Public client and authorization


We currently have a live frontend application that authenticates our AD users against a public client on Keycloak, and it works great. It consumes resources from one of our APIs. The next step would be to set up resource scopes and permissions, but we are not sure how to go about it. I don’t seem to be able to add the authorization tab to a public client. I also don’t seem to be able to login through the browser if I make the client confidential. Should I have two clients, one public and one confidential? How would that work?

Please advise.

In order to use the client authorization features the client must be set up as confidential, and the authorization flag needs to be turned on.

I played around with this feature, but I don’t have real world experience with it.
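The two-client layout the question asks about, as an added example that is not part of the original thread and not Keycloak's own code: a public client that the browser app logs in with, and a separate confidential client for the API with the authorization flag turned on, plus an audience mapper so tokens issued to the SPA name the API. Realm name, client IDs, URLs and environment-variable names are assumptions; the field names are those of Keycloak's ClientRepresentation as accepted by the admin REST API.

```python
"""Two-client Keycloak layout for a SPA plus an API (added example).

Assumed (not from the thread): realm "example", client IDs "orders-spa" and
"orders-api", the example.test hostnames and the KEYCLOAK_* env vars.
"""
import json
import os
import urllib.parse
import urllib.request

REALM = "example"              # assumed realm name
SPA_CLIENT_ID = "orders-spa"   # assumed: public client the browser app uses to log in
API_CLIENT_ID = "orders-api"   # assumed: confidential client that owns resources/scopes/permissions


def validate_client(rep):
    """Enforce the rule from the answer: authorization services need a confidential client.

    The resource server has to authenticate to the token endpoint with its own
    credentials (policy evaluation, permission tickets), which a public client
    cannot do, so Keycloak only offers the Authorization tab on confidential clients.
    """
    if rep.get("authorizationServicesEnabled") and rep.get("publicClient"):
        raise ValueError(f"{rep['clientId']}: authorization services require a confidential client")
    return rep


def api_client_representation():
    """Confidential resource-server client: nobody logs in through it."""
    return validate_client({
        "clientId": API_CLIENT_ID,
        "protocol": "openid-connect",
        "enabled": True,
        "publicClient": False,                  # confidential: has a client secret
        "clientAuthenticatorType": "client-secret",
        "serviceAccountsEnabled": True,         # lets the API call the token endpoint as itself
        "standardFlowEnabled": False,           # no browser login against this client
        "directAccessGrantsEnabled": False,
        "authorizationServicesEnabled": True,   # the flag that adds the Authorization tab
        "rootUrl": "https://api.example.test",  # assumed
    })


def spa_client_representation():
    """Public browser client: authorization code flow with PKCE, no secret."""
    return validate_client({
        "clientId": SPA_CLIENT_ID,
        "protocol": "openid-connect",
        "enabled": True,
        "publicClient": True,
        "standardFlowEnabled": True,
        "implicitFlowEnabled": False,
        "directAccessGrantsEnabled": False,
        "redirectUris": ["https://app.example.test/*"],   # assumed
        "webOrigins": ["https://app.example.test"],       # assumed
        "attributes": {"pkce.code.challenge.method": "S256"},
        # Audience mapper: access tokens issued to the SPA carry aud=orders-api,
        # so the API can reject tokens minted for some other client.
        "protocolMappers": [{
            "name": "orders-api-audience",
            "protocol": "openid-connect",
            "protocolMapper": "oidc-audience-mapper",
            "config": {
                "included.client.audience": API_CLIENT_ID,
                "access.token.claim": "true",
                "id.token.claim": "false",
            },
        }],
    })


def admin_token(base_url, username, password):
    """Obtain an admin access token from the master realm via admin-cli."""
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    req = urllib.request.Request(f"{base_url}/realms/master/protocol/openid-connect/token", data=form)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def create_client(base_url, token, rep):
    """POST a client representation; urlopen raises HTTPError 409 if clientId already exists."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{REALM}/clients",
        data=json.dumps(validate_client(rep)).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status  # 201 Created


if __name__ == "__main__":
    base = os.environ.get("KEYCLOAK_URL")  # e.g. https://sso.example.test (assumed)
    if base and "KEYCLOAK_ADMIN" in os.environ and "KEYCLOAK_ADMIN_PASSWORD" in os.environ:
        tok = admin_token(base, os.environ["KEYCLOAK_ADMIN"], os.environ["KEYCLOAK_ADMIN_PASSWORD"])
        for rep in (api_client_representation(), spa_client_representation()):
            print(rep["clientId"], create_client(base, tok, rep))
    else:  # offline: just show the representations that would be posted
        print(json.dumps([api_client_representation(), spa_client_representation()], indent=2))
```

With this split the browser keeps logging in against the public client exactly as it does today, while resource scopes and permissions are defined on the confidential API client. The API verifies `aud` on incoming tokens and, when it needs a decision, asks the token endpoint with `grant_type=urn:ietf:params:oauth:grant-type:uma-ticket` and `audience=orders-api`, authenticating with its own client secret; the SPA never sees that secret.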