I have a frontend and backend application (angular + spring boot). The frontend is served as static web content, then it sends the REST calls to the backend API on the same port.
Keycloak with the OpenID protocol is used for user authentication and role management. Upon a request which requires authentication, the browser is redirected to Keycloak, the user gives username and password, then the user roles are returned to the browser written into the access token.
Later the frontend sends this access token with every request, and the backend checks the token signature against Keycloak's public key before fulfilling the request.
Currently it works fine with one public client in Keycloak. But I am required to switch to confidential client.
How is this even possible? My understanding is that confidential application requires the client secret in the token request, which can not be sent to the browser… because it is secret.
Can someone please explain?
Answer
You typically tend to move to the BFF-pattern to better secure your SPA applications so that you do not have to deal with tokens directly in the SPA application.
Do read more about the SPA pattern here:
The BFF Pattern (Backend for Frontend): An Introduction
This video is also a good intro to what you have to do:
alert('OAuth 2.0'); // The impact of XSS on OAuth 2.0 in SPAs
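To make the BFF idea concrete, here is an added example that is not part of the answer above and not the asker's Spring Boot code: a minimal backend-for-frontend written in Go. The backend, not the browser, performs the authorization-code exchange as a confidential client (the client secret is sent with HTTP Basic auth to the token endpoint), keeps the resulting access token in a server-side session, and hands the browser only an opaque HttpOnly cookie. The client id, secret, redirect URI, the code value "good-code" and the fake Keycloak token endpoint are all constructed for the demo so it runs offline; a real deployment would point `tokenEndpoint` at Keycloak's `/protocol/openid-connect/token` URL and forward API calls upstream with the stored bearer token.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
)

// Constructed credentials for this demo. With a confidential client the secret is
// configured on the backend only; the SPA never receives it.
const (
	clientID     = "spa-bff"
	clientSecret = "demo-secret-never-sent-to-browser"
	redirectURI  = "http://localhost:8080/login/callback"
)

// BFF stores access tokens server-side, keyed by an opaque session id.
type BFF struct {
	tokenEndpoint string
	mu            sync.Mutex
	sessions      map[string]string // session id -> access token
}

func NewBFF(tokenEndpoint string) *BFF {
	return &BFF{tokenEndpoint: tokenEndpoint, sessions: map[string]string{}}
}

// exchangeCode runs the authorization-code grant from the backend, authenticating
// with client_secret_basic. This request never passes through the browser.
func (b *BFF) exchangeCode(code string) (string, error) {
	form := url.Values{"grant_type": {"authorization_code"}, "code": {code}, "redirect_uri": {redirectURI}}
	req, err := http.NewRequest(http.MethodPost, b.tokenEndpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return "", err
	}
	req.SetBasicAuth(clientID, clientSecret)
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("token endpoint returned %d", resp.StatusCode)
	}
	var body struct {
		AccessToken string `json:"access_token"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil || body.AccessToken == "" {
		return "", fmt.Errorf("no access token in response")
	}
	return body.AccessToken, nil
}

// Callback receives the redirect from the identity provider, swaps the code for a
// token on the server and gives the browser only an opaque HttpOnly session cookie.
func (b *BFF) Callback(w http.ResponseWriter, r *http.Request) {
	token, err := b.exchangeCode(r.URL.Query().Get("code"))
	if err != nil {
		http.Error(w, "login failed", http.StatusBadGateway)
		return
	}
	raw := make([]byte, 16)
	rand.Read(raw)
	sid := hex.EncodeToString(raw)
	b.mu.Lock()
	b.sessions[sid] = token
	b.mu.Unlock()
	http.SetCookie(w, &http.Cookie{Name: "bff_session", Value: sid, Path: "/", HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode})
	w.WriteHeader(http.StatusNoContent)
}

// API is what the SPA calls with just the cookie. A real BFF would forward the request
// upstream with "Authorization: Bearer <token>"; here it only confirms a session exists.
func (b *BFF) API(w http.ResponseWriter, r *http.Request) {
	c, err := r.Cookie("bff_session")
	if err != nil {
		http.Error(w, "no session", http.StatusUnauthorized)
		return
	}
	b.mu.Lock()
	token, ok := b.sessions[c.Value]
	b.mu.Unlock()
	if !ok || token == "" {
		http.Error(w, "no session", http.StatusUnauthorized)
		return
	}
	fmt.Fprint(w, `{"authenticated":true}`)
}

// fakeTokenEndpoint stands in for Keycloak's token endpoint so the demo runs offline.
// It accepts only the constructed client secret and the constructed code "good-code".
func fakeTokenEndpoint() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, secret, ok := r.BasicAuth()
		if !ok || id != clientID || secret != clientSecret {
			http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
			return
		}
		r.ParseForm()
		if r.Form.Get("grant_type") != "authorization_code" || r.Form.Get("code") != "good-code" {
			http.Error(w, `{"error":"invalid_grant"}`, http.StatusBadRequest)
			return
		}
		json.NewEncoder(w).Encode(map[string]string{"access_token": "constructed.access.token", "token_type": "Bearer"})
	}))
}

// RunLogin drives the callback with a code and returns the cookie the browser would
// store, the callback response body (to show no token leaks) and the API status.
func RunLogin(code string) (cookie string, body string, apiStatus int) {
	kc := fakeTokenEndpoint()
	defer kc.Close()
	bff := NewBFF(kc.URL)
	rec := httptest.NewRecorder()
	bff.Callback(rec, httptest.NewRequest(http.MethodGet, "/login/callback?code="+url.QueryEscape(code), nil))
	body = rec.Body.String()
	for _, c := range rec.Result().Cookies() {
		if c.Name == "bff_session" {
			cookie = c.Value
		}
	}
	req := httptest.NewRequest(http.MethodGet, "/api/me", nil)
	if cookie != "" {
		req.AddCookie(&http.Cookie{Name: "bff_session", Value: cookie})
	}
	rec2 := httptest.NewRecorder()
	bff.API(rec2, req)
	return cookie, body, rec2.Code
}
```

The point to check in your own setup is the same as in `RunLogin`: after login the browser holds a random session id and nothing else, the access token and the client secret exist only on the backend, and an XSS payload in the SPA can at most make requests through the BFF while the session lasts rather than exfiltrate a bearer token. Calling `RunLogin("good-code")` yields a cookie and API status 200; a wrong code yields no cookie and 401.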