[keycloak-user] Authorisation and public clients

Pete Chown pete_keycloak at chown.org.uk
Mon Oct 28 11:39:39 EDT 2019


Hello,

I have a public client and I can issue tokens for it.  I would like to 
be able to use Keycloak for access control as well, so for example I 
might give a user the "admin" role and that would cause additional 
scopes to be added to their tokens.

Unfortunately it looks as though the authorisation aspect of Keycloak is 
only available to confidential clients.  First of all, is that correct?

If my understanding is correct, is there some specific security issue 
that arises if authorisation is applied to public clients?  I can't 
think of one, but perhaps I just haven't thought hard enough. :)

Suppose I have a confidential client, but I don't take any steps to keep 
the "secret" secure.  Is it then equivalent to a public client?  In 
other words could I work around this issue by making my client nominally 
confidential, but not taking steps to conceal the secret?  (There are 
actually no steps I could take, because my client is just JavaScript 
running in a web page.)

Thank you for any help you can give, and many thanks to the developers 
for this excellent software.

Pete
