[keycloak-user] Keycloak Javascript Adapter - Advisable to be used for confidential clients?

Bruce Wings testoauth55 at gmail.com
Fri Nov 2 12:43:46 EDT 2018


Bruno,

Thanks for the reply. However, my project contains REST APIs that I have
secured with the Jetty adapter and a confidential client (as Keycloak
Authorization works only for confidential clients and not public clients).
My Angular app is accessing these REST APIs. Therefore I used the same
confidential client OIDC JSON in my Angular app too.

Am I approaching the Keycloak setup in the wrong way?

On Friday, November 2, 2018, Bruno Oliveira <bruno at abstractj.org> wrote:

> I believe you're missing an important step from the docs. The docs
> state that JavaScript clients should be configured as public clients.
> I don't think it's a good idea to store the client secret in web apps,
> it's really unsafe.
>
> On Fri, Nov 2, 2018 at 4:28 AM Bruce Wings <testoauth55 at gmail.com> wrote:
> >
> > I am referring to the Keycloak JavaScript adapter as mentioned in:
> > https://www.keycloak.org/docs/4.5/securing_apps/index.html#_javascript_adapter
> >
> > I have a confidential client and I have downloaded keycloak-oidc.json
> > containing the client secret. Now I am not sure how secure it is to keep this
> > file containing the client secret at the client side.
> >
> > Am I being over concerned?
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> --
> - abstractj
>
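
The advice in this thread (browser clients are public clients, and no client secret belongs in a web app) can be checked at build time. The following is an added example, not code from the thread or from Keycloak: a JavaScript audit of the adapter JSON before it is bundled into a web app. The function name, the sample configs, the client names and the host sso.example.test are assumptions constructed for illustration.

```javascript
// Added example: audit a Keycloak adapter JSON that will be served to a browser.
// Returns a list of findings; an empty list means the file is safe to ship.
// The secret value itself is never echoed into a finding.
function auditBrowserAdapterConfig(jsonText) {
  let cfg;
  try {
    cfg = JSON.parse(jsonText);
  } catch (err) {
    return [`not valid JSON: ${err.message}`];
  }
  if (cfg === null || typeof cfg !== 'object' || Array.isArray(cfg)) {
    return ['top-level value must be a JSON object'];
  }
  const findings = [];
  // A confidential client's export carries its secret under credentials.secret.
  if (cfg.credentials && typeof cfg.credentials === 'object') {
    for (const key of Object.keys(cfg.credentials)) {
      findings.push(`credentials.${key} present: readable by anyone who loads the app`);
    }
  }
  if (cfg['public-client'] !== true) {
    findings.push('public-client is not true: browser clients should be public clients');
  }
  if (cfg['bearer-only'] === true) {
    findings.push('bearer-only is true: this is a service config, not a login client');
  }
  return findings;
}

// Constructed sample: the kind of export the original poster describes.
const CONFIDENTIAL_EXPORT = JSON.stringify({
  realm: 'demo',
  'auth-server-url': 'https://sso.example.test/auth',
  'ssl-required': 'external',
  resource: 'rest-api',
  credentials: { secret: 'CONSTRUCTED-PLACEHOLDER-SECRET' },
  'confidential-port': 0,
});

// Constructed sample: a separate public client for the single-page app.
const PUBLIC_EXPORT = JSON.stringify({
  realm: 'demo',
  'auth-server-url': 'https://sso.example.test/auth',
  'ssl-required': 'external',
  resource: 'angular-app',
  'public-client': true,
  'confidential-port': 0,
});
```

Run over the two samples, the confidential export yields two findings and the public export yields none.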

