[keycloak-user] Keycloak policy enforcer for bearer-only client

Pedro Igor Silva psilva at redhat.com
Tue Jul 9 09:06:04 EDT 2019


+1

On Tue, Jul 9, 2019 at 9:58 AM Juan Camilo Vanegas <
juan.vanegas at netuxtecnologia.com> wrote:

> Hi Pedro.
>
> Thanks for your help. So basically, if you need to protect your resources
> on the back-end, you should use a confidential client, but the
> keycloak.json configuration file should have the bearer-only key set to
> true, to you avoid redirecting the user to the login page and instead send
> a 403  Access denied response. Is this correct?
>
> Best regards,
>
> On Tue, Jul 9, 2019 at 7:33, Pedro Igor Silva (<psilva at redhat.com>)
> wrote:
>
>> Hi Juan,
>>
>> It is the expected behavior but also a UI issue. You should not have
>> access to that tab when the client is bearer-only. I've created
>> https://issues.jboss.org/browse/KEYCLOAK-10808.
>>
>> On Fri, Jul 5, 2019 at 4:42 PM Juan Camilo Vanegas <
>> juan.vanegas at netuxtecnologia.com> wrote:
>>
>>> Hi.
>>>
>>> I am developing a Node.js web app that uses Keycloak as authentication
>>> service. I already have two clients: public client for the web app
>>> (app-web) and bearer-only for the API (app-api). On the app-api I use
>>> resources, scopes, policies, and permissions to control the access.
>>>
>>> To check the permissions, I am using the keycloak.enforcer(...) from the
>>> keycloak-connect module (npm keycloak-connect
>>> <https://www.npmjs.com/package/keycloak-connect>). When I try to check
>>> permission, the server always returns 403 Access denied response. But if I
>>> change app-api from bearer-only to confidential (keeping the same
>>> keycloak.json configuration file), the client works fine and is capable to
>>> check permissions.
>>>
>>> This problem seems to be because a bearer-only client cannot obtain tokens
>>> from the server (keycloak similar question
>>> <http://keycloak-user.88327.x6.nabble.com/keycloak-user-can-we-use-authorization-with-bearer-only-td2123.html>).
>>>
>>> My question is: Is this a normal behavior of Keycloak? Why allow the
>>> Authorization tab in bearer-only clients if you cannot use the
>>> keycloak.enforcer? Am I missing some configuration?
>>>
>>> Thanks for your help.
>>>
>>>
>>> Stackoverflow question:
>>>
>>> https://stackoverflow.com/questions/56906984/keycloak-policy-enforcer-bearer-only-client
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>
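As an added example (not code from this thread, from Keycloak or from keycloak-connect), a keycloak.json for app-api that follows the configuration Juan summarises: a confidential client with credentials so the enforcer can obtain tokens, with bearer-only set to true so unauthenticated requests get a 403 rather than a login redirect. The realm, server URL, secret and the reports:view permission are constructed placeholders, and the Express wiring assumes keycloak-connect's enforcer(permissions, { response_mode }) API and that it sets req.permissions.

```javascript
// keycloak.json for app-api as an object. Values are constructed placeholders.
const apiKeycloakConfig = {
  realm: 'example-realm',                                  // placeholder
  'auth-server-url': 'https://sso.example.invalid/auth/',  // placeholder
  'ssl-required': 'external',
  resource: 'app-api',
  'bearer-only': true,                 // no redirect to login; 403 instead
  credentials: { secret: 'REPLACE_WITH_CLIENT_SECRET' }, // confidential client
  'confidential-port': 0,
};

// The failing variant from the thread: bearer-only with no client credentials,
// so the adapter cannot obtain tokens and keycloak.enforcer() always denies.
const bearerOnlyWithoutCredentials = { ...apiKeycloakConfig, credentials: undefined };

// Sanity-check a keycloak.json object before wiring the policy enforcer.
// Returns a list of problems; an empty list means the enforcer can work.
function enforcerConfigProblems(cfg) {
  const problems = [];
  if (cfg['public-client'] === true) {
    problems.push('public client: cannot obtain an RPT from the server');
  }
  if (!cfg.credentials || !cfg.credentials.secret) {
    problems.push('no client credentials: enforcer cannot obtain tokens');
  }
  if (cfg['bearer-only'] !== true) {
    problems.push('bearer-only not set: unauthenticated API calls are redirected to login');
  }
  return problems;
}

// Express wiring for the API (requires express and keycloak-connect; loaded
// lazily so the config check above runs without them installed).
function createApiApp(cfg) {
  const express = require('express');
  const Keycloak = require('keycloak-connect');
  const app = express();
  const keycloak = new Keycloak({}, cfg);
  app.use(keycloak.middleware());
  // protect() rejects requests without a valid bearer token; enforcer() then
  // asks the server whether the token holder has the reports:view permission.
  app.get('/reports', keycloak.protect(),
    keycloak.enforcer(['reports:view'], { response_mode: 'permissions' }),
    (req, res) => res.json({ permissions: req.permissions }));
  return app;
}
```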

