Remove bearer-only occurences in the documentation when possible. Mak… (#23148)

closes #23066 Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2023-09-12 09:38:19 +02:00 · 2023-09-12 09:38:19 +02:00 · 56b94148a0
commit 56b94148a0
parent 70402cf286
4 changed files with 10 additions and 8 deletions
--- a/docs/documentation/server_admin/topics/clients/client-policies.adoc
+++ b/docs/documentation/server_admin/topics/clients/client-policies.adoc
@ -69,7 +69,7 @@ Author of a client (Checked by presence to the particular role or group)::
    like the administrator of the {project_name}.

 Client Access Type (confidential, public, bearer-only)::
-    For example when a client sends an authorization request, a policy is adopted if this client is confidential.
+    For example when a client sends an authorization request, a policy is adopted if this client is confidential. Confidential client has enabled client authentication when public client has disabled client authentication. Bearer-only is a deprecated client type.

 Client Scope::
    Evaluates to true if the client has a particular client scope (either as default or as an optional scope used in current request). This can be used for example to ensure that
--- a/docs/documentation/server_admin/topics/clients/oidc/con-audience.adoc
+++ b/docs/documentation/server_admin/topics/clients/oidc/con-audience.adoc
@ -56,12 +56,13 @@ When setting up audience checking:
 [[_audience_resolve]]
 == Automatically add audience

-An _Audience Resolve_ protocol mapper is defined in the default client scope _roles_. The mapper checks for clients that have at least one client role available for the current token. The client ID of each client is then added as an audience, which is useful if your service (usually bearer-only) clients rely on client roles.
+An _Audience Resolve_ protocol mapper is defined in the default client scope _roles_. The mapper checks for clients that have at least one client role available for the current token. The client ID of each client is then added as an audience, which is useful
+if your service clients rely on client roles. Service client could be usually a client without any flows enabled, which may not have any tokens issued directly to itself. It represents an OAuth 2 _Resource Server_.

-For example, for a bearer-only client and a confidential client,
-you can use the access token issued for the confidential client to invoke the bearer-only client REST service. The bearer-only client will be automatically added as an audience to the access token issued for the confidential client if the following are true:
+For example, for a service client and a confidential client,
+you can use the access token issued for the confidential client to invoke the service client REST service. The service client will be automatically added as an audience to the access token issued for the confidential client if the following are true:

-* The bearer-only client has any client roles defined on itself.
+* The service client has any client roles defined on itself.

 * Target user has at least one of those client roles assigned.

--- a/js/apps/admin-ui/public/locales/en/translation.json
+++ b/js/apps/admin-ui/public/locales/en/translation.json
@ -2284,7 +2284,7 @@
  "defaultLocaleHelp": "The initial locale to use. It is used on the login screen and other screens in the Admin UI and Account UI.",
  "conditionsHelp": "Conditions, which will be evaluated to determine if client policy should be applied during particular action or not.",
  "clientProfilesHelp": "Client profiles applied on this policy.",
-  "clientAccessType": "It uses the client's access type (confidential, public, bearer-only) to determine whether the policy is applied. Condition is checked during most of OpenID Connect requests (Authorization requests, token requests, introspection endpoint request, etc.)",
+  "clientAccessType": "It uses the client's access type (confidential, public, bearer-only) to determine whether the policy is applied. Condition is checked during most of OpenID Connect requests (Authorization requests, token requests, introspection endpoint request, etc.). Confidential client has enabled client authentication when public client has disabled client authentication. Bearer-only is a deprecated client type.",
  "clientAccesstypeTooltip": "Access Type of the client, for which the condition will be applied.",
  "clientRolesHelp": "The condition checks whether one of the specified client roles exists on the client to determine whether the policy is applied. This effectively allows client administrator to create client role of specified name on the client to make sure that particular client policy will be applied on requests of this client. Condition is checked during most of OpenID Connect requests (Authorization requests, token requests, introspection endpoint request, etc.)",
  "clientRolesConditionTooltip": "Client roles, which will be checked during this condition evaluation. Condition evaluates to true if client has at least one client role with the name as the client roles specified in the configuration.",
@ -3153,7 +3153,7 @@
  },
  "client-accesstype": {
    "label": "Client Access Type",
-    "tooltip": "Access Type of the client, for which the condition will be applied."
+    "tooltip": "Access Type of the client, for which the condition will be applied. Confidential client has enabled client authentication when public client has disabled client authentication. Bearer-only is a deprecated client type."
  },
  "client-roles": {
    "label": "Client Roles"
--- a/services/src/main/java/org/keycloak/services/clientpolicy/condition/ClientAccessTypeConditionFactory.java
+++ b/services/src/main/java/org/keycloak/services/clientpolicy/condition/ClientAccessTypeConditionFactory.java
@ -61,7 +61,8 @@ public class ClientAccessTypeConditionFactory extends AbstractClientPolicyCondit

    @Override
    public String getHelpText() {
-        return "It uses the client's access type (confidential, public, bearer-only) to determine whether the policy is applied. Condition is checked during most of OpenID Connect requests (Authorization request, token requests, introspection endpoint request etc).";
+        return "It uses the client's access type (confidential, public, bearer-only) to determine whether the policy is applied. Condition is checked during most of OpenID Connect requests (Authorization request, token requests, introspection endpoint request etc). "
+                + "Confidential client has enabled client authentication when public client has disabled client authentication. Bearer-only is deprecated client type.";
    }

    @Override