[keycloak-user] Keycloak Javascript Adapter - Advisable to be used for confidential clients?

Bruno Oliveira bruno at abstractj.org
Fri Nov 2 11:32:57 EDT 2018


I believe you're missing an important step from the docs. The docs
state that JavaScript clients should be configured as public clients.
I don't think it's a good idea to store a client secret in web apps;
it's really unsafe.

On Fri, Nov 2, 2018 at 4:28 AM Bruce Wings <testoauth55 at gmail.com> wrote:
>
> I am referring to the Keycloak JavaScript adapter as mentioned in:
> https://www.keycloak.org/docs/4.5/securing_apps/index.html#_javascript_adapter
>
> I have a confidential client and I have downloaded keycloak-oidc.json
> containing the client secret. Now I am not sure how secure it is to keep
> this file containing the client secret on the client side.
>
> Am I being over concerned?



-- 
- abstractj
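
An added example, not part of the original thread and not Keycloak's own code: a pre-publish check that rejects an adapter config file if it would put a client credential in front of browsers. The helper names and all sample values (realm, URL, client id, secret) are constructed placeholders; the config keys are those of the Keycloak OIDC adapter JSON.

```javascript
// Constructed sample: shape of an adapter config exported for a
// confidential client. All values are placeholders, not from the thread.
const confidentialExport = {
  realm: 'example-realm',
  'auth-server-url': 'https://sso.example.test/auth',
  'ssl-required': 'external',
  resource: 'example-spa',
  credentials: { secret: 'PLACEHOLDER-NOT-A-REAL-SECRET' },
};

// Constructed sample: the same client exported as a public client.
const publicExport = {
  realm: 'example-realm',
  'auth-server-url': 'https://sso.example.test/auth',
  'ssl-required': 'external',
  resource: 'example-spa',
  'public-client': true,
};

// Hypothetical helper: lists problems in a config that will be served
// to browsers, where every byte of the file is readable by the user.
function auditBrowserAdapterConfig(cfg) {
  const findings = [];
  const creds = cfg.credentials;
  if (creds && typeof creds === 'object') {
    for (const name of Object.keys(creds)) {
      findings.push({ key: `credentials.${name}`,
        issue: 'client credential would be shipped to every browser' });
    }
  }
  if (cfg['public-client'] !== true) {
    findings.push({ key: 'public-client',
      issue: 'not marked public; JavaScript clients should be public clients' });
  }
  return findings;
}

// Hypothetical build gate: throw instead of publishing the file.
function assertSafeForBrowser(cfg) {
  const findings = auditBrowserAdapterConfig(cfg);
  if (findings.length > 0) {
    const detail = findings.map(f => `${f.key}: ${f.issue}`).join('; ');
    throw new Error(`adapter config not safe for client side: ${detail}`);
  }
  return true;
}
```

Deleting the `credentials` block from the file does not change the client itself; the client also has to be configured as a public client in Keycloak.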

