[keycloak-user] Keycloak Javascript Adapter - Advisable to be used for confidential clients?

Geoffrey Cleaves geoff at opticks.io
Sat Nov 3 04:06:03 EDT 2018


Bruce, here's how I fixed the issue you're describing. I think it's an
unfortunate omission in the docs (which are generally quite good). You need
to include the backend client ID in the front end client's aud claim.

https://bitbucket.org/snippets/gcleaves/5ebB58/sso-keycloak

On Sat, Nov 3, 2018, 01:45 Bruce Wings <testoauth55 at gmail.com> wrote:

> Thanks Eric for the reply.
>
> But if I use a separate public client for my Angular app, I am not able to
> access my REST API with the generated token; that's why I had to use the
> confidential client JSON that I used to secure my server. Any idea what is
> the right approach in case of server client architecture?
>
> (My project contains REST APIs that I have secured with the Jetty adapter and
> a confidential client (as Keycloak Authorization works only for confidential
> clients and not public clients). My Angular app is accessing these REST APIs.
> Therefore I used the same confidential client OIDC JSON in my Angular app
> too.)
>
>
>
> On Friday, November 2, 2018, Eric Boyd Ramirez <eric.ramirez.sv at gmail.com>
> wrote:
>
> > Hi Bruce,
> > I am fairly new to Keycloak myself, so I am giving my opinion in hopes
> > someone else can double check.
> > The JS adapter is designed to work with Public clients, sitting on the
> > client side; the idea is that a user/person would have to enter his/her
> > credentials in order to log in.
> >
> > Confidential clients generate an installation JSON or XML configuration
> > object which is meant to be installed on the server side / application
> > server. The user accessing this application does not receive this
> > configuration.
> >
> > Hope this helps.
> >
> > > On Nov 2, 2018, at 1:28 AM, Bruce Wings <testoauth55 at gmail.com> wrote:
> > >
> > > I am referring to Keycloak Javascript adapter as mentioned in:
> > > https://www.keycloak.org/docs/4.5/securing_apps/index.html#_javascript_adapter
> > >
> > > I have a confidential client and I have downloaded keycloak-oidc.json
> > > containing client secret. Now I am not sure how secure is it to keep this
> > > file containing client-secret at the client side.
> > >
> > > Am I being over concerned?
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> >
>
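
A small diagnostic for the fix described in the top message, as an added example that is not part of the original thread or the linked snippet: it decodes an access token's payload and reports whether the backend client ID appears in `aud`. The client IDs `rest-api` and `angular-app` and the sample tokens are constructed assumptions; the payload is read without signature verification, so this is for troubleshooting only.

```javascript
// Troubleshooting helper: decodes the payload only. It does NOT verify the
// signature, so never use its result to make an authorization decision.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// RFC 7519: "aud" may be a single string or an array of strings.
function audienceList(payload) {
  if (payload.aud === undefined) return [];
  return Array.isArray(payload.aud) ? payload.aud : [payload.aud];
}

// Reports whether the token would pass an audience check at the backend.
function checkAudience(token, backendClientId) {
  const payload = decodeJwtPayload(token);
  const aud = audienceList(payload);
  const ok = aud.includes(backendClientId);
  return {
    ok,
    aud,
    azp: payload.azp, // the client the token was issued to
    reason: ok
      ? "backend client ID present in aud"
      : `aud does not contain "${backendClientId}"`,
  };
}

// Builds a constructed sample token with a placeholder signature.
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(claims)}.placeholder-sig`;
}

const BACKEND = "rest-api";     // hypothetical confidential (backend) client ID
const FRONTEND = "angular-app"; // hypothetical public (front end) client ID
// Token issued to the public client before and after adding the backend to aud.
const beforeFix = makeSampleToken({ azp: FRONTEND, aud: "account" });
const afterFix = makeSampleToken({ azp: FRONTEND, aud: ["account", BACKEND] });

console.log(checkAudience(beforeFix, BACKEND));
console.log(checkAudience(afterFix, BACKEND));
```

With this arrangement the browser app keeps using a public client with no secret, and the backend's own client ID only needs to show up in the token's audience.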

