keycloak bearer-only clients: why do they exist?

故里飘歌 2021-02-02 08:00

I am trying to wrap my head around the concept of bearer-only clients in Keycloak.

I understand the concept of public vs confidential and the concept of ser

4 answers
  •  爱一瞬间的悲伤
    2021-02-02 08:50

    Short answer: you can't obtain an access token using a bearer-only client, but you can obtain an access token a bearer-only client can accept using another client.

    More details: bearer-only clients usefully represent back-end applications, like web services, called by front-end applications and secured by the authorization server (= Keycloak).

    Backend / web service applications are not called directly by users, so they can't play in the OAuth 2.0 user-interactive flow. Setting "bearer-only" documents this fact to the Keycloak server, allowing administrators to configure the client without otherwise mandatory values (e.g. redirect URI…) and allowing useful error messages if someone tries to obtain a token for such a client.

    However, this doesn't mean you cannot configure specific roles for this client: so it needs to appear in the Keycloak realm.

    In addition, a bearer-only client needs to verify the received access token; especially, if the (recommended) adapter feature "verify-token-audience" is activated, the bearer-only client needs to verify that the access token has been issued for it: the bearer-only client must be in the audience attribute of the access token. See https://www.keycloak.org/docs/latest/server_admin/index.html#_audience

    For audience management by Keycloak, bearer-only clients need to be registered in the Keycloak realm.
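As an added example (not code from the answer above or from Keycloak), here is the check a bearer-only backend performs on a token it receives: signature, issuer, expiry and audience, with the audience claim accepted either as a single string or as a list. It signs with HS256 and a constructed shared secret so it runs stand-alone; a real Keycloak realm issues RS256 tokens and the signature step would use the realm's public key via a JWT library. The client id `my-backend`, the issuer URL and the secret are constructed values.

```python
import base64, hashlib, hmac, json, time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict, secret: bytes) -> str:
    """Constructed helper: stands in for Keycloak issuing a token to a front-end client."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_bearer_token(token: str, client_id: str, issuer: str, secret: bytes, now=None) -> dict:
    """Checks a bearer-only backend makes before trusting a token; raises ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token pick the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    # "aud" may be a single string or a list; this client's id must be in it
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if client_id not in aud:
        raise ValueError("token not issued for this client")
    return claims

def rejection_reason(token, client_id, issuer, secret, now=None):
    """Returns None if the token is accepted, else the reason it was rejected."""
    try:
        verify_bearer_token(token, client_id, issuer, secret, now)
    except ValueError as e:
        return str(e)
    return None
```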
