Baeldung / spring-security-oauth

Getting Started with Spring Security OAuth:
http://bit.ly/github-lsso
MIT License

Client secret is passed to/from user browser #293

Closed dbuchwald closed 2 years ago

dbuchwald commented 2 years ago

newClient is defined in Keycloak as "confidential" and client_secret is required to obtain token. This would have made sense if the token was retrieved using direct connection between the client application server and authorization server, because this communication would have never occurred in user browser. However, given how this is currently implemented, client secret is passed to user browser and used in POST operation there, making it insecure. Therefore two changes are required: newClient must be defined as "public" (to prevent client_secret being required by Keycloak to issue token), and the Angular client application must not contain client secret.

Relevant PR will be created shortly.
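The following is an added example written for this issue, not code from the spring-security-oauth project or from the PR. It shows the shape of the fix the comment above asks for: a browser-based client is registered as a public client, so the authorization-code token request it sends carries only `client_id`, and any client configuration that embeds a `clientSecret` is rejected before a request is built. The `tokenEndpoint` and `redirectUri` values, the secret string, and the `assertBrowserSafeConfig` / `buildPublicClientTokenRequest` function names are assumptions made for the example; only the client id `newClient` comes from the issue.

```javascript
// Added example (not the project's code): token request for a public
// OAuth client running in the browser, with a guard that refuses any
// configuration that still embeds a client secret.

const SECRET_KEYS = ['clientSecret', 'client_secret'];

// A browser cannot keep a secret, so a config destined for the browser
// must not contain one. Returns true when the config is clean.
function assertBrowserSafeConfig(config) {
  const leaked = Object.keys(config).filter(
    (k) => SECRET_KEYS.includes(k) && config[k] !== undefined && config[k] !== '',
  );
  if (leaked.length > 0) {
    throw new Error(
      `client config for "${config.clientId}" embeds ${leaked.join(', ')}; ` +
        'a browser client must be registered as public and hold no secret',
    );
  }
  return true;
}

// Build the authorization-code redemption request for a public client.
// The form body identifies the client by client_id only; there is no
// client_secret parameter to leak through the browser.
function buildPublicClientTokenRequest(config, code) {
  assertBrowserSafeConfig(config);
  const params = new URLSearchParams({
    grant_type: 'authorization_code',
    client_id: config.clientId,
    code,
    redirect_uri: config.redirectUri,
  });
  return {
    method: 'POST',
    url: config.tokenEndpoint,
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: params.toString(),
  };
}

// Constructed sample configs (endpoint, redirect URI and secret are
// placeholders, not values from the repository).
const confidentialConfig = {
  clientId: 'newClient',
  clientSecret: 'constructed-secret-value', // the defect: secret shipped to the browser
  tokenEndpoint: 'https://auth.example.test/realms/demo/protocol/openid-connect/token',
  redirectUri: 'https://app.example.test/',
};

const publicConfig = {
  clientId: 'newClient',
  tokenEndpoint: 'https://auth.example.test/realms/demo/protocol/openid-connect/token',
  redirectUri: 'https://app.example.test/',
};

// Stand-alone run: the confidential config is rejected, the public config
// produces a request whose body contains no client_secret.
try {
  buildPublicClientTokenRequest(confidentialConfig, 'sample-code');
} catch (e) {
  console.log('rejected:', e.message);
}
console.log(buildPublicClientTokenRequest(publicConfig, 'sample-code'));
```

Keeping the guard in the request builder rather than in a one-off review step means a secret that is reintroduced later into the browser-side config fails at the first token exchange instead of silently going out on the wire.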

kwoyke commented 2 years ago

Hi @dbuchwald, thanks for the feedback! We'll take a look into this and get back to you.

yadappagol commented 2 years ago

keycloak server is not working

dbuchwald commented 2 years ago

> keycloak server is not working

Can you let me know more details? Is it related to my pull request, or general keycloak issue?

lor6 commented 2 years ago

Thanks @dbuchwald, I'll close this issue now that the PR is merged.