Confusion about public/confidential clients

This might have been asked a lot already. My primary interest in Keycloak is in securing REST backends for javascript single page applications. I have full control over both ends. The easiest way to do this is to use a public client, as this does not require a client secret nor a backchannel. But then I can’t use the UMA and resource protection features, right?

It’s also been said a few times that public clients are discouraged because of security implications. So what is the alternative? Do I need to host a secure backend with the credentials to hand a token to the browser frontend? Or how is all this supposed to work? Most examples seem to be for multi-page applications.

Esential question for SPA: Can the SPA application keep secrets away from malicious users? Answer: No → you have to use public client for the SPA (backend/API is different problem).

I would say that public clients are not discouraged. Only deprecated flows (implicit flow) shouldn’t be used. SPA apps use Authorization Code with PKCE flow with public client usually.


What @jangaraj wrote, plus additionally the fact, that public clients are by design and nature less secure than confidential ones. This is not necessarily a security concern (but might be/become one), but it’s always good to consider that if you run a public client. Adjust your token lifetimes accordingly and take a second and third look at the data you are mapping into the tokens, while they are exposed publicly.


Ok, so if I understand you correctly you are recommending to use a public client with PKCE. But this also means that I can’t use the UMA and resource server access API stuff in keycloak, right? Because for that I would need to set the client to be confidential…