
I'm implementing the authorization code flow using a Keycloak confidential client. When exchanging the code for tokens, Keycloak requires client_secret in the payload; otherwise Keycloak returns an error: invalid client or invalid client credentials.

Is it possible to omit client_secret from the token exchange payload? I searched for PKCE, but it seems like PKCE is only used for public clients.

    The whole point of using the confidential client is to use a client secret. What is the issue with using a public client? – dreamcrash Apr 25 '23 at 08:18
  • @dreamcrash Actually I'm implementing RBAC in Keycloak (refer: https://stackoverflow.com/questions/42186537/resources-scopes-permissions-and-policies-in-keycloak), and it requires a confidential client to set up the authorization. I also prefer public clients but I haven't figured out how to use them in that case. – Tan Nguyen Apr 25 '23 at 09:22
  • Can your client securely store a password so that nobody but the client has access to it? – sventorben Apr 26 '23 at 05:43
  • @sventorben yep – Tan Nguyen Apr 26 '23 at 10:16
  • Why not simply using the client_secret then? – sventorben Apr 29 '23 at 16:30
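As an added illustration (not from the question or from Keycloak's own code): how the token request differs between the two client types discussed above. A confidential client must still authenticate, but Keycloak's "Client Id and Secret" authenticator also accepts the secret as an HTTP Basic header (client_secret_basic), so it does not have to sit in the form body; a public client sends no secret and instead proves possession of the original authorization request with a PKCE code_verifier (RFC 7636, S256). The hostname, realm, client names and authorization code below are placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Placeholder Keycloak token endpoint (constructed for this example).
TOKEN_URL = "https://keycloak.example.com/realms/demo/protocol/openid-connect/token"


def make_code_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 code_verifier: 43..128 unreserved chars; 32 random bytes give 43."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode()


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), no '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_token_request(code, redirect_uri, client_id, client_secret=None, code_verifier=None):
    """Return (headers, urlencoded form body) for the authorization_code grant.

    Confidential client: pass client_secret; it is sent via HTTP Basic so the
    secret never appears in the form body (the body then omits client_id, per RFC 6749).
    Public client: pass code_verifier; the server recomputes the S256 challenge
    it stored at the authorization request and rejects a mismatch.
    """
    if client_secret is None and code_verifier is None:
        raise ValueError("a token request needs a client secret, a PKCE verifier, or both")
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is not None:
        creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {creds}"
    else:
        form["client_id"] = client_id  # public clients identify themselves in the body
    if code_verifier is not None:
        form["code_verifier"] = code_verifier
    return headers, urlencode(form)


if __name__ == "__main__":
    verifier = make_code_verifier()
    print("authorize with code_challenge =", code_challenge_s256(verifier))
    print(build_token_request("AUTH_CODE", "https://app.example/cb", "backend", client_secret="PLACEHOLDER"))
    print(build_token_request("AUTH_CODE", "https://app.example/cb", "spa", code_verifier=verifier))
```

The verifier must be kept by the client between the authorization request and the token request; only the challenge is sent up front.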

0 Answers