Is it safe to use the client secret in a public mobile app?

Hello everyone !

I’m currently trying to register / login from my mobile app.
Since I don’t want to use the default keycloak webpages for these purposes, I found out that I can use the REST API (e.g. Keycloak REST API: Create a New User - Apps Developer Blog) .

Next to the blog I found this interesting video: Keycloak login Android using API - YouTube
What he’s doing there is to store the client_secret in its app and proceed with it further.

Now I’m asking myself, is it really safe to use the client_secret in a public app ?
Could it be a target for attacks ?

And if yes what would your advice be to implement login register event natively on my app ?
Thanks !

1 Like

No, it is not safe.
See also this thread: Custom Login Page with social login (not the one from Keycloak) (Ignore the parts with „social login“, there‘s a lot of stuff about why it is important to use the KC login pages)
and this one: The final word on custom login and signup pages

And…. It‘s not the Keycloak REST API - it‘s the Keycloak ADMIN REST API.
It‘s meant for administering and management purposes. Not for handling user auths.

Very sad that it isn’t that easily possible :confused:
How about using my backend as a middle man ? Maybe a flow like this:

1.) App user registers through a backend call (POST /users/XYZ) with username and password in request body with a TLS encrypted connection
2.) Backend (which has the client secret since it is trusted) creates the user via the mentioned Keycloak Admin REST API and returns the token to the client.
3.) Every incoming request of the app user includes the token.

In that case I wouldn’t expose the client secret. Would that be a possible alternative ?

PS: Thank you for your help !

Then you have a man in the middle scenario, which you also don’t want to (must not) enforce.