Is there any way to have confidential clients using javascript-adapter

I am very aware that you can’t store your secret on a front end app; however, is there any way to work around this and still have the benefits while using the javascript adapter?

I’m guessing using the JWT token option leads to the same issue.

I’ve read about using 2 different clients, one as a confidential admin and the other as a public client. Although I don’t see how it is any better, as the secret will still be held publicly, just in a different location.

Should I look deeper into this, or are there any other workarounds?

Thanks

The OpenID Connect protocol has a special case for javascript apps running on the browser.

You can use a public client and it basically works the same in the end.

It is advisable to use PKCE.

Not sure if I got what you meant here. Do you want to use the Keycloak admin API from your javascript app in the browser? If that is so, it’s not a good idea to keep the admin client secret at the client.

PKCE seems to be the solution!

Thanks
