[keycloak-user] Authorisation and public clients
Pedro Igor Silva
psilva at redhat.com
Thu Oct 31 11:14:10 EDT 2019
Authorization services are targeted for resource servers protecting their
resources. That is one of the reasons for requiring the client to be
confidential. They also need to perform operations that only a confidential
client can do given that client authentication is required.
However, you are still able to use authorization services in a public
client. I mean, obtain tokens with permissions from the token endpoint.
As for confidential being equivalent to public, conceptually they are
not. But in practice, if you expose or don't protect your client
secrets you will indeed be compromised.
On Mon, Oct 28, 2019 at 12:46 PM Pete Chown <pete_keycloak at chown.org.uk>
wrote:
> Hello,
>
> I have a public client and I can issue tokens for it. I would like to
> be able to use Keycloak for access control as well, so for example I
> might give a user the "admin" role and that would cause additional
> scopes to be added to their tokens.
>
> Unfortunately it looks as though the authorisation aspect of Keycloak is
> only available to confidential clients. First of all, is that correct?
>
> If my understanding is correct, is there some specific security issue
> that arises if authorisation is applied to public clients? I can't
> think of one, but perhaps I just haven't thought hard enough. :)
>
> Suppose I have a confidential client, but I don't take any steps to keep
> the "secret" secure. Is it then equivalent to a public client? In
> other words could I work around this issue by making my client nominally
> confidential, but not taking steps to conceal the secret? (There are
> actually no steps I could take, because my client is just Javascript
> running in a web page.)
>
> Thank you for any help you can give, and many thanks to the developers
> for this excellent software.
>
> Pete
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
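Added example (not code from Keycloak or from either poster) of the flow Pedro describes: a public client asking the token endpoint for a token carrying permissions (an RPT), and a resource server reading the granted permissions back out of it. The grant type and the `authorization.permissions` claim layout are Keycloak's UMA 2.0 ones; the client ids `my-spa` and `my-api`, the resource names and the sample RPT are constructed for this example. The sample RPT is unsigned, so the decode helper only inspects the payload; a real resource server verifies the signature against the realm's JWKS before trusting any claim.

```python
import base64
import json

# Grant type Keycloak's token endpoint accepts for RPT requests (UMA 2.0).
UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def build_rpt_request(client_id, audience, access_token, permissions=None, client_secret=None):
    """Build (headers, form) for a token-endpoint call that requests an RPT.

    A public client sends only client_id; a confidential client adds
    client_secret. `audience` is the client_id of the resource server whose
    policies Keycloak evaluates. `permissions` entries look like
    "Resource Name#scope"; with none given, all permissions are evaluated.
    """
    headers = {
        "Authorization": "Bearer " + access_token,
        "Content-Type": "application/x-www-form-urlencoded",
    }
    form = [("grant_type", UMA_GRANT), ("client_id", client_id), ("audience", audience)]
    if client_secret is not None:  # only a confidential client has one to send
        form.append(("client_secret", client_secret))
    for perm in permissions or []:
        form.append(("permission", perm))
    return headers, form


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def decode_payload(jwt):
    """Return the JWT payload as a dict. Inspection only: no signature check."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(rpt):
    """Map resource name -> set of granted scopes from the RPT's
    authorization.permissions claim."""
    perms = decode_payload(rpt).get("authorization", {}).get("permissions", [])
    return {p["rsname"]: set(p.get("scopes", [])) for p in perms}


def has_permission(rpt, resource, scope):
    return scope in granted_permissions(rpt).get(resource, set())


def interpret_token_response(status, body):
    """Return the RPT string on success, or None when Keycloak denied the
    request (e.g. HTTP 403 with error=access_denied)."""
    if status != 200:
        return None
    return json.loads(body).get("access_token")


# Constructed sample RPT: header + payload + placeholder signature.
SAMPLE_RPT = ".".join([
    _b64url_encode({"alg": "RS256", "typ": "JWT"}),
    _b64url_encode({
        "aud": "my-api",   # resource server (hypothetical client id)
        "azp": "my-spa",   # public browser client (hypothetical client id)
        "authorization": {"permissions": [
            {"rsid": "RSID-PLACEHOLDER-1", "rsname": "Admin Resource", "scopes": ["admin"]},
            {"rsid": "RSID-PLACEHOLDER-2", "rsname": "Reports", "scopes": ["view"]},
        ]},
    }),
    "c2lnbmF0dXJl",  # placeholder, not a verifiable signature
])

if __name__ == "__main__":
    headers, form = build_rpt_request("my-spa", "my-api", "USER-ACCESS-TOKEN", ["Admin Resource#admin"])
    print("form sent by public client (no client_secret):", form)
    print("granted:", granted_permissions(SAMPLE_RPT))
```

The point of `build_rpt_request` is the absence of `client_secret` for the public client: the user's own access token in the Authorization header is what Keycloak evaluates the policies against, so nothing the browser holds needs to be secret. A secret that ships inside page Javascript, as in Pete's case, adds no protection and only gives an attacker something extra to reuse.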