Keycloak public client and authorization

java web-applications authorization keycloak openid-connect
NumeroUno picture NumeroUno · Nov 2, 2018 · Viewed 7.3k times · Source

We are using keycloak-adapter with Jetty for authentication and authorization using Keycloak. As per Keycloak doc for OIDC Auth flow:

Another important aspect of this flow is the concept of a public vs. a confidential client. Confidential clients are required to provide a client secret when they exchange the temporary codes for tokens. Public clients are not required to provide this client secret. Public clients are perfectly fine so long as HTTPS is strictly enforced and you are very strict about what redirect URIs are registered for the client.

HTML5/JavaScript clients always have to be public clients because there is no way to transmit the client secret to them in a secure manner.

We have webapps which connect to Jetty and use auth. So, we have created a public client and it works awesome for webapp/REST authentication.
The problem is as soon as we enable authorization, client type gets converted to Confidential from Public and it does not allow the reset it as Public. Now, we are in soup. We cannot have public clients due to authorization and we cannot connect webapps to confidential client.
This seems to be contradictory to us. Any idea why client needs to be confidential for authorization? Any help on this how can we overcome this issue?
Thanks.

Answer

maslick picture maslick · Jun 30, 2019

As far as I understood, you have your frontend and backend applications separated. If your frontend is a static web-app and not being served by the same backend application (server), and your backend is a simple REST API - then you would have two Keycloak clients configured:

  • public client for the frontend app. It would be responsible for acquiring JWT tokens.
  • bearer-only client, which would be attached to your backend application.

To enable authorization you would create roles (either realm or client scoped, start on the realm level as it's easier to comprehend). Every user would then be assigned a role/s in the Keycloak admin UI. Based on this you should configure your keycloak adapter configuration (on the backend).

All things considered, in order to talk to your REST API, you would attach a JWT token to each HTTP request in the Authorization header. Depending on your frontend framework, you can use either of these:

P.S. For debugging I have just written a CLI tool called brauzie that would help you fetch and analyse your JWT tokens (scopes, roles, etc.). It could be used for both public and confidential clients. You could as well use Postman and https://jwt.io

HTH :)

Related questions

java.lang.UnsatisfiedLinkError no *****.dll in java.library.path

How can I load a custom dll file in my web application? I've tried the following: Copied all required dlls in system32 folder and tried to load one of them in Servlet constructor System.loadLibrary Copied required dlls into tomcat_…

Read More
Who sets response content-type in Spring MVC (@ResponseBody)

I'm having in my Annotation driven Spring MVC Java web application runned on jetty web server (currently in maven jetty plugin). I'm trying to do some AJAX support with one controller method returning just String help text. Resources are in …

Read More
Address already in use: JVM_Bind java

Some times whenever I restart the application, which is built on Java Struts Mysql and Jboss 4.05 Version I get the error as Address already in use: JVM_Bind Only fix that i know is to restart the machine and try …

Read More