Thanks Eric for the reply.
But if I use a separate public client for my Angular app, I am not able to
access my REST API with the generated token; that's why I had to use the
confidential client JSON that I used to secure my server. Any idea what
the right approach is in the case of a server-client architecture?
(My project contains REST APIs that I have secured with the Jetty adapter and a
confidential client (as Keycloak Authorization works only for confidential
clients and not public clients). My Angular app is accessing these REST APIs.
Therefore I used the same confidential client OIDC JSON in my Angular app
too.)
On Friday, November 2, 2018, Eric Boyd Ramirez <eric.ramirez.sv(a)gmail.com>
wrote:
Hi Bruce,
I am fairly new to Keycloak myself, so I am giving my opinion in hopes
someone else can double check.
The JS adapter is designed to work with Public clients, sitting on the
client side; the idea is that a user/person would have to enter his/her
credentials in order to log in.
Confidential clients generate an installation JSON or XML configuration
object which is meant to be installed on the server side/application
server. The user accessing this application does not receive this
configuration.
Hope this helps.
> On Nov 2, 2018, at 1:28 AM, Bruce Wings <testoauth55(a)gmail.com> wrote:
>
> I am referring to Keycloak Javascript adapter as mentioned in :
>
> https://www.keycloak.org/docs/4.5/securing_apps/index.html#_javascript_adapter
>
> I have a confidential client and I have downloaded keycloak-oidc.json
> containing client secret. Now I am not sure how secure it is to keep this
> file containing client-secret at the client side.
>
> Am I being over concerned?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user