spring-security-oauth

Client secret is passed to/from user browser

Open dbuchwald opened this issue 3 years ago • 3 comments

newClient is defined in Keycloak as "confidential", and client_secret is required to obtain a token. This would have made sense if the token were retrieved using a direct connection between the client application server and the authorization server, because that communication would never occur in the user's browser. However, given how this is currently implemented, the client secret is passed to the user's browser and used in a POST operation there, making it insecure. Therefore, two changes are required: newClient must be defined as "public" (to prevent client_secret being required by Keycloak to issue a token), and the Angular client application must not contain the client secret.

Relevant PR will be created shortly.

dbuchwald avatar Mar 27 '22 19:03 dbuchwald
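The misconfiguration reported above can be checked mechanically. The following is an added audit script, not code from the issue, the PR or the project: it reads a Keycloak realm export (the `publicClient` flag is Keycloak's real ClientRepresentation field; the realm and secret values are constructed placeholders) and flags browser-side clients that Keycloak still treats as confidential, and it inspects the form body a browser posts to the token endpoint to see whether `client_secret` travels with it.

```python
"""Audit for the issue described above: a browser-based (Angular) client registered
in Keycloak as confidential, which forces client_secret to be sent from the browser."""
import json
from urllib.parse import parse_qs

# Constructed sample realm export. "newClient" is the client named in the issue;
# the secret values are placeholders, not real credentials.
REALM_EXPORT = json.dumps({
    "realm": "demo",
    "clients": [
        {"clientId": "newClient", "publicClient": False,
         "secret": "EXAMPLE-SECRET-PLACEHOLDER",
         "redirectUris": ["http://localhost:4200/*"]},
        {"clientId": "backend-service", "publicClient": False,
         "secret": "EXAMPLE-SECRET-PLACEHOLDER-2",
         "redirectUris": []},
    ],
})

# Constructed sample token requests as an Angular app would POST them:
# the insecure one ships the secret to every user, the fixed one does not.
BROWSER_TOKEN_REQUEST_INSECURE = (
    "grant_type=authorization_code&code=abc123&client_id=newClient"
    "&client_secret=EXAMPLE-SECRET-PLACEHOLDER&redirect_uri=http://localhost:4200/"
)
BROWSER_TOKEN_REQUEST_FIXED = (
    "grant_type=authorization_code&code=abc123&client_id=newClient"
    "&redirect_uri=http://localhost:4200/"
)


def confidential_browser_clients(realm_json: str, browser_client_ids) -> list:
    """Return clientIds used by browser apps that Keycloak treats as confidential.
    Keycloak marks public clients with "publicClient": true; anything else needs a secret."""
    realm = json.loads(realm_json)
    return sorted(
        c["clientId"] for c in realm.get("clients", [])
        if c["clientId"] in browser_client_ids and not c.get("publicClient", False)
    )


def secret_in_browser_request(form_body: str) -> bool:
    """True if a token request sent from the browser carries client_secret."""
    return "client_secret" in parse_qs(form_body, keep_blank_values=True)


if __name__ == "__main__":
    print(confidential_browser_clients(REALM_EXPORT, {"newClient"}))  # ['newClient']
    print(secret_in_browser_request(BROWSER_TOKEN_REQUEST_INSECURE))  # True
    print(secret_in_browser_request(BROWSER_TOKEN_REQUEST_FIXED))     # False
```

Running the audit against an exported realm before merging a frontend change catches the case where a SPA's client is still confidential, which is exactly the condition that forces the secret into the bundle.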

Hi @dbuchwald , Thanks for the feedback! We'll take a look into this and get back to you.

kwoyke avatar May 20 '22 07:05 kwoyke

keycloak server is not working

yadappagol avatar Jul 12 '22 10:07 yadappagol

keycloak server is not working

Can you let me know more details? Is it related to my pull request, or general keycloak issue?

dbuchwald avatar Jul 12 '22 10:07 dbuchwald

Thanks @dbuchwald I'll close this issue now that the PR is merged.

lor6 avatar Sep 15 '22 14:09 lor6