-1

I'm currently setting up an angular4 project with keycloak integration. And so as I follow the examples from keycloak github repository (angular2-product-example), I created a keycloak.json client configuration file and uploaded it on my web project, which is accessible via web url. I need it there so that I can initialize the js adapter:

let keycloakAuth: any = new Keycloak('keycloak.json');

But I have a concern with regards to security, the configuration with keycloak's client secret is accessible from the url. How is it normally secured in this case?

czetsuya
  • "as I follow the tutorial" — What tutorial? The extra context might help people provide a good answer. – Quentin Oct 21 '17 at 08:16
  • Keycloak examples from keycloak github repository https://github.com/keycloak/keycloak/tree/master/examples/demo-template – czetsuya Oct 21 '17 at 08:38

2 Answers

1

Frankly, this is not possible, as blocking it from being read by the user would mean blocking it from being read by Keycloak-js (they use XMLHttpRequest, but before the authorization, so requiring authorization to access keycloak.json in the first place is impossible).

As outlined in this tutorial (for React, mind you), you have to have a public client set up for your frontend, as the frontend will be exposed in vanilla code. According to this thread, a private client might work on Firefox or Chrome, but it inevitably produces a 400 through Internet Explorer, and is not guaranteed to work either way.

P.S., since, I assume, you are using the standard Keycloak-js adapter, you can also use simply const keycloak : Keycloak.KeycloakInstance = Keycloak();, and it should automatically take the keycloak.json file that is located in the same folder. This will mean less exposure to the file name to people unfamiliar with Keycloak-js.

Resn1963
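As an added example (not code from the question or from either answer), a pre-deploy check that rejects a keycloak.json carrying confidential-client material before the file is copied next to the Angular bundle, since anything served from the web root is readable by every visitor. The two sample files and the host sso.example.com are constructed for this example; the keys used (realm, auth-server-url, resource, public-client, credentials) are the adapter's own keycloak.json keys.

```javascript
// Constructed sample: the shape a browser-side (public) client should have.
const publicClientJson = JSON.stringify({
  realm: "demo",
  "auth-server-url": "https://sso.example.com/auth",
  "ssl-required": "external",
  resource: "angular-frontend",
  "public-client": true,
});

// Constructed sample: a confidential client's keycloak.json. The secret value
// is a placeholder, but any real one here would be exposed to the browser.
const confidentialClientJson = JSON.stringify({
  realm: "demo",
  "auth-server-url": "https://sso.example.com/auth",
  "ssl-required": "external",
  resource: "angular-frontend",
  credentials: { secret: "PLACEHOLDER-NOT-A-REAL-SECRET" },
});

// Returns a list of problems found in the adapter config text.
// An empty list means the file is safe to serve from the web root.
function checkBrowserAdapterConfig(jsonText) {
  const problems = [];
  let cfg;
  try {
    cfg = JSON.parse(jsonText);
  } catch (e) {
    return ["keycloak.json is not valid JSON"];
  }
  // A "credentials" block (client secret, signed-JWT keystore, ...) only
  // exists for confidential clients and must never reach the browser.
  if (cfg.credentials && typeof cfg.credentials === "object") {
    problems.push('"credentials" block present: confidential-client material would be public');
  }
  // The JS adapter runs in the user's browser, so the client must be public.
  if (cfg["public-client"] !== true) {
    problems.push('"public-client" is not true: the browser adapter needs a public client');
  }
  // Tokens are exchanged with this URL; plain http would expose them in transit.
  const url = cfg["auth-server-url"];
  if (typeof url === "string" && !url.startsWith("https://")) {
    problems.push('"auth-server-url" is not https: tokens would travel in clear');
  }
  return problems;
}

module.exports = { checkBrowserAdapterConfig, publicClientJson, confidentialClientJson };
```

Run it as a build step (for example before `ng build`) and fail the build when the returned list is non-empty.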
-1

You should use your .htaccess file to prevent access to specific files or folders on your web hosting. More info about the matter can be found on the link below:

How to prevent access with htaccess

anteAdamovic
  • 1
    Then the client-side JavaScript which needs to read it won't be able to access it either. You could get the same effect, with less effort, by just deleting the file. – Quentin Oct 21 '17 at 08:09
  • Blocking access to file via `.htaccess` won't block it for scripts running on the same domain. If configured properly of course. – anteAdamovic Oct 21 '17 at 08:11
  • It won't block access for *server-side* scripts (but dealing with those is best done by moving the file outside the document root entirely) but the question is talking about Angular. It's about client-side scripts. – Quentin Oct 21 '17 at 08:14