Hi, I recently found a problem that allowed me to get secrets from public clients.
To do this, I needed to open
http://localhost:8080/auth/realms/master/clients-registrations/default/security-admin-console
where I see a secret field with a value that is in my database.
I did the same actions with other public clients in other realms and I also got their secrets.
Since I can easily change the client type from public to private, this can create a security problem. And while I have not seen any warning not to do this in the documentation, I think that this is normal.
In the specification OAuth 2.0 Dynamic Client Registration Management Protocol I found that the secret should only be returned by confidential clients, and I think this is correct.
Do you think this is a security problem?
Can I hide my secret from Keycloak’s answer?
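To check a realm for the behaviour described above, here is an added audit helper (not part of this post or of Keycloak). It assumes the JSON shape of Keycloak's ClientRepresentation with the fields `clientId`, `publicClient` and `secret`, and runs on constructed sample responses rather than a live server.

```python
# Added audit helper (not Keycloak code). It inspects client representations in the
# JSON shape returned by the client-registration endpoint, assuming the fields
# "clientId", "publicClient" and "secret" as in Keycloak's ClientRepresentation.
import json

# Constructed sample responses: a public client that still carries a secret,
# a public client without one, and a confidential client (a secret is expected there).
SAMPLE_RESPONSES = [
    '{"clientId": "security-admin-console", "publicClient": true, "secret": "public-placeholder"}',
    '{"clientId": "account", "publicClient": true}',
    '{"clientId": "backend-service", "publicClient": false, "secret": "conf-placeholder"}',
]


def parse_client(body: str) -> dict:
    """Parse one JSON client representation, defaulting a missing publicClient to False."""
    rep = json.loads(body)
    rep.setdefault("publicClient", False)
    return rep


def leaks_secret(rep: dict) -> bool:
    """True when a public client representation exposes a client secret.

    Per OAuth 2.0 Dynamic Client Registration Management only confidential
    clients should receive client_secret, so a public client with one is a finding.
    """
    return bool(rep.get("publicClient")) and bool(rep.get("secret"))


def audit(bodies) -> list:
    """Return the clientIds of public clients whose representation carries a secret."""
    return [rep["clientId"] for rep in map(parse_client, bodies) if leaks_secret(rep)]


def scrub(rep: dict) -> dict:
    """Return a copy of the representation with the secret removed for public clients.

    Confidential clients keep their secret unchanged.
    """
    if not rep.get("publicClient"):
        return dict(rep)
    return {k: v for k, v in rep.items() if k != "secret"}


if __name__ == "__main__":
    for client_id in audit(SAMPLE_RESPONSES):
        print(f"public client exposes a secret: {client_id}")
```

Against a real realm, feed `audit` the response bodies fetched from the registration endpoint with a token that has client-registration rights; `scrub` shows the representation a public client should have been given.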