Is it safe to use the client secret in a public mobile app?

Hello everyone!

I’m currently trying to register/login from my mobile app.
Since I don’t want to use the default Keycloak web pages for these purposes, I found out that I can use the REST API (e.g. Keycloak REST API: Create a New User - Apps Developer Blog).

Next to the blog I found this interesting video: Keycloak login Android using API - YouTube
What he’s doing there is storing the client_secret in his app and proceeding with it from there.

Now I’m asking myself, is it really safe to use the client_secret in a public app?
Could it be a target for attacks?

And if so, what would your advice be for implementing the login/register flow natively in my app?
Thanks!

No, it is not safe.
See also this thread: Custom Login Page with social login (not the one from Keycloak) (Ignore the parts about "social login"; there's a lot of material about why it is important to use the KC login pages)
and this one: The final word on custom login and signup pages

And… it's not the Keycloak REST API, it's the Keycloak ADMIN REST API.
It's meant for administration and management purposes, not for handling user authentication.

Very sad that it isn’t that easily possible :confused:
How about using my backend as a middleman? Maybe a flow like this:

1.) App user registers through a backend call (POST /users/XYZ) with username and password in the request body over a TLS-encrypted connection
2.) Backend (which holds the client secret, since it is trusted) creates the user via the mentioned Keycloak Admin REST API and returns the token to the client.
3.) Every incoming request of the app user includes the token.

In that case I wouldn’t expose the client secret. Would that be a possible alternative?

PS: Thank you for your help!

Then you have a man in the middle scenario, which you also don’t want to (must not) enforce.

Alternatively, use the auth code received by the frontend in a query param after login, send that to the backend, and then send the tokens from the backend to the frontend.

Or, just follow the standards and BCPs, such as OAuth 2.0 for Browser-Based Apps [1]. They usually are right :smile:

[1] draft-ietf-oauth-browser-based-apps-17
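The auth-code-via-backend flow from the last reply, as an added example (not code from the thread or from Keycloak itself): the mobile app forwards the authorization code it received on its redirect URI, and only the backend, which alone holds the client secret, exchanges it at Keycloak's token endpoint. Hostname, realm, client id and the secret value are constructed placeholders, and the HTTP call is injectable so the flow runs offline.

```python
"""Backend-side authorization-code exchange for a public mobile app (added example)."""
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Constructed placeholders; in a real deployment these come from configuration
# and a secret store on the server. The secret never ships inside the app.
KEYCLOAK_BASE = "https://keycloak.example.com"
REALM = "myrealm"
CLIENT_ID = "mobile-app"
REDIRECT_URI = "myapp://callback"
CLIENT_SECRET = "CLIENT_SECRET_PLACEHOLDER"


def token_endpoint(base: str, realm: str) -> str:
    # Keycloak's OpenID Connect token endpoint for a realm.
    return f"{base}/realms/{realm}/protocol/openid-connect/token"


def build_code_exchange(code: str) -> tuple[str, dict, bytes]:
    # Standard authorization_code grant; the client_secret is attached here,
    # on the backend, so the device only ever sees the one-time code.
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return token_endpoint(KEYCLOAK_BASE, REALM), headers, urlencode(form).encode()


def http_post(url: str, headers: dict, body: bytes) -> tuple[int, dict]:
    # Real transport; replaced by a fake in offline tests.
    req = Request(url, data=body, headers=headers, method="POST")
    with urlopen(req, timeout=10) as resp:
        return resp.status, json.loads(resp.read())


def exchange_code_for_tokens(code: str, post=http_post) -> dict:
    """Called by the backend's callback handler with the code sent by the app.
    Returns only the token fields the app needs; the secret is never echoed."""
    url, headers, body = build_code_exchange(code)
    status, payload = post(url, headers, body)
    if status != 200 or "access_token" not in payload:
        # Keycloak reports e.g. invalid_grant for a reused or expired code.
        raise PermissionError(payload.get("error", "token_exchange_failed"))
    wanted = ("access_token", "refresh_token", "expires_in")
    return {k: payload[k] for k in wanted if k in payload}
```

If the backend keeps the refresh token in its own session store and hands the device only the short-lived access token, a stolen device image yields even less.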