[keycloak-user] Keycloak Javascript Adapter - Advisable to be used for confidential clients?

Eric Boyd Ramirez eric.ramirez.sv at gmail.com
Sat Nov 3 09:58:32 EDT 2018


Hi Bruce, further to Geoffrey's reply, this example should get you started:
https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-rest-employee

> On Nov 3, 2018, at 2:06 AM, Geoffrey Cleaves <geoff at opticks.io> wrote:
> 
> Bruce, here's how I fixed the issue you're describing. I think it's an unfortunate omission in the docs (which are generally quite good). You need to include the backend client ID in the front end client's aud claim.
> 
> https://bitbucket.org/snippets/gcleaves/5ebB58/sso-keycloak
> On Sat, Nov 3, 2018, 01:45 Bruce Wings <testoauth55 at gmail.com> wrote:
> Thanks Eric for the reply.
> 
> But if I use a separate public client for my angular app, I am not able to
> access my REST API with the generated token, that's why I had to use the
> confidential client JSON that I used to secure my server. Any idea what is
> the right approach in case of a server-client architecture?
> 
> (My project contains REST APIs that I have secured with the jetty adapter and
> a confidential client (as Keycloak Authorization works only for confidential
> clients and not public clients). My angular app is accessing these REST APIs.
> Therefore I used the same confidential client OIDC JSON in my angular app
> too.)
> 
> 
> 
> On Friday, November 2, 2018, Eric Boyd Ramirez <eric.ramirez.sv at gmail.com> wrote:
> 
> > Hi Bruce,
> > I am fairly new to Keycloak myself, so I am giving my opinion in hopes
> > someone else can double check.
> > The JS adapter is designed to work with public clients, sitting on the
> > client side; the idea is that a user/person would have to enter his/her
> > credentials in order to log in.
> >
> > Confidential clients generate an installation JSON or XML configuration
> > object which is meant to be installed on the server side / application
> > server. The user accessing this application does not receive this
> > configuration.
> >
> > Hope this helps.
> >
> > > On Nov 2, 2018, at 1:28 AM, Bruce Wings <testoauth55 at gmail.com> wrote:
> > >
> > > I am referring to the Keycloak Javascript adapter as mentioned in:
> > > https://www.keycloak.org/docs/4.5/securing_apps/index.html#_javascript_adapter
> > >
> > > I have a confidential client and I have downloaded keycloak-oidc.json
> > > containing the client secret. Now I am not sure how secure it is to keep this
> > > file containing the client secret at the client side.
> > >
> > > Am I being over concerned?
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> >
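Worked example added here (not code from the thread, from Keycloak, or from the quickstart) of the backend-side check behind Geoffrey's fix: the Angular app stays a public client with no secret in the browser, Keycloak is configured with a protocol mapper that adds the backend client ID to the front-end client's aud claim, and the REST API rejects tokens whose aud does not name it. The client IDs, realm URL and sample tokens below are assumed or constructed.

```javascript
// Added example: claim checks a resource server applies AFTER it has verified
// the token signature against the realm key. Client IDs are assumed names.
const BACKEND_CLIENT_ID = "employee-api"; // assumed backend (confidential) client
const FRONTEND_CLIENT_ID = "angular-app"; // assumed public client for the SPA

// base64url helpers so constructed tokens can be built and read offline.
// Signature verification is out of scope here and must precede any claim check.
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_");
}
function decodePayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Returns a rejection reason, or null when the claims suit this backend.
function checkTokenClaims(payload, nowSeconds) {
  // RFC 7519: aud is a string for one audience, an array for several.
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(BACKEND_CLIENT_ID)) return "aud missing backend client id";
  // azp is the client the token was issued to; accept only the SPA client so
  // tokens obtained through some other client are not honoured here.
  if (payload.azp !== FRONTEND_CLIENT_ID) return "unexpected azp";
  if (typeof payload.exp !== "number" || payload.exp <= nowSeconds) return "expired";
  return null;
}

// Constructed sample tokens (placeholder header/signature, assumed realm URL).
const NOW = 1541232000; // constructed "current time", 2018-11-03
const ISS = "https://sso.example.test/auth/realms/demo"; // assumed realm
function makeToken(payload) {
  const header = { alg: "RS256", typ: "JWT", kid: "placeholder" };
  return `${b64url(header)}.${b64url(payload)}.placeholder-signature`;
}
// Token for the SPA client once the mapper adds the backend ID to aud.
const TOKEN_WITH_BACKEND_AUD = makeToken({ iss: ISS, sub: "user-1",
  azp: FRONTEND_CLIENT_ID, aud: [BACKEND_CLIENT_ID, "account"], exp: NOW + 300 });
// Same client without the mapper: aud does not name the backend, so the
// API rejects it (the symptom Bruce describes).
const TOKEN_WITHOUT_BACKEND_AUD = makeToken({ iss: ISS, sub: "user-1",
  azp: FRONTEND_CLIENT_ID, aud: "account", exp: NOW + 300 });

function evaluate(jwt, nowSeconds = NOW) {
  return checkTokenClaims(decodePayload(jwt), nowSeconds);
}
```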