[keycloak-user] How to add Authorization (policies) for public clients in keycloak

Pedro Igor Silva psilva at redhat.com
Thu Nov 22 13:36:11 EST 2018


For public clients, you can use access tokens (as a bearer) to send
authorization requests to the server. Please take a look here [1].

[1]
https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions

Regards.
Pedro Igor

On Thu, Nov 22, 2018 at 1:05 PM Shubham Akodiya <sakodiya at grepruby.com>
wrote:

> Hi,
>
> I've one public client 'react' which uses the implicit grant for
> authentication. Now I want to secure this app's back-end APIs, and thus need
> to apply the authorization (policy, resource) settings. Is there any way to
> use the *Authorization* settings for the public client?
>
> As per my understanding, Authorization (policy, resource, scope) settings
> do not apply to a *Public (Client Protocol)* client; they apply only to a
> *Credential (Client Protocol)* client. Now the problem here is that when a
> user tries to log in using a *credential-keycloak-client*, we need to use
> the *client_secret key* in the front-end, which would make the application
> more vulnerable.
>
> Let me know if my understanding is incorrect, and feel free to share another
> approach to resolve this issue.
>
> Thanks,
> Shubham Akodiya
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
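
The flow Pedro points to, as an added example (not code from the thread or from Keycloak itself): the public client keeps no client_secret; it takes the user's access token obtained via the normal login and sends it as a bearer token to the realm's token endpoint with the UMA-ticket grant, naming the resource server's client id as the audience. Keycloak evaluates the policies of that resource server and returns a requesting party token (RPT) whose `authorization.permissions` claim the back-end API can check. The host name, realm, client ids, resource names and the sample RPT below are constructed assumptions for illustration; the decoder deliberately skips signature verification and says so.

```python
"""Added example (not from the original thread or from Keycloak's own code).

Shows the UMA-ticket grant a public client sends, using only the user's access
token as a bearer credential, and how a resource server reads the resulting
RPT's permissions claim. Host, realm, client ids, resource names and the
sample token are all assumptions constructed for this example.
"""
import base64
import json
from urllib.parse import urlencode

# Grant type for obtaining an RPT from Keycloak's token endpoint
UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def token_endpoint(base_url, realm):
    """Keycloak OpenID Connect token endpoint for a realm."""
    return f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"


def build_rpt_request(base_url, realm, access_token, audience,
                      permissions=(), response_mode=None):
    """Return (url, headers, body) for the UMA-ticket grant.

    No client_secret is sent: the request is authenticated with the user's
    access token as a bearer token. `audience` is the client id of the
    resource server whose policies should be evaluated; each entry of
    `permissions` is "resource" or "resource#scope". `response_mode` may be
    "decision" (just true/false) or "permissions" (the list of granted
    permissions) instead of a full RPT.
    """
    fields = [("grant_type", UMA_GRANT), ("audience", audience)]
    fields += [("permission", p) for p in permissions]
    if response_mode:
        fields.append(("response_mode", response_mode))
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return token_endpoint(base_url, realm), headers, urlencode(fields)


def _b64url_decode(segment):
    """Decode a base64url segment, restoring stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def rpt_permissions(rpt):
    """Extract the `authorization.permissions` claim from an RPT (JWT).

    This only decodes the payload; it does NOT verify the signature. A real
    resource server must verify the RPT against the realm's public key (or
    introspect it at Keycloak) before trusting any claim in it.
    """
    payload = json.loads(_b64url_decode(rpt.split(".")[1]))
    return payload.get("authorization", {}).get("permissions", [])


def is_granted(permissions, resource, scope=None):
    """True if the permissions list grants `resource` (and `scope`, if given)."""
    for perm in permissions:
        if perm.get("rsname") != resource:
            continue
        if scope is None or scope in perm.get("scopes", []):
            return True
    return False


def _unsigned_jwt(payload):
    """Build an alg=none JWT for the constructed sample below (test data only)."""
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(payload), ""])


# Constructed sample RPT: what Keycloak might issue for the "backend-api"
# resource server, granting the "orders:read" scope on the "Orders" resource.
SAMPLE_RPT = _unsigned_jwt({
    "aud": "backend-api",
    "authorization": {"permissions": [
        {"rsid": "order-resource-id", "rsname": "Orders",
         "scopes": ["orders:read"]},
    ]},
})


if __name__ == "__main__":
    url, headers, body = build_rpt_request(
        "https://sso.example.com", "demo", "user-access-token",
        audience="backend-api", permissions=["Orders#orders:read"])
    print("POST", url)
    print(headers["Authorization"])
    print(body)
    perms = rpt_permissions(SAMPLE_RPT)
    print("orders:read granted:", is_granted(perms, "Orders", "orders:read"))
    print("orders:write granted:", is_granted(perms, "Orders", "orders:write"))
```

The same request can be issued from the browser with fetch, or from the back-end on the user's behalf after the API receives the access token; in both cases the RPT (or the `response_mode=decision` answer) is what the API acts on, and the API must verify the RPT's signature rather than just decoding it as this example does.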
