Keycloak-js confidential client (as negative example!)


I’m trying to set up a demo application for “how not to do OAuth/OIDC”.
It’s a React application with keycloak-js. Is it possible to force it to act as a confidential client?
Are there some parameters I can pass to keycloak.init?

I know that a SPA cannot keep secrets; this is only a bad example to help understand OIDC.



This was possible some time ago, but it was removed for security reasons. It was removed in this PR: Jira says it was fixed in 8.0.0, so before this version it should be working.

