I am trying to wrap my head around the concept of bearer-only clients in Keycloak.
I understand the concept of public vs confidential and the concept of ser
In my understanding, it is used when you have some internal service. Let's say you have ServiceA and ServiceB. A user calls ServiceA, which in turn calls ServiceB. ServiceB is never called by the user directly, only by other services. ServiceA will get a token using the user's credentials and then use this token to call ServiceB. ServiceB will never initiate a login; it will just use the token to verify permissions.
In this case, ServiceA will be a confidential client and ServiceB will be a bearer-only client.
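The ServiceB side of the exchange described above, as an added example that is not part of the original question and not Keycloak's own adapter code: a bearer-only service does exactly one thing with an incoming request, it validates the token in the Authorization header against the realm's public key and reads its claims; it never redirects to a login page and never holds a client secret. The example is self-contained Go using only the standard library. `DemoIssuer`, the client IDs `service-a`/`service-b`, `DemoRealmKey` and `MintToken` are assumptions made for the demo: `MintToken` stands in for the Keycloak realm issuing an RS256 access token to ServiceA, and `DemoRealmKey` stands in for the realm's signing key (a real ServiceB loads only the public half, from the realm's JWKS endpoint).

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

const DemoIssuer = "https://keycloak.example/realms/demo" // hypothetical realm URL
var b64 = base64.RawURLEncoding

// Claims is the subset of a Keycloak access token that ServiceB needs.
type Claims struct {
	Iss         string          `json:"iss"`
	Aud         json.RawMessage `json:"aud"` // Keycloak emits a string or an array here
	Exp         int64           `json:"exp"`
	RealmAccess struct {
		Roles []string `json:"roles"`
	} `json:"realm_access"`
}

func has(xs []string, s string) bool {
	for _, x := range xs {
		if x == s {
			return true
		}
	}
	return false
}

func (c *Claims) Audiences() (aud []string) { // normalizes the string-or-array "aud" claim
	var one string
	if json.Unmarshal(c.Aud, &one) == nil {
		return []string{one}
	}
	_ = json.Unmarshal(c.Aud, &aud)
	return aud
}

func (c *Claims) HasRealmRole(role string) bool { return has(c.RealmAccess.Roles, role) } // ServiceB's permission check

// DemoRealmKey stands in for the realm's signing key; a real ServiceB holds only the public half (from JWKS).
func DemoRealmKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }

// MintToken plays the Keycloak realm for the demo; ServiceB itself never signs, it only verifies.
func MintToken(priv *rsa.PrivateKey, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

// VerifyBearer is all a bearer-only client does with a request: check the token it
// was handed against the realm's public key. It never redirects anyone to a login page.
func VerifyBearer(pub *rsa.PublicKey, authz, issuer, clientID string, now time.Time) (*Claims, error) {
	parts := strings.Split(strings.TrimPrefix(authz, "Bearer "), ".")
	if !strings.HasPrefix(authz, "Bearer ") || len(parts) != 3 {
		return nil, errors.New("no well-formed bearer token")
	}
	hdrBytes, e1 := b64.DecodeString(parts[0])
	payload, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	var hdr struct{ Alg string `json:"alg"` }
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hdrBytes, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("malformed JWT or unexpected alg") // alg is pinned; the token never picks it
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if json.Unmarshal(payload, &c) != nil {
		return nil, errors.New("unparseable claims")
	}
	switch {
	case c.Iss != issuer:
		return nil, errors.New("wrong issuer")
	case now.Unix() >= c.Exp:
		return nil, errors.New("token expired")
	case !has(c.Audiences(), clientID):
		return nil, errors.New("token not intended for this service")
	}
	return &c, nil
}

func main() {
	priv, now := DemoRealmKey(), time.Now()
	// Constructed token standing in for the one ServiceA forwards to ServiceB.
	tok := MintToken(priv, map[string]any{"iss": DemoIssuer, "aud": "service-b", "azp": "service-a",
		"exp": now.Add(5 * time.Minute).Unix(), "realm_access": map[string][]string{"roles": {"user"}}})
	c, err := VerifyBearer(&priv.PublicKey, "Bearer "+tok, DemoIssuer, "service-b", now)
	fmt.Println(err, c != nil && c.HasRealmRole("user"), c != nil && c.HasRealmRole("admin"))
}
```

Two things worth checking before enforcing this in a real deployment: the `alg` is pinned to what the realm actually uses so a forged `alg: none` or HMAC header is rejected before any signature work, and Keycloak only lists a client in `aud` when an audience mapper (or a scope on that client's roles) is configured for the calling client, so the audience check is only meaningful once ServiceB appears in the tokens ServiceA receives.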