[keycloak-user] Authorisation and public clients

Pete Chown pete_keycloak at chown.org.uk
Tue Nov 5 07:05:05 EST 2019


Hi Pedro,

Thank you for taking the time to reply, and for the information.

On 31/10/2019 15:14, Pedro Igor Silva wrote:
> Authorization services are targeted for resource servers protecting 
> their resources. That is one of the reasons for requiring the client to 
> be confidential. They also need to perform operations that only a 
> confidential client can do given that client authentication is required.

Perhaps I'm misunderstanding how this is supposed to work, but isn't the 
difference between a public and a confidential client quite small?  With 
the public client, the end user obtains a token proving their right to 
access a resource.  With the confidential client, the end user sends a 
code, and the confidential client asks the authentication server whether 
the user is authorised to access the resource.

Is there a particular reason to favour the second option when 
authorisation is required?

What are the "operations that only a confidential client can do"?  Again 
I may be misunderstanding, but I thought the authorisation service just 
modified the issued tokens to reflect the user's access rights.

> However, you are still able to use authorization services in a public 
> client. I mean, obtain tokens with permissions from the token endpoint.

Excellent!  How do I do this?  The authorisation services seem to be 
disabled in the admin GUI when the client is not confidential.

> As per confidential being equivalent to the public, conceptually they 
> are not. But in practice, if you expose or you don't protect your client 
> secrets you will be indeed compromised.

This makes sense but I thought it was worth asking! :)

Thanks again,
Pete

> On Mon, Oct 28, 2019 at 12:46 PM Pete Chown <pete_keycloak at chown.org.uk 
> <mailto:pete_keycloak at chown.org.uk>> wrote:
> 
>     Hello,
> 
>     I have a public client and I can issue tokens for it.  I would like to
>     be able to use Keycloak for access control as well, so for example I
>     might give a user the "admin" role and that would cause additional
>     scopes to be added to their tokens.
> 
>     Unfortunately it looks as though the authorisation aspect of
>     Keycloak is
>     only available to confidential clients.  First of all, is that correct?
> 
>     If my understanding is correct, is there some specific security issue
>     that arises if authorisation is applied to public clients?  I can't
>     think of one, but perhaps I just haven't thought hard enough. :)
> 
>     Suppose I have a confidential client, but I don't take any steps to
>     keep
>     the "secret" secure.  Is it then equivalent to a public client?  In
>     other words could I work around this issue by making my client
>     nominally
>     confidential, but not taking steps to conceal the secret?  (There are
>     actually no steps I could take, because my client is just Javascript
>     running in a web page.)
> 
>     Thank you for any help you can give, and many thanks to the developers
>     for this excellent software.
> 
>     Pete
>     _______________________________________________
>     keycloak-user mailing list
>     keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>     https://lists.jboss.org/mailman/listinfo/keycloak-user
> 
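The point Pedro makes in the quoted reply (a public client can still "obtain tokens with permissions from the token endpoint") is easiest to see in code. What follows is an added example, not code from this thread or from the Keycloak project: it builds the UMA-grant request a public client sends to the token endpoint (the user's ordinary access token goes in the Authorization header, no client secret is needed, and `audience` names the confidential resource server whose policies Keycloak evaluates), then reads the resulting `authorization.permissions` claim back out on the resource-server side. The realm URL, the client ids `reports-api` and `spa-client`, and the token itself are assumptions made up for the example; the sample RPT is constructed locally with a dummy signature, so the decode step deliberately does not verify a signature and says so.

```python
"""Obtaining a token with permissions (an RPT) for a public client, and
checking it on the resource server.  Added example; assumptions marked."""
import base64
import json
import urllib.parse
import urllib.request

# Grant type Keycloak's token endpoint accepts for "give me a token with permissions".
UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"

# Assumed names for this example; substitute your own realm and client ids.
TOKEN_ENDPOINT = "https://sso.example.org/auth/realms/demo/protocol/openid-connect/token"
RESOURCE_SERVER = "reports-api"   # confidential client with Authorization enabled
PUBLIC_CLIENT = "spa-client"      # browser app, no secret


def build_rpt_request(audience, permissions=()):
    """Form fields for the UMA grant, as a list of pairs so `permission` may repeat.
    The user's access token (issued to the public client) is sent as a bearer
    token; no client secret is involved, which is why a public client can do
    this.  Each permission is "resource" or "resource#scope"; with none given,
    Keycloak evaluates everything the user is entitled to on that audience."""
    fields = [("grant_type", UMA_GRANT), ("audience", audience)]
    fields += [("permission", p) for p in permissions]
    return fields


def request_rpt(token_endpoint, access_token, audience, permissions=()):
    """Exchange an access token for an RPT against a live Keycloak
    (network call; not exercised offline)."""
    data = urllib.parse.urlencode(build_rpt_request(audience, permissions)).encode()
    req = urllib.request.Request(token_endpoint, data=data, method="POST")
    req.add_header("Authorization", "Bearer " + access_token)
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def _b64url_encode(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


def rpt_claims(rpt):
    """Decode the payload of a JWT RPT.  The signature is NOT checked here:
    a resource server must verify it against the realm's JWKS (or call the
    introspection endpoint) before trusting anything returned below."""
    return json.loads(_b64url_decode(rpt.split(".")[1]))


def rpt_permissions(rpt):
    """{resource name: set of scopes} from the `authorization.permissions` claim."""
    perms = rpt_claims(rpt).get("authorization", {}).get("permissions", [])
    return {p["rsname"]: set(p.get("scopes", [])) for p in perms}


def allowed(rpt, audience, resource, scope):
    """True if the RPT was issued for `audience` and grants `scope` on `resource`.
    The audience check matters: an RPT issued for a different resource server
    must not be accepted just because it carries a permission of the same name."""
    aud = rpt_claims(rpt).get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if audience not in aud:
        return False
    return scope in rpt_permissions(rpt).get(resource, set())


def constructed_rpt():
    """A made-up RPT with the claim layout Keycloak uses; the signature is a dummy."""
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {
        "aud": RESOURCE_SERVER,
        "azp": PUBLIC_CLIENT,   # the public client the user authenticated through
        "sub": "user-123",
        "authorization": {
            "permissions": [
                {"rsid": "r1", "rsname": "Reports", "scopes": ["read"]},
                {"rsid": "r2", "rsname": "Invoices", "scopes": ["read", "write"]},
            ]
        },
    }
    return ".".join([_b64url_encode(header), _b64url_encode(payload), "dummy-signature"])


if __name__ == "__main__":
    rpt = constructed_rpt()
    print(rpt_permissions(rpt))
    print(allowed(rpt, RESOURCE_SERVER, "Reports", "read"))   # True
    print(allowed(rpt, RESOURCE_SERVER, "Reports", "write"))  # False
```

The split this illustrates is the one the thread circles around: the thing that has to be confidential is the resource server (`reports-api`), because Keycloak evaluates its policies and it is the party that must verify the RPT; the public client only ever presents a bearer token it already holds, so nothing in the exchange depends on a secret the browser could leak. The admin console ties the Authorization tab to the confidential client for that reason, not because public clients are barred from requesting permissions.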

