KEYCLOAK Client Access Types explained: public, confidential, bearer-only | Niko Köbler (@dasniko)

  • Published 26 Aug 2024

Comments • 46

  • @stantonviaduc4168 3 years ago +2

    Bearer-only clients were still a mystery for me before this video. Thanks!

  • @actarusgunhed4712 2 years ago +2

    You rock Nikö! Clear and very understandable, thank you! Let Keycloak live long!

  • @javageek123 3 years ago +1

    Falling in love with dasniko's style of tech talks. I wish I could give multiple thumbs up.

    • @dasniko 3 years ago

      😍🤩🙏

  • @grsamsta 3 years ago +8

    As always, great content Niko. However, you didn't mention that for a public client you should move away from Implicit Flow towards Auth Code with PKCE, and how to configure Auth Code with PKCE in Keycloak. Anyway, kudos for creating this Keycloak series.

    • @dasniko 3 years ago +3

      Damn, I knew I forgot something... You are totally right, this is missing!
      Thanks anyway, I'm happy you like it. Hopefully with your comment, people will see this issue with implicit flow.

  • @narendrachary6592 11 months ago +2

    Hi, can you please explain on the latest Keycloak 22 version?

  • @ducanhtran4842 3 years ago +1

    Thank you for the awesome video, Niko!

  • @FrerkMeyer 1 year ago +1

    Thank you! Vielen Dank!

  • @mugume 2 years ago +1

    thanks @Niko - great tutorial

  • @Togrul280 2 years ago +1

    Great video !

  • @medziedhaddar5653 1 year ago +1

    Great

  • @basselkh5147 3 years ago

    Super, thanks

  • @ClaudioBarca 1 year ago

    I have a SPA; the user has logged in with a public client, but the backend API has authorizations to read/write/delete resources.
    When using a public client (without client secret), how can I manage and use the resource authorizations?

    • @dasniko 1 year ago

      Your public client (SPA) can't deal with authorizations. You'll have to make the request to the backend with the frontend access_token. The backend needs to be a confidential client (with e.g. client id/secret) and send the received access_token for authorization policy evaluation to Keycloak to get the RPT back.

  • @pacolopez9577 1 year ago

    In version 21 I can't see anywhere the option to configure a bearer only client...

    • @dasniko 1 year ago

      They are no longer available since the new Admin UI, as they are not needed, actually.

  • @stuetz 1 year ago

    Hi Nico,
    thank you for your excellent work.
    What happened to the client access types in the Quarkus version of Keycloak (currently 21+)?

    • @dasniko 1 year ago +1

      Same same, but different. ;)
      "Confidential" is now "Client authentication on" and "public" is "Client authentication off". There's no explicit type for a "bearer-only" client, as these clients do not necessarily need to be configured.

    • @manjunathcse 1 year ago

      @@dasniko but what if I need a client for the backend service which can use an already generated token from the frontend?

  • @akshaygupta7449 2 years ago

    Hi Niko, thanks for the explanation. I am facing issues configuring public IP addresses on Keycloak. Would you mind telling me if any specific configuration needs to be noted?

  • @CaptainMalibu 1 year ago

    I could use some help. I have an Angular application, a Keycloak server and a backend server.
    I control the login process between the Angular application and the Keycloak server with the public access type (standard flow). The Angular application now has the access token. I want to send requests to the backend. The backend is supposed to validate the token somehow, but for that it has to somehow get the access token or pub-key from the Keycloak server. Can someone help me there?

    • @CaptainMalibu 1 year ago

      Which access type do I need for the backend server? Which flow? And is there a REST API so the backend can request the token or pub key?

    • @dasniko 1 year ago

      Frontend (Angular) is a public client with standard (auth code) grant and PKCE enabled.
      Backend is "bearer-only" and doesn't need to be configured in Keycloak. Depending on the library used there, it is self-configuring with the IdP URL or you have to provide the public key for token verification.
      Frontend sends the access_token with every request to the backend in the Authorization header as a Bearer token.

  • @avimehenwal 2 years ago

    Hello, great video. I am looking for some examples where I can use Keycloak to power a frontend application login flow and also provide user and role management capabilities, like CRUD on Keycloak roles and users right from the frontend application. I am having a hard time finding help on this topic and any help would be appreciated. Super, thank you.

  • @mehdiben9624 2 years ago

    Hi, can two clients in the same realm communicate with each other on Keycloak? If yes, how? If no, why?

  • @giovannibertoncelli6777 1 year ago

    Hello Niko, I was wondering, which OAuth 2.0 flow do public clients use? I have this doubt since Authorization Code Flow should theoretically always require a client secret.

    • @dasniko 1 year ago

      Authorization Code Grant is possible with public clients, but usage of PKCE is highly recommended (kind of mandatory, from a security perspective, not from the current specs, but it is mentioned in the OAuth2 best practices guide.)

  • @mohamedawadallah7208 1 year ago

    Does Keycloak 20 support the client_credentials grant type?

    • @dasniko 1 year ago

      Keycloak does support this since version 1.x as it is in the OAuth2 spec and Keycloak is OIDC and OAuth2 compliant.

  • @keigezellig 2 years ago

    Very nice video, but I am still not sure what to use for my backend services. I have services that communicate with each other and services that communicate with the frontend (even services that communicate both with the frontend AND with another service).
    The frontend will handle all the login stuff. So should I use a confidential client with a service account or should I use a bearer-only client for the backend services?

    • @fortytoo4u 2 years ago

      I am still trying to figure out the same thing. From this video, I got the impression that a backend service that has an API that others need to authorize against, can be a bearer-only. While a backend service that wants to call that API, should be confidential, and can then use the client credentials flow (service account in Keycloak) to get authorized.
      Would be great to have confirmation on that.

    • @Gringohuevon 2 years ago +3

      @@fortytoo4u If you have a back-end service that receives access tokens as part of a request, then that could be a bearer-only client, validating the token against the introspect or userinfo endpoint. If, however, you have a backend service that doesn't receive a token from an HTTP request (e.g. this service reads a message queue and then needs to call other services via REST), this service will need to get a token. In this case the message-queue-reading service is a confidential client, e.g. reads message, calls Keycloak as confidential client, receives token, calls other REST services.

  • @brucewayne2480 3 years ago

    Thanks for the video. What about mobile apps? Which profile to choose without having a flow that requires authentication using the browser (which is a bad user experience)? Because confidential is not secure: a malicious user can unpack the app and get the secret.

    • @samiraghayarov6898 2 years ago +1

      For mobile apps it is still recommended to use auth code flow with the PKCE extension with Chrome Custom Tabs (Android); it is a more secure version of Web Views as the app doesn't have access to Chrome Custom Tabs. You don't want to use the browser as the user leaves the app context.

    • @brucewayne2480 2 years ago

      @@samiraghayarov6898 thank you! What about the user experience? Do you have a real example?

  • @viveksingh-hv2ph 2 years ago

    I have an Angular website which has a Keycloak login flow. I need to implement a new login flow wherein the user can be authenticated with MetaMask or a similar plugin. I manually save these users in Keycloak with their public address as username. Any ideas how I can log in such users authenticated from browser plugins to the website?

    • @dunebuggy1292 2 years ago

      You would probably need to setup a confidential client, since in the case of metamask you're making various backend calls, unlike an SPA. From my understanding, the reason you would use a public client for SPA or mobile, is because the services are built-in, thus not requiring backend calls to reach protected areas.

    • @viveksingh-hv2ph 2 years ago

      @@dunebuggy1292 I can create a new confidential client, but how to auto-login and create a user session after the user logs in through MetaMask from the browser is where the problem is.

  • @mrshodz 2 years ago

    Great video. Can you please do a video on policies and permissions?

  • @xichen2677 5 months ago

    @Niko, at 03:25 you said a "Confidential" client can exchange the authorization code together with client id and client secret for an access token of the user. Could you please clarify your statement? I mean, doesn't confidential client mean the back-channel clients, in other words the backend applications? Why does backend-to-backend authorization need to use the code flow? Shouldn't it just exchange client id & secret for an access token?

  • @mariospalazis-aslanidis1281 1 year ago

    Can you access the REST API from all three access types?

  • @manfredgriesser1409 2 years ago

    You should provide a better example of a proper redirect URL than "/*" in the public client description.
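To make the point concrete, here is an added configuration example (not from the video and not a Keycloak default) in Keycloak's realm-import JSON format: the same public client once with the wildcard redirect and Implicit Flow left on, and once tightened. The client id, hostnames and callback path are assumptions.

```json
{
  "clients": [
    {
      "clientId": "frontend-weak",
      "protocol": "openid-connect",
      "publicClient": true,
      "standardFlowEnabled": true,
      "implicitFlowEnabled": true,
      "redirectUris": ["/*"],
      "webOrigins": ["*"]
    },
    {
      "clientId": "frontend",
      "protocol": "openid-connect",
      "publicClient": true,
      "standardFlowEnabled": true,
      "implicitFlowEnabled": false,
      "directAccessGrantsEnabled": false,
      "serviceAccountsEnabled": false,
      "rootUrl": "https://app.example.com",
      "redirectUris": ["https://app.example.com/callback"],
      "webOrigins": ["https://app.example.com"],
      "attributes": {
        "pkce.code.challenge.method": "S256"
      }
    }
  ]
}
```

The first entry accepts any path as the place to deliver the authorization code and any origin for CORS; the second registers the one exact callback URL the SPA uses, restricts CORS to the app's origin, turns off the grants a browser app never needs, and makes Keycloak reject code exchanges from this client that do not carry an S256 PKCE challenge.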

  • @30harshal 2 years ago

    Are reference/opaque/phantom tokens supported by Keycloak? I don't think they are, based on my own research. Is there a way we could make this work?

    • @dasniko 2 years ago +1

      Keycloak is OIDC. In OIDC spec, JWT format is mandatory.