
Hi, I am a bit confused as to how to secure applications through Keycloak; the website shows how to secure clients. The application which I need to secure in my setup is a desktop application which uses Keycloak + keycloak-gatekeeper protected endpoints.

I managed to get it working using the following library in Python:

https://bitbucket.org/agriness/python-keycloak/src/master/

However, it requires me to enter the client secret, and I am wondering if this is safe?

Also, when I use the browser login instead, the browser doesn't need the client secret but goes through gatekeeper; this tells me that I am doing something wrong here.

thanks

Benjamin Hon

2 Answers


Use public access type client (Clients doc):

Public access type is for client-side clients that need to perform a browser login. With a client-side application there is no way to keep a secret safe. Instead it is very important to restrict access by configuring correct redirect URIs for the client.

You can change the access type in the admin interface: Clients - choose the client - Settings tab.

Vadim Ashikhman
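To make the public-client advice above concrete, here is an added example (not part of the answer or of python-keycloak): the password-grant body that a public client sends carries no client_secret, the browser-login URL carries none either, and what protects such a client is the registered redirect URI list. The redirect check is a simplified model of Keycloak's "Valid Redirect URIs" matching, assumed here for illustration; the endpoint path and parameter names are the standard OpenID Connect ones.

```python
from urllib.parse import urlencode
import secrets


def token_request_body(client_id, username, password, client_secret=None):
    """Form body of the password-grant call that a client such as
    python-keycloak's KeycloakOpenID.token() makes. A public client sends
    only its client_id; only a confidential client adds client_secret."""
    body = {
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
    }
    if client_secret is not None:  # confidential clients only
        body["client_secret"] = client_secret
    return body


def authorization_url(base_url, realm, client_id, redirect_uri, state=None):
    """Browser-login (authorization code) URL for a public client.
    No secret appears anywhere in it; base_url is e.g. http://localhost:8080/auth."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "state": state or secrets.token_urlsafe(16),  # CSRF binding
    }
    return f"{base_url}/realms/{realm}/protocol/openid-connect/auth?{urlencode(params)}"


def redirect_uri_allowed(requested, registered):
    """Simplified model (an assumption, not Keycloak's code) of the
    'Valid Redirect URIs' check: exact match, or prefix match when the
    registered entry ends in '*'. A bare '*' therefore accepts any URI,
    which is why the answer stresses configuring the list correctly."""
    for pattern in registered:
        if pattern.endswith("*"):
            if requested.startswith(pattern[:-1]):
                return True
        elif requested == pattern:
            return True
    return False
```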

[screenshot: keycloak client]

In your case, I would use Access Type: confidential and Authorization Enabled: on,

and you should use the secret key to authorize your call to Keycloak when you want to interact with the Keycloak API:

import org.keycloak.OAuth2Constants;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;

// serverUrl must be the full base URL of the Keycloak server, not just a host name
Keycloak keycloak = KeycloakBuilder.builder()
                .serverUrl("http://localhost:8080/auth")
                .realm("myRealm")
                .grantType(OAuth2Constants.PASSWORD)
                .clientId("myclient")
                .clientSecret("xxxx-xxxxx-xxxx-xxx") // secret of the confidential client
                .username("foo") // the admin user
                .password("password")
                .build();
// list the users of the realm through the admin REST API
keycloak.realm("myRealm").users().list();
Noa