Hi
Can someone explain to me the difference between the following 2 Client Policy conditions:
- client-access-type
- client-type
I did read the docs (https://www.keycloak.org/docs/latest/server_admin/index.html#_client_policies), but this is still not clear (also, the client-type documentation seems to be missing).
- Are these conditions checked when a client is created/updated, or when a client makes an auth request (or both)?
- Are these conditions evaluated as "ANY" (meaning "or") or as "ALL" (meaning "and")?
- If I wanted to create a policy that enforces OAuth 2.1 compliance, do I need to add both of these conditions along with appropriate policy?
What I am thinking of right now is that for OIDC clients I need 2 policies to enforce OAuth 2.1.
First policy would be for Public OIDC clients:
- Conditions:
  - client-access-type (client access type = "public")
  - client-type (client-protocol: "openid-connect")
- Profiles:
  - oauth-2-1-for-public-client

Second policy would be for Confidential OIDC clients:
- Conditions:
  - client-access-type (client access type = "confidential")
  - client-type (client-protocol: "openid-connect")
- Profiles:
  - oauth-2-1-for-confidential-client
Are the 2 policies above appropriate use of these conditions?
Regards
Z
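The two policies sketched in the post, written out as the JSON body the Keycloak Admin REST API accepts, plus a small local model of how such a policy selects clients. This is an added example, not code from the post or from the Keycloak project. It assumes the condition provider IDs and configuration keys exactly as the poster wrote them (`client-access-type` with a `type` list, `client-type` with a `client-protocol` key); those are version dependent and should be checked against what `GET /admin/realms/{realm}/client-policies/policies` returns on your server. The policy names and the sample clients are constructed for the example, and the "all conditions must match" evaluation in `policies_for` is an assumption of the model, not a statement from the post.

```python
"""Build, locally sanity-check, and push the two OAuth 2.1 client policies
sketched in the post via the Keycloak Admin REST API (added example)."""
import json
import urllib.request

# ASSUMPTION: condition provider IDs and configuration keys are copied from
# the post; verify them against your Keycloak version before relying on them.
ACCESS_TYPE_CONDITION = "client-access-type"
CLIENT_TYPE_CONDITION = "client-type"


def build_oauth21_policies():
    """Return a ClientPoliciesRepresentation body ({"policies": [...]})
    holding one policy for public and one for confidential OIDC clients.
    Policy names are hypothetical."""
    def policy(name, access_type, profile):
        return {
            "name": name,
            "description": f"OAuth 2.1 for {access_type} OIDC clients",
            "enabled": True,
            "conditions": [
                {"condition": ACCESS_TYPE_CONDITION,
                 "configuration": {"type": [access_type]}},
                {"condition": CLIENT_TYPE_CONDITION,
                 "configuration": {"client-protocol": "openid-connect"}},
            ],
            "profiles": [profile],
        }

    return {"policies": [
        policy("oauth21-public-oidc", "public",
               "oauth-2-1-for-public-client"),
        policy("oauth21-confidential-oidc", "confidential",
               "oauth-2-1-for-confidential-client"),
    ]}


def access_type_of(client):
    """Derive the access type from ClientRepresentation flags:
    bearerOnly wins, then publicClient decides public vs confidential."""
    if client.get("bearerOnly"):
        return "bearer-only"
    return "public" if client.get("publicClient") else "confidential"


def condition_matches(cond, client):
    """Evaluate one condition against a ClientRepresentation dict."""
    if cond["condition"] == ACCESS_TYPE_CONDITION:
        return access_type_of(client) in cond["configuration"]["type"]
    if cond["condition"] == CLIENT_TYPE_CONDITION:
        # A client without an explicit protocol is an openid-connect client.
        proto = client.get("protocol", "openid-connect")
        return proto == cond["configuration"]["client-protocol"]
    raise ValueError(f"unsupported condition in this model: {cond['condition']}")


def policies_for(client, body):
    """Names of enabled policies whose conditions ALL match the client.
    ASSUMPTION: conjunctive (AND) evaluation of a policy's conditions."""
    return [
        p["name"] for p in body["policies"]
        if p["enabled"] and all(condition_matches(c, client) for c in p["conditions"])
    ]


def push_client_policies(base_url, realm, access_token, body):
    """PUT the body to the realm's client policies endpoint. This REPLACES
    the realm's whole policy list, so GET and merge first if others exist.
    Network call; not exercised offline."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{realm}/client-policies/policies",
        data=json.dumps(body).encode(),
        method="PUT",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample clients: a public SPA, a confidential backend,
    # a SAML client and a bearer-only API.
    samples = [
        {"clientId": "spa", "publicClient": True, "protocol": "openid-connect"},
        {"clientId": "backend", "publicClient": False, "protocol": "openid-connect"},
        {"clientId": "saml-app", "publicClient": True, "protocol": "saml"},
        {"clientId": "api", "bearerOnly": True},
    ]
    body = build_oauth21_policies()
    for c in samples:
        print(c["clientId"], "->", policies_for(c, body))
```

Note that with both conditions present, the SAML client and the bearer-only client fall through both policies in this model, which is the partition the post is aiming for; whether that matches the server's own evaluation order and the exact condition IDs is what the GET check above is for.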