Keycloak is an open-source Identity and Access Management (IAM) solution that provides authentication, authorization, and user management capabilities. One of the critical concepts in Keycloak is clients. Clients represent applications that interact with Keycloak to authenticate users and gain access to secured resources. These clients can be categorized into two types: public and confidential.

In this blog post, we’ll explore the differences between public and confidential clients, explain how to create them, and provide real-world scenarios to help you decide when to use each type.

Public Clients

What are Public Clients?

A public client is an application that cannot securely store sensitive information, such as client credentials. As a result, public clients do not require client authentication (no client secret or certificate is needed) when requesting access tokens from Keycloak. This type of client is typically used for applications running in environments where storing secrets securely is challenging, such as in a browser or mobile app.

Characteristics of Public Clients:

  • No client secret: Since the application cannot securely store the client secret, it does not have one.
  • Authorization Code Flow with PKCE: Public clients should use the Authorization Code Flow with PKCE (Proof Key for Code Exchange), which ties the authorization code to the client instance that started the flow, so an intercepted code cannot be redeemed by anyone else. The older Implicit Flow is still available but is no longer recommended.
  • Vulnerable Environment: These clients operate in environments where the code or client can be reverse-engineered, like in browsers or mobile devices.

When to Use a Public Client:

  • Mobile Applications: A mobile app installed on a user’s phone cannot securely store a client secret. A public client is used here with PKCE to enhance security.
  • Single Page Applications (SPAs): SPAs running in the browser are also treated as public clients. They use OAuth 2.0 Authorization Code Flow with PKCE for security.

Real-World Scenario for Public Clients:

  • Mobile Banking App: A banking app for iOS or Android needs to authenticate users and obtain an access token. Since it’s a mobile app and cannot store secrets securely, it would be configured as a public client, using Authorization Code Flow with PKCE to protect against code interception.

Confidential Clients

What are Confidential Clients?

A confidential client is an application that can securely store sensitive information, such as a client secret or certificate. These clients are usually server-side applications, like back-end services or web servers, where the secret can be securely stored and is not exposed to the public. Confidential clients must authenticate themselves with Keycloak using their client credentials (client ID and secret) to request tokens.

Characteristics of Confidential Clients:

  • Requires client secret: Confidential clients must have a client secret (or client certificate) to authenticate themselves when interacting with Keycloak.
  • Authorization Code Flow: Confidential clients use the Authorization Code Flow and authenticate with their own credentials at the token endpoint, so PKCE is not required for them (it remains a useful defence-in-depth measure, and Keycloak can enforce it for any client).
  • Server-side: These clients typically run on the server side, where sensitive information like client secrets can be stored securely.

When to Use a Confidential Client:

  • Backend Services: Use a confidential client for backend services that can securely store a client secret or certificate.
  • Web Applications: Server-side web applications, such as Spring Boot, ASP.NET, or Node.js apps, which manage session states and user sessions on the server, are good candidates for confidential clients.

Real-World Scenario for Confidential Clients:

  • E-Commerce Web Server: An e-commerce website with a backend written in Java that manages user sessions and communicates with Keycloak for authentication. Since the backend can securely store secrets, it would be configured as a confidential client, exchanging tokens securely with Keycloak.
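The two token exchanges described above (public client with PKCE, confidential client with a secret) as an added example; this is not code from the original post. It assumes a realm called demo on a local Keycloak without the /auth prefix, and placeholder client IDs, redirect URIs and secret; the dicts it returns are the form bodies you would POST to the token endpoint.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Assumed endpoints for a realm named "demo" (placeholder values).
BASE = "http://localhost:8080/realms/demo/protocol/openid-connect"
AUTH_URL = f"{BASE}/auth"
TOKEN_URL = f"{BASE}/token"


def pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) using the S256 method from RFC 7636."""
    if verifier is None:
        # 32 random bytes -> 43-character base64url verifier (allowed range 43..128)
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def public_client_authorize_url(client_id, redirect_uri, challenge, state):
    """Step 1 for a public client: send the user to Keycloak with the challenge."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTH_URL}?{urlencode(params)}"


def public_client_token_request(client_id, redirect_uri, code, verifier):
    """Step 2 for a public client: no secret; the code_verifier proves who started the flow."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": verifier,
    }


def confidential_client_token_request(client_id, client_secret, redirect_uri, code):
    """Confidential client: authenticates with client ID and secret via HTTP Basic."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}"}
    body = {"grant_type": "authorization_code", "redirect_uri": redirect_uri, "code": code}
    return headers, body
```

Both request shapes are form-encoded POSTs to TOKEN_URL; the secret never appears in the public client's request, which is the whole point of the distinction.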

How to Create Public and Confidential Clients in Keycloak

Creating a public or confidential client in Keycloak is straightforward. Below are the steps:

Step 1: Log in to Keycloak Admin Console

  • Open your Keycloak Admin Console at http://localhost:8080/auth/admin/ (or the appropriate URL for your Keycloak instance; Keycloak 17 and newer drop the /auth prefix).
  • Log in with your admin credentials.

Step 2: Create a Client

  • In the left-hand menu, navigate to Clients under your desired realm.
  • Click on the Create button.

Step 3: Configure the Client

  • Client ID: Choose a unique client ID for your application.
  • Client Protocol: Select openid-connect (for OAuth2/OIDC).
  • Root URL: Specify the base URL of your application (optional).

Step 4: Choose the Access Type

Here is where you decide whether the client is public or confidential.

  • Public Client: Disable client authentication (default). This will disable the client secret field.
  • Confidential Client: Enable client authentication. You will need to generate or provide a client secret for this option.

Step 5: Save the Client

After selecting the desired client type and providing all required information, click Save.
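The same public/confidential choice expressed as the JSON the Admin REST API accepts, as an added example that is not part of the original post. It builds a Keycloak ClientRepresentation (the body of POST /admin/realms/{realm}/clients) for each type and audits it for the mistakes a reviewer would flag; client IDs, redirect URIs and the secret are placeholders.

```python
PKCE_ATTR = "pkce.code.challenge.method"  # Keycloak client attribute that enforces PKCE


def client_representation(client_id, redirect_uris, confidential, secret=None):
    """Build a ClientRepresentation; publicClient=True is what the console's
    "Client authentication" toggle turns off, False is the confidential case."""
    rep = {
        "clientId": client_id,
        "protocol": "openid-connect",
        "publicClient": not confidential,
        "standardFlowEnabled": True,       # Authorization Code Flow
        "implicitFlowEnabled": False,      # deprecated flow, keep it off
        "directAccessGrantsEnabled": False,
        "redirectUris": list(redirect_uris),
        "attributes": {},
    }
    if confidential:
        if not secret:
            raise ValueError("confidential clients need a client secret")
        rep["clientAuthenticatorType"] = "client-secret"
        rep["secret"] = secret
    else:
        rep["attributes"][PKCE_ATTR] = "S256"  # require PKCE for public clients
    return rep


def audit_client(rep):
    """Return the misconfigurations found in a client representation."""
    findings = []
    public = rep.get("publicClient", False)
    if public and rep.get("secret"):
        findings.append("public client carries a secret it cannot protect")
    if public and rep.get("attributes", {}).get(PKCE_ATTR) != "S256":
        findings.append("public client does not enforce PKCE (S256)")
    if rep.get("implicitFlowEnabled"):
        findings.append("implicit flow enabled")
    if any(u.endswith("*") for u in rep.get("redirectUris", [])):
        findings.append("wildcard redirect URI")
    if (not public and not rep.get("secret")
            and rep.get("clientAuthenticatorType", "client-secret") == "client-secret"):
        findings.append("confidential client without a secret")
    return findings
```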

When to Use Public vs. Confidential Clients

Scenario                                  | Client Type              | Reason
------------------------------------------|--------------------------|---------------------------------------------------------------------------
Mobile App (iOS, Android)                 | Public                   | Mobile apps can’t securely store secrets; use Authorization Code with PKCE.
Single Page Application (React, Angular)  | Public                   | SPAs running in browsers are vulnerable to reverse engineering.
Backend Service (Java, Node.js, etc.)     | Confidential             | Server-side apps can securely store client secrets.
Machine-to-Machine API communication      | Confidential             | APIs and backends can securely exchange secrets using client credentials.
Desktop App with Secure Storage           | Confidential (sometimes) | If the desktop app has secure storage for secrets, confidential may work.

Conclusion

In summary, public clients are ideal for applications like mobile apps or SPAs that cannot securely store secrets, while confidential clients are suitable for server-side applications that can handle sensitive information. Knowing the difference between these two types of clients helps you secure your applications correctly and ensure proper communication between your app and Keycloak.

By understanding these distinctions, you can now create and configure Keycloak clients that match the security needs of your applications, ensuring safe and efficient user authentication.

I’m Mahesh

Welcome to MaheshNotes, a space on the internet where I like to share my knowledge and experience as a software engineer.