I wanted to better understand SSO and OpenID Connect, so I have built a Traefik and Keycloak Docker solution. The basics are working - I can sign into any app using SSO.
I want to understand how the bearer token works, but am getting confused on what elements are required.
I have an app that requires sign-on - https://myapp.mydomain. If I open that in the browser it redirects to https://keycloak.mydomain and asks for my user and password. If correct, the app is then allowed to open.
Moving the same URL to Postman, if I just send https://myapp.mydomain, the response is the login screen from Keycloak - also expected.
I want to add some credentials to the request using OAuth 2.0 "Get New Access Token". The token is generated and I select "Use this token". Press Send and the contents of https://myapp.mydomain are now shown.
All seemed well, but I found that if I remove the token from the request, the web request is still working!!! Cookies are created during the authentication for creating the token and I presume these cookies are being used to persist the session.
If I create an access token and delete all cookies, should my request be authenticated via the token alone?
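The situation in the question, as an added example that is not part of the post and not Traefik's or Keycloak's own code: a forward-auth style decision function with two independent paths, a bearer token (validated for signature, issuer, audience and expiry) and a session cookie, so a request carrying only a valid token and no cookies at all is still authenticated, while a request with neither gets the login redirect. The realm name, client id and session values are constructed, and an HS256 shared secret stands in for the RS256 public-key verification a real Keycloak token would need.

```python
import base64, hashlib, hmac, json, time
from typing import Optional, Tuple

# Constructed demo values, not the asker's real Keycloak/Traefik configuration.
ISSUER = "https://keycloak.mydomain/realms/demo"   # realm "demo" is assumed
AUDIENCE = "myapp"                                  # client id is assumed
SECRET = b"demo-shared-secret"                      # HS256 stand-in for Keycloak's RS256 keys
SESSIONS = {"sess-123": "alice"}                    # server-side sessions keyed by cookie value

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(sub: str, ttl: int = 300, now: Optional[int] = None) -> str:
    """Mint a demo access token shaped like a Keycloak JWT (iss/aud/sub/iat/exp claims)."""
    now = int(time.time()) if now is None else now
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"iss": ISSUER, "aud": AUDIENCE, "sub": sub,
                                 "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_bearer(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the token subject if signature, issuer, audience and expiry check out, else None."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(payload))
    except (ValueError, json.JSONDecodeError):
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    if claims.get("exp", 0) <= now:          # reject expired tokens
        return None
    return claims.get("sub")

def authenticate(headers: dict, cookies: dict, now: Optional[int] = None) -> Tuple[int, Optional[str]]:
    """Decide like a forward-auth middleware: bearer token first, then session cookie."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        sub = verify_bearer(auth[len("Bearer "):], now)
        return (200, sub) if sub else (401, None)   # bad token is rejected, cookie not consulted
    sub = SESSIONS.get(cookies.get("SESSION", ""))
    return (200, sub) if sub else (302, None)        # 302: redirect to the Keycloak login page
```

Removing the cookie jar in Postman while keeping the Authorization header exercises only the first path; removing the header while keeping the cookies exercises only the second, which is why both variants appeared to work.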