Using the latest EAP 7 S2I builder image and associated eap70-sso-s2i template to build an SSO client application, I specified SSO_BEARER_ONLY=false in the template. When the app was built and deployed, the launch scripts registered the SSO client with bearerOnly=true.

If I changed it to SSO_BEARER_ONLY=foobar I observed the same behavior. Only when I left it blank did it get set to false when registering the client.

Upon investigation I see this bug in the /opt/eap/bin/launch/keycloak.sh script:

if [ -n "$SSO_BEARER_ONLY" ] && [ "$SSO_BEARER_ONLY"="true" ]; then

Notice there is no whitespace surrounding the bash = operator. This should be

if [ -n "$SSO_BEARER_ONLY" ] && [ "$SSO_BEARER_ONLY" == "true" ]; then