I'm trying to implement an authentication system for my spring boot application using keycloak using password grant flow , and it works fine for the most part there's one bit I dont understand.
(I'm gonna reference the sample source from javacodegeeks because I'm learning it through their guide.)
In this guide: https://examples.javacodegeeks.com/keycloak-in-a-spring-boot-application/
It says to setup the following configuration on my application.properties :
# application configuration
server:
port: 9000
# keycloak configuration
keycloak:
# name of the created realm
realm: jcgassignment
# name of the created client
resource: spring-security-demo-app
# indicates that our service has been created as a bearer-only (by default it is false)
bearer-only: true
# url of our Keycloak server
auth-server-url: 'http://localhost:8100/auth'
and if I'm understanding this right, this config specifically links my springboot app with a client created within my keycloak realm. Telling my keycloak adapter to connect to this specific keycloak server, into this specific client, to verify a jwt token.
but for some reason, even if I disable the client (in this case spring-security-demo-app), my springboot app is still able to communicate with the keycloak server and verify a jwt, and thus is still able to return a 200OK response, how is that?
Is my spring boot app not correctly linked with my keycloak realm client? or am I understanding this wrong?
To add to Baptiste's answer: when you disable the client in Keycloak it means that the server will no longer issue new tokens to the client. So the client will be able to neither authenticate new users nor refresh access tokens. Still, JWTs already issued to the client (as Baptiste noted), are valid as long as the certificates haven't changed, and the token hasn't expired.