[keycloak-user] Keycloak Javascript Adapter - Advisable to be used for confidential clients?

[Bruce Wings]

Thanks Eric for the reply.

But If I use a separate public client for my angular app, I am not able to
access my Rest Api with the generated token, that's why I had to use
confidential client Json that I used to secure my server. Any idea, what is
the right approach in case of server client architecture?

 ( My project contains Rest Apis that I have secured with jetty adapter and
confidential client ( as keycloak Authorization works only for confidential
client and not public clients). My angular app is accessing these rest api.
Therefore I used the same confidential client oidc Json in my angular app
too. )



On Friday, November 2, 2018, Eric Boyd Ramirez <eric.ramirez.sv at gmail.com>
wrote:

> Hi Bruce,
> I am fairly new to Keycloak myself, so I am giving my opinion in hopes
> some else can double check.
> The JS adapter is designed to work with Public clients, siting on the the
> client side, the idea is that the a user/person would have to enter his/her
> credentials to in order to login.
>
> Confidential clients generate an installation JSON or XML configuration
> object which is meant to be installed on the server side/ Application
> server. The user accessing this application does not receive this
> configuration.
>
> Hope this helps.
>
> > On Nov 2, 2018, at 1:28 AM, Bruce Wings <testoauth55 at gmail.com> wrote:
> >
> > I am referring to Keycloak Javascript adapter as mentioned in :
> > https://www.keycloak.org/docs/4.5/securing_apps/index.html#_
> javascript_adapter
> >
> > I have a confidential client and I have downloaded keycloak-oidc.json
> > containing client secret. Now I am not sure how secure is it to keep this
> > file containing client-secret at the client side.
> >
> > Am I being over concerned?
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>