keycloak bearer-only clients: why do they exist?

Tags:

keycloak

I am trying to wrap my head around the concept of bearer-only clients in Keycloak.

I understand the concept of public vs confidential and the concept of service accounts and the grant_type=client_credentials stuff. But with bearer-only, I'm stuck.

Googling only reveals fragments of discussions saying:

You cannot obtain a token from keycloak with a bearer-only client.

The docs are unclear as well. All they say is:

Bearer-only access type means that the application only allows bearer token requests.

Ok, if my app only allows bearer token requests, how do I obtain this token if I cannot get it from Keycloak using client id / client secret?

And if you can't obtain a token, what can you do at all? Why do these clients exist? Can somebody please provide an example of using this type of client?

kurtgn asked Nov 18 '19 09:11



2 Answers

Bearer-only access type meaning

Bearer-only access type means that the application only allows bearer token requests. If this is turned on, this application cannot participate in browser logins.

So if you select your client as bearer-only, then in that case the Keycloak adapter will not attempt to authenticate users, but only verify bearer tokens. That is why the Keycloak documentation also mentions that a bearer-only application will not allow login from the browser.

And if you can't obtain a token, what can you at all? Why do these clients exist?

Your client can't be set as bearer-only on Keycloak Server. You can still use bearer-only on the adapter configuration though. Keycloak doesn't allow "bearer only" clients (when setting up your client on the server) to obtain tokens from the server. Try to change your client to "confidential" on the server and set bearer-only on your adapter configuration (keycloak.json).

So if you understand the above statement: if you have two microservices that talk to each other, the caller will be confidential and the callee will be bearer-only.

And Keycloak also mentions:

Bearer-only clients are web services that never initiate a login. It's typically used for securing the back-end.

So if you want to use any adapter, you can use bearer-only depending on the need.

EDIT-

Let's go into more detail. Let's see one example: I have a web-app and one rest-api. For the web-app I am using React/Angular/JSF or any front-end technology, and for the back-end I am using a Java-based rest-api or Node.js.

Now for the above requirement I have to secure both products (web-app, rest-api), so what will be my plan of action? How will I secure both apps through Keycloak?

So here is the detailed explanation:

  1. I have to create two clients inside a realm in Keycloak.
  2. Client A will be used by the web-app.
  3. Client B will be used by the rest-api.
  4. So now the question will be: why two clients?
  5. For the web-app we want the user to log in via the GUI first, and only then generate the token.
  6. For the rest-api we don't want a GUI-based API, as these APIs are consumed by the web-app, but the rest-api still has to be accessed securely.
  7. Now go to Client A and make its Access Type public, so the web-app will ask the user to log in via the Keycloak GUI or your login page and then generate the token.
  8. The same token generated in the above step is used by the rest-api, and data is fetched according to the user's role and other information. So the Access Type of Client B will be bearer-only: the token generated by the web-app is passed to the rest-api, and it is then used to authorize the user.

Hope it will help. If someone wants to add more, he/she is free to add.

Subodh Joshi answered Oct 15 '22 07:10


Short answer: you can't obtain an access token using a bearer-only client, so the authentication flow configuration is irrelevant, but Keycloak may still need to know about such a bearer-only client to manage roles or audience.

More details: bearer-only clients usefully represent back-end applications, like web services, called by a front application and secured by the authorization server (= Keycloak).

Backend / web service applications are not called directly by the user, so they can't play in the OAuth 2.0 user-interactive flow. Setting "bearer-only" documents this fact to the Keycloak server, allowing the administrator to configure the client without otherwise mandatory values (for example redirect URI…) and allowing useful error messages if someone tries to obtain a token for such a client.

However, this doesn't mean you cannot configure specific roles for this client: so it needs to appear in the Keycloak realm.

In addition, a bearer-only client needs to verify the received access token. Especially if the (recommended) adapter feature "verify-token-audience" is activated, the bearer-only client needs to verify that the access token has been issued for it: the bearer-only client must be in the audience attribute of the access token; see https://www.keycloak.org/docs/latest/server_admin/index.html#_audience

For audience management by Keycloak, bearer-only clients need to be registered in the Keycloak realm.

Thomas LIMIN answered Oct 15 '22 08:10
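To tie the two answers together, here is an added example (not code from either answer or from Keycloak) of what the bearer-only rest-api side does with a token minted for the public web-app client: it never starts a login, it only checks the signature, expiry and, when the adapter setting "verify-token-audience" is on, that its own client id is in the token's `aud` claim. The keycloak.json-style settings, realm name, client ids and the HS256 test key are all constructed for the example; a real Keycloak realm signs tokens with RS256 and the realm key pair, and only the signature primitive would differ.

```python
import base64, hashlib, hmac, json, time

# Constructed keycloak.json-style adapter settings for client B (the rest-api).
ADAPTER_CONFIG = {
    "realm": "demo-realm",                  # placeholder realm name
    "resource": "rest-api",                 # this client's id, expected in 'aud'
    "bearer-only": True,                    # never redirects to a login page
    "verify-token-audience": True,          # reject tokens minted for other clients
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(claims: dict, key: bytes) -> str:
    """Constructed test token (HS256 so the example runs with the stdlib only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_bearer_token(token: str, key: bytes, config: dict, now=None) -> dict:
    """Bearer-only resource server check: signature, expiry, then audience."""
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError if malformed
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm, never trust the header
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    if config.get("verify-token-audience"):
        aud = claims.get("aud", [])
        aud = [aud] if isinstance(aud, str) else aud  # RFC 7519: string or list
        if config["resource"] not in aud:
            raise ValueError(f"token not issued for {config['resource']}")
    return claims

def accepts(token: str, key: bytes, config: dict, now=None) -> bool:
    """True if the rest-api would serve a request carrying this bearer token."""
    try:
        verify_bearer_token(token, key, config, now)
        return True
    except ValueError:
        return False
```

With "verify-token-audience" switched off, a token issued for some other client is accepted, which is exactly the gap the second answer says the audience check closes.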