Hello,
I am struggling to understand how come you can’t use fine-grained authorization with a public client.
From my understanding of the OAuth2 process, in all cases you will need to ask the authz server (Keycloak) to grant you the correct authorizations. Therefore, why could you only use role-based access control when using public client ?
Confidential clients are applications that are able to securely authenticate with the authorization server, for example being able to keep their registered client secret safe.
Does this mean keycloak will only allow fine-grained authorization after insuring the client is securely authanticated ? If yes, why ?
Thanks !