[keycloak-user] Keycloak Javascript Adapter - Advisable to be used for confidential clients?

Bruce Wings testoauth55 at gmail.com
Sat Nov 3 12:41:10 EDT 2018


Thanks Geoffrey,

I believe this will solve my problem. However, I tried creating the mapper,
but maybe I missed something, because I am still getting a 401 if I log in
with the front end.

In the attached image, I have shared my config, can you give it a quick
look and confirm this is how it is supposed to be?

Name of my backend client in Keycloak: JettyApp

I have created Token claim name as - clientId and value as JettyApp.


[image: image.png]


On Sat, Nov 3, 2018 at 1:36 PM Geoffrey Cleaves <geoff at opticks.io> wrote:

> Bruce, here's how I fixed the issue you're describing. I think it's an
> unfortunate omission in the docs (which are generally quite good). You need
> to include the backend client ID in the front end client's aud claim.
>
> https://bitbucket.org/snippets/gcleaves/5ebB58/sso-keycloak
>
> On Sat, Nov 3, 2018, 01:45 Bruce Wings <testoauth55 at gmail.com> wrote:
>
>> Thanks Eric for the reply.
>>
>> But if I use a separate public client for my angular app, I am not able to
>> access my Rest Api with the generated token, that's why I had to use the
>> confidential client Json that I used to secure my server. Any idea what is
>> the right approach in case of server client architecture?
>>
>> (My project contains Rest Apis that I have secured with the jetty adapter
>> and a confidential client (as keycloak Authorization works only for
>> confidential clients and not public clients). My angular app is accessing
>> these rest apis. Therefore I used the same confidential client oidc Json in
>> my angular app too.)
>>
>>
>>
>> On Friday, November 2, 2018, Eric Boyd Ramirez <eric.ramirez.sv at gmail.com> wrote:
>>
>> > Hi Bruce,
>> > I am fairly new to Keycloak myself, so I am giving my opinion in hopes
>> > someone else can double check.
>> > The JS adapter is designed to work with Public clients, sitting on the
>> > client side, the idea is that a user/person would have to enter his/her
>> > credentials in order to log in.
>> >
>> > Confidential clients generate an installation JSON or XML configuration
>> > object which is meant to be installed on the server side/ Application
>> > server. The user accessing this application does not receive this
>> > configuration.
>> >
>> > Hope this helps.
>> >
>> > > On Nov 2, 2018, at 1:28 AM, Bruce Wings <testoauth55 at gmail.com> wrote:
>> > >
>> > > I am referring to Keycloak Javascript adapter as mentioned in :
>> > > https://www.keycloak.org/docs/4.5/securing_apps/index.html#_javascript_adapter
>> > >
>> > > I have a confidential client and I have downloaded keycloak-oidc.json
>> > > containing client secret. Now I am not sure how secure is it to keep this
>> > > file containing client-secret at the client side.
>> > >
>> > > Am I being over concerned?
>> > > _______________________________________________
>> > > keycloak-user mailing list
>> > > keycloak-user at lists.jboss.org
>> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>> >
>>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 57527 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20181103/46e15784/attachment-0001.png 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: aud.JPG
Type: image/jpeg
Size: 53698 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20181103/46e15784/attachment-0001.jpe 
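
Geoffrey's reply in the thread above says the backend client ID has to appear in the aud claim of the token issued to the front end client. The following is an added example, not code from the thread or from Keycloak: a Node.js diagnostic that decodes an access token payload and reports whether the backend client ID is listed in aud. The front end client ID angular-app and both sample tokens are constructed for illustration; JettyApp is the backend client name given in the thread.

```javascript
// Added example: diagnostic only. The payload is decoded WITHOUT verifying
// the signature, so this must never be used to make an authorization decision.

// Decode the payload (second segment) of a compact JWT.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error('not a compact JWT (expected 3 dot-separated segments)');
  }
  // base64url -> base64, then restore the stripped padding
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// Report whether backendClientId is listed in the token's aud claim.
// Per RFC 7519, aud is either a single string or an array of strings.
function checkAudience(token, backendClientId) {
  const payload = decodeJwtPayload(token);
  const aud = payload.aud === undefined ? [] : [].concat(payload.aud);
  return {
    aud,
    backendInAud: aud.includes(backendClientId),
    // Claims other than aud that carry the client ID; they are not audiences.
    otherClaimsWithValue: Object.keys(payload).filter(
      (k) => k !== 'aud' && payload[k] === backendClientId
    ),
  };
}

// Build a constructed sample token; the signature is a placeholder.
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.placeholder-signature`;
}

// 'angular-app' is a hypothetical front end client ID; 'JettyApp' is from the thread.
const withCustomClaim = makeSampleToken({
  azp: 'angular-app', aud: 'angular-app', clientId: 'JettyApp',
});
const withAudience = makeSampleToken({
  azp: 'angular-app', aud: ['angular-app', 'JettyApp'],
});

console.log(checkAudience(withCustomClaim, 'JettyApp')); // backendInAud: false
console.log(checkAudience(withAudience, 'JettyApp'));    // backendInAud: true
```

Run it with node and paste a real access token in place of the samples to see which audiences the front end client's token actually carries.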

