Public client and authorization

Hi!

We currently have a live frontend application that authenticates our AD users against a public client on Keycloak, and it works great. It consumes resources from one of our APIs. The next step would be to set up resource scopes and permissions, but we are not sure how to go about it. I don’t seem to be able to add the authorization tab to a public client. I also don’t seem to be able to log in through the browser if I make the client confidential. Should I have two clients, one public and one confidential? How would that work?

Please advise.

In order to use the client authorization features, the client must be set up as confidential, and the authorization flag needs to be turned on.

I played around with this feature, but I don’t have real world experience with it.

From what I understand, OP does know this; their question was why this is so and how we should get around it.

Currently we have a very similar requirement, so I’m trying to explore the options as well. We have two SPA applications (one for regular users and one for users who are also administrators); they have two public clients in Keycloak to authenticate. We want to be able to distinguish users and only let users who have the administrator role log in to the back-office application, but we cannot do this since this is only available on confidential clients and SPAs are not confidential.
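The pattern the first post asks about (a public client for the browser plus a separate confidential client with Authorization enabled that represents the API) is Keycloak's resource-server model: the SPA keeps logging in through its public client, while the backend, which is the only party that can hold a client secret, submits the user's access token to the realm token endpoint with the `urn:ietf:params:oauth:grant-type:uma-ticket` grant and `audience=<resource-server client id>` to obtain an RPT whose `authorization.permissions` claim lists the resources and scopes Keycloak granted. The example below, added here and not code from the thread or from the Keycloak project, builds that request and evaluates a constructed RPT offline; it also checks `realm_access.roles`, which relates to the role requirement in the second post. The hostname, realm name, client id `my-api`, resource names and all token contents are assumptions, and `decode_claims` does not verify the JWT signature, so a real backend must validate the token against the realm's signing key (or let the Keycloak adapter do so) before trusting any claim.

```python
import base64
import json
from urllib.parse import urlencode

# Assumed deployment values (not from the thread). Older Keycloak releases
# serve realms under a /auth prefix; adjust KEYCLOAK_BASE accordingly.
KEYCLOAK_BASE = "https://keycloak.example.com"
REALM = "demo"
RESOURCE_SERVER_CLIENT_ID = "my-api"   # confidential client with Authorization enabled

UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def build_rpt_request(base_url, realm, resource_server_client_id, user_access_token):
    """Describe the token-endpoint call the backend makes to exchange the
    user's access token (issued via the public SPA client) for an RPT whose
    permissions are evaluated against the confidential resource-server client."""
    return {
        "method": "POST",
        "url": f"{base_url}/realms/{realm}/protocol/openid-connect/token",
        "headers": {
            "Authorization": f"Bearer {user_access_token}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({
            "grant_type": UMA_TICKET_GRANT,
            "audience": resource_server_client_id,
        }),
    }


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def decode_claims(jwt):
    """Return the payload of a compact JWT. The signature is NOT checked here;
    a production backend verifies it before using any claim."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def granted_scopes(claims, resource_name):
    """Scopes Keycloak granted on one resource, read from the RPT's
    authorization.permissions entries (rsid, rsname, scopes)."""
    scopes = set()
    for perm in claims.get("authorization", {}).get("permissions", []):
        if perm.get("rsname") == resource_name:
            scopes.update(perm.get("scopes", []))
    return scopes


def is_permitted(claims, resource_name, scope):
    """Deny by default: only an explicitly listed scope is allowed."""
    return scope in granted_scopes(claims, resource_name)


def has_realm_role(claims, role):
    """Realm roles travel in the access token regardless of client type."""
    return role in claims.get("realm_access", {}).get("roles", [])


def make_unsigned_token(payload):
    """Constructed sample token for offline use only (no signature)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


# Constructed RPT resembling what the token endpoint returns for the grant above.
SAMPLE_RPT = make_unsigned_token({
    "sub": "user-123",
    "aud": RESOURCE_SERVER_CLIENT_ID,
    "realm_access": {"roles": ["user", "administrator"]},
    "authorization": {"permissions": [
        {"rsid": "a1b2", "rsname": "Invoices", "scopes": ["invoices:read"]},
        {"rsid": "c3d4", "rsname": "Reports", "scopes": ["reports:read", "reports:export"]},
    ]},
})

if __name__ == "__main__":
    req = build_rpt_request(KEYCLOAK_BASE, REALM, RESOURCE_SERVER_CLIENT_ID, "<user access token>")
    print(req["method"], req["url"])
    print(req["body"])
    claims = decode_claims(SAMPLE_RPT)
    for resource, scope in [("Invoices", "invoices:read"), ("Invoices", "invoices:write"),
                            ("Reports", "reports:export"), ("Missing", "read")]:
        print(f"{resource}#{scope}: {'allow' if is_permitted(claims, resource, scope) else 'deny'}")
    print("administrator role:", has_realm_role(claims, "administrator"))
```

The browser never sees the confidential client's secret; it only ever talks to the public client, and the API decides per request using the RPT (or the roles already present in the access token). Keep the permission check deny-by-default, as `is_permitted` does, so a resource or scope missing from the token is refused rather than assumed.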