react-native-keycloak
unauthorized_client: Client secret not provided in request
I am using Google identity provider. By calling the keycloak.login({idpHint: 'google'}) function, a new user gets created successfully in the Keycloak admin console, but I am unable to get its access token. The call for the access token is being made internally by this package. Is there a way to provide a clientSecret to Keycloak?
Hi, sorry for the late answer. We need a repro for some tests, otherwise we cannot help.
Hi @IronTony, is there a way to provide a client secret?
Locally I have a Keycloak server with access type set to confidential. When I set this, the client_secret query parameter becomes necessary to pass in the URL.
From the docs, I can pass only clientId, url, realm and oidcProvider (not sure what it is for).
But I cannot find the parameter where I can pass this client secret. Any help is appreciated. Thanks.
My bad, you can ignore the above message.
Can you explain how you managed to fix this issue?
I have the same problem. I need to provide the client secret but I see no way of doing so.
Thanks
Hi @sabhi96 can you explain how you did for @ronangaillard ? Thank you
Hi @ronangaillard. In Keycloak, to connect to Keycloak-secured servers you need a client secret. But when you are authenticating through the front end, you don't need to pass a client secret. You need to pass a nonce and the implicit flow type.
I have configured it this way:
keycloak config

    const keycloak = new RNKeycloak({
      clientId: config.KEYCLOAK.clientId,
      realm: config.KEYCLOAK.realm,
      url: config.KEYCLOAK.url,
    });

keycloak initoptions

    const keycloakInitOptions = {
      flow: 'implicit',
      // if you need to customize the "react-native-inappbrowser-reborn" view you can use the following attribute
      inAppBrowserOptions: {
        // For iOS check: https://github.com/proyecto26/react-native-inappbrowser#ios-options
        // For Android check: https://github.com/proyecto26/react-native-inappbrowser#android-options
      },
      redirectUri: 'somecallbackurl',
      useNonce: true,
    };
Via this method you will get the authToken, but you will not get a refreshToken from Keycloak. So what you can do is, once the token expires, re-validate it with Keycloak.
Hope this helps. Let me know if there is anything I can do to help you out.
Cheers
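The consequence of the implicit-flow setup above is that the app holds a short-lived access token and no refresh token, so it has to notice expiry itself and send the user back through login. The following is an added example, not code from react-native-keycloak or from anyone in this thread. It reads the `exp` claim of the access token (parsing only, no signature verification, which is the server's job), keeps a clock-skew margin, and re-runs `login()` when the token is no longer usable. It assumes an object shaped like an RNKeycloak instance (a `token` property and an async `login(options)` that updates it); the `{ idpHint: 'google' }` option is taken from the original question. It uses Node's `Buffer` for base64url decoding, so in React Native you would substitute a base64 polyfill.

```javascript
// Added example (not part of react-native-keycloak or this thread): with the
// implicit flow there is no refresh token, so the app must detect when the
// access token expires and send the user back through login().
// Uses Node's Buffer for base64url; React Native needs a base64 polyfill.

const CLOCK_SKEW_SECONDS = 30; // tolerate clock drift between device and server

// Decode the payload segment of a JWT. This only parses the claims for
// scheduling purposes; it does NOT verify the signature, so never use the
// result to make authorization decisions on a server.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT: expected three segments');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Seconds remaining before the token's exp claim, minus the skew margin.
function secondsUntilExpiry(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { exp } = decodeJwtPayload(token);
  if (typeof exp !== 'number') throw new Error('token has no numeric exp claim');
  return exp - nowSeconds - CLOCK_SKEW_SECONDS;
}

function isTokenExpired(token, nowSeconds) {
  return secondsUntilExpiry(token, nowSeconds) <= 0;
}

// Return a usable access token, re-running the interactive login when the
// current one has expired. `kc` is assumed to look like an RNKeycloak instance:
// it exposes `token` and an async `login(options)` that replaces `token`.
async function getUsableToken(kc, nowSeconds, loginOptions = {}) {
  if (kc.token && !isTokenExpired(kc.token, nowSeconds)) {
    return { token: kc.token, reauthenticated: false };
  }
  await kc.login(loginOptions);
  if (!kc.token || isTokenExpired(kc.token, nowSeconds)) {
    throw new Error('login did not produce a valid access token');
  }
  return { token: kc.token, reauthenticated: true };
}

// Build an unsigned, CONSTRUCTED token with the given claims so the helpers can
// be exercised offline. A real Keycloak token is signed (RS256 by default);
// this one is only a fixture.
function makeFixtureToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.fixture-signature`;
}

async function demo() {
  const now = Math.floor(Date.now() / 1000);
  const kc = {
    token: makeFixtureToken({ exp: now - 1, sub: 'demo-user' }), // already expired
    // Stand-in for RNKeycloak.login(): the real one opens the in-app browser.
    async login() { this.token = makeFixtureToken({ exp: now + 300, sub: 'demo-user' }); },
  };
  const result = await getUsableToken(kc, now, { idpHint: 'google' });
  console.log('reauthenticated:', result.reauthenticated,
    '- usable for', secondsUntilExpiry(result.token, now), 's');
}

demo().catch((e) => { console.error(e); process.exitCode = 1; });
```

Without a refresh token the only recovery path is the interactive login, so a practical app would call `getUsableToken` before each API request and schedule the re-login a little before `secondsUntilExpiry` reaches zero rather than waiting for a 401.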
Unfortunately the people I'm working with require me to use client secret, even if it's bad practice.
Here is a dirty implementation I made
Hi @ronangaillard,
do a PR pls.
Not sure it's a good idea as this is not something you want to incite
@abhisheksaxenaa could you elaborate the re-validation of the token? How do we accomplish it without the refresh token? Do you mean, that the user has to enter the credentials again, so basically signing in every time the token expires?
@seco35 If you are using a client secret, which is not recommended, then you can get the refresh token out of Keycloak. Without a refresh token it is not possible to revalidate the token, as per my understanding. Maybe I need to do some research on whether it's possible or not.
Yes, without a refresh token the user has to sign in every time the token expires.
Can you tell me where to enter the client secret? I don't know how to configure it properly.
Edit: I ended up using the above-mentioned implementation of @ronangaillard; it works for now. Could someone tell me what the security risks are when providing the client secret? I mean, the connection is done using https in production, and no one is potentially able to read the information, right?