Keycloak JS adapter and confidential clients


Andrzej Heczko
Jun 18, 2020, 12:05:58 PM
to Keycloak Dev
Hello,
I have tried to connect to a confidential client from a JavaScript application, but it failed. Public clients are working perfectly. I have made an investigation of the problem and found out that the js adapter is not using client_secret.
I have committed an updated keycloak.js into my fork at andrzejenne/keycloak and am using the adapter with a confidential client now.
Can someone review the changes made, please? I will make a PR if everything is ok.
Thank you

Michal Hajas
Jun 18, 2020, 12:58:37 PM
to Andrzej Heczko, Keycloak Dev
Hello Andrzej,

Not supporting client_secret within keycloak.js is on purpose, as JS applications are not capable of keeping a client_secret secret. Look into the following links:

"If the developer is creating a “public” app (a mobile or single-page app), then you should not issue a client_secret to the app at all. This is the only way to ensure the developer won’t accidentally include it in their application. If it doesn’t exist, it can’t be leaked!"

Michal



Schuster Sebastian (IOC/PDL22)
Jun 19, 2020, 2:28:36 AM
to Andrzej Heczko, Keycloak Dev

Not supporting client_secret here is probably intentional as browser apps cannot keep secrets secret anyways.

Best regards,

Sebastian

Mit freundlichen Grüßen / Best regards

Dr.-Ing. Sebastian Schuster

Project Delivery Berlin 22 (IOC/PDL22)
Bosch.IO GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch.io
Tel. +49 30 726112-485 | Mobile +49 152 02177668 | Fax +49 30 726112-100 | Sebastian...@bosch.io

Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr. Stefan Ferber, Dr. Aleksandar Mitrovic, Yvonne Reckling

Schuster Sebastian (IOC/PDL22)
Jun 19, 2020, 2:30:46 AM
to Michal Hajas, Andrzej Heczko, Keycloak Dev

I should probably have read all of yesterday's messages… ;)

 
