Baeldung/spring-security-oauth

Client secret is passed to/from user browser

dbuchwald opened this issue · 4 comments

newClient is defined in Keycloak as "confidential" and client_secret is required to obtain a token. This would have made sense if the token were retrieved using a direct connection between the client application server and the authorization server, because that communication would never occur in the user's browser.
However, given how this is currently implemented, the client secret is passed to the user's browser and used in a POST operation there, making it insecure.
Therefore two changes are required: newClient must be defined as "public" (to prevent client_secret from being required by Keycloak to issue a token), and the Angular client application must not contain the client secret.

Relevant PR will be created shortly.
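As an added example, not code from the Baeldung project: a Python check that reads a Keycloak realm export, lists the clients Keycloak treats as confidential, tests whether any of their secrets appear in the shipped browser bundle, and rewrites the offending client as public, which is the fix proposed above. The realm export and the Angular bundle snippet are constructed here; the field names clientId, publicClient and secret are Keycloak's ClientRepresentation fields, the values are made up.

```python
import json
import re

# Constructed sample Keycloak realm export (not the project's real file).
REALM_EXPORT = json.dumps({
    "realm": "example-realm",
    "clients": [
        {"clientId": "newClient", "publicClient": False,
         "secret": "example-secret-0123456789"},
        {"clientId": "otherPublicClient", "publicClient": True},
    ],
})

# Constructed stand-in for a built Angular bundle (e.g. main.js) that
# performs the token POST from the browser, as described in the issue.
ANGULAR_BUNDLE = (
    'this.http.post(tokenUrl, new HttpParams()'
    '.set("grant_type","authorization_code")'
    '.set("client_id","newClient")'
    '.set("client_secret","example-secret-0123456789"))'
)


def confidential_clients(realm_json):
    """Return {clientId: secret} for every client Keycloak treats as
    confidential (publicClient false or absent)."""
    realm = json.loads(realm_json)
    return {c["clientId"]: c.get("secret")
            for c in realm.get("clients", [])
            if not c.get("publicClient", False)}


def secrets_in_bundle(bundle_text, secrets):
    """Return client ids whose secret literally appears in browser code;
    anything listed here is visible to every user of the app."""
    return sorted(cid for cid, s in secrets.items() if s and s in bundle_text)


def sends_client_secret(bundle_text):
    """True if the bundle sets a client_secret parameter at all, whatever
    the value: a browser-based client should never send one."""
    return re.search(r"client_secret", bundle_text) is not None


def make_public(realm_json, client_id):
    """Return the export with client_id converted to a public client:
    publicClient true and the secret removed."""
    realm = json.loads(realm_json)
    for c in realm.get("clients", []):
        if c["clientId"] == client_id:
            c["publicClient"] = True
            c.pop("secret", None)
    return json.dumps(realm)
```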

Hi @dbuchwald,
Thanks for the feedback! We'll take a look into this and get back to you.

Keycloak server is not working

Can you let me know more details? Is it related to my pull request, or a general Keycloak issue?

lor6 commented

Thanks @dbuchwald I'll close this issue now that the PR is merged.