denied response. But if I
> change app-api from bearer-only to confidential (keeping the same
> keycloak.json configuration file), the client works fine and is able to
> check permissions.
>
> This problem seems to be because a bearer-only client cannot obtain tokens
> from the server (keycloak similar question
> <http://keycloak-user.88327.x6.nabble.com/keycloak-user-can-we-use-authorization-with-bearer-only-td2123.html>).
>
> My question is: Is this a normal behavior of Keycloak? Why allow the
> Authorization tab in bearer-only clients if you cannot use the
> keycloak.enforcer? Am I missing some configuration?
>
> Thanks for your help.
>
>
> Stack Overflow question:
>
> https://stackoverflow.com/questions/56906984/keycloak-policy-enforcer-bearer-only-client
>
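
A check for the mismatch discussed in this thread, as an added example that is not part of the original messages and is not Keycloak project code: it scans a realm export for bearer-only clients that still carry authorization settings. It assumes the export's client entries use the ClientRepresentation fields bearerOnly, authorizationServicesEnabled and authorizationSettings; the function name and the sample realm are constructed for illustration.

```javascript
// Constructed sample in the shape of a Keycloak realm export ("clients" array).
const sampleRealm = {
  realm: "demo",
  clients: [
    { clientId: "app-web", publicClient: true, bearerOnly: false },
    { clientId: "app-api", publicClient: false, bearerOnly: true,
      authorizationServicesEnabled: true,
      authorizationSettings: { resources: [{ name: "reports" }],
                               policies: [{ name: "only-admins" }] } },
    { clientId: "billing-api", publicClient: false, bearerOnly: false,
      serviceAccountsEnabled: true, authorizationServicesEnabled: true,
      authorizationSettings: { resources: [{ name: "invoices" }], policies: [] } },
  ],
};

// Hypothetical helper: one finding per bearer-only client that also has
// authorization settings. Per the thread, such a client cannot obtain tokens,
// so keycloak.enforcer(...) running as that client answers 403.
function findUnenforceableClients(realmExport) {
  const findings = [];
  for (const client of realmExport.clients || []) {
    const authz = client.authorizationSettings || {};
    const resources = (authz.resources || []).length;
    const policies = (authz.policies || []).length;
    const hasAuthz = client.authorizationServicesEnabled === true ||
      resources > 0 || policies > 0;
    if (client.bearerOnly === true && hasAuthz) {
      findings.push({
        clientId: client.clientId,
        resources,
        policies,
        // The change that worked for the original poster.
        advice: "change the client from bearer-only to confidential",
      });
    }
  }
  return findings;
}

for (const f of findUnenforceableClients(sampleRealm)) {
  console.log(`${f.clientId}: bearer-only with ${f.resources} resource(s) ` +
    `and ${f.policies} policy(ies); ${f.advice}`);
}
```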

