Okay, I think I've figured out why confidential clients are better.
A hacker could spoof the login page, obtain client credentials, and in the
background have a script that performs the login flow. With a public
client, the hacker would be able to get the access token, as there is no
protection. With a confidential client, the hacker would not have the
client credentials and would not be able to turn a code into a token.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
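The distinction in the message above, as an added example that is not part of the original thread and is not Keycloak code: a toy token endpoint that binds each authorization code to the client it was issued for and, for confidential clients, also demands the client secret at the exchange. The client ids, the secret and the token format are all constructed for the demonstration.

```python
import hmac
import secrets


class TokenEndpoint:
    """Toy authorization server: constructed for illustration, not a real
    OAuth implementation. Public clients register with no secret;
    confidential clients register with one."""

    def __init__(self):
        self.clients = {}  # client_id -> client_secret, or None for a public client
        self.codes = {}    # code -> client_id the code was issued to

    def register_client(self, client_id, client_secret=None):
        self.clients[client_id] = client_secret

    def issue_code(self, client_id):
        """Authorization endpoint: after the user has logged in, hand back a
        one-time code tied to the client that started the flow."""
        if client_id not in self.clients:
            raise ValueError("unknown client")
        code = secrets.token_urlsafe(16)
        self.codes[code] = client_id
        return code

    def exchange_code(self, client_id, code, client_secret=None):
        """Token endpoint: turn a code into an access token, or return None.
        A confidential client must authenticate with its secret; a public
        client has no secret, so only the code itself is checked."""
        if client_id not in self.clients:
            return None
        expected = self.clients[client_id]
        if expected is not None:
            # Confidential client: reject a missing or wrong secret (constant-time compare).
            if client_secret is None or not hmac.compare_digest(expected, client_secret):
                return None
        # The code must exist and must have been issued to this very client.
        if self.codes.get(code) != client_id:
            return None
        del self.codes[code]  # single use: a replayed code is refused
        return "access-token-for-" + client_id


def attacker_exchange(server, client_id, code):
    """The attacker of the message above: has driven the login flow (or
    phished the user) and holds a valid code, but has no client secret."""
    return server.exchange_code(server and client_id, code, client_secret=None)


def demo():
    """Run the scenario for both client types and report each outcome."""
    srv = TokenEndpoint()
    srv.register_client("public-app")                                  # constructed id
    srv.register_client("confidential-app", client_secret="s3cr3t")    # constructed id/secret

    pub_code = srv.issue_code("public-app")
    conf_code = srv.issue_code("confidential-app")

    results = {
        # Public client: nothing stops the attacker from redeeming the code.
        "public_attacker": attacker_exchange(srv, "public-app", pub_code),
        # Confidential client: same code, but no secret, so no token.
        "confidential_attacker": attacker_exchange(srv, "confidential-app", conf_code),
        # Wrong secret is refused too.
        "confidential_wrong_secret": srv.exchange_code("confidential-app", conf_code, "guess"),
        # The real client, holding the secret, redeems the code normally.
        "confidential_legit": srv.exchange_code("confidential-app", conf_code, "s3cr3t"),
    }
    # The code was consumed above, so a replay by the legitimate client fails as well.
    results["confidential_replay"] = srv.exchange_code("confidential-app", conf_code, "s3cr3t")
    return results


if __name__ == "__main__":
    for name, token in demo().items():
        print(f"{name}: {token}")
```

The model deliberately keeps the public-client path bare to match the message: whoever holds the code gets the token. In a real deployment the usual mitigation for public clients, which cannot keep a secret, is PKCE (RFC 7636), binding the code to the party that started the flow; the toy server above omits that on purpose so the contrast the message draws stays visible.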