Standard flow and access type

Hi to all, I have a question regarding the access type and the authentication flow.
If I set the access type of a client in a realm to public, I can enable the standard flow (like the implicit flow).
With the standard flow I have to use the code and the client secret to complete the authentication flow.

The problem is that when using “public” as the access type, the Credentials tab is not present, so I don’t have the client secret.

Is this normal?

Thanks!

The standard auth code flow is also possible for public clients. There’s no restriction that a client needs a clientId and secret; only confidential clients need this. Public clients have to be properly configured with valid redirect URIs, and you SHOULD enable and enforce PKCE; this makes it more secure.

Don’t use the implicit flow at all. It’s strongly discouraged, as it is considered insecure as of today’s knowledge.

Thanks for the reply! Maybe I’m missing something. If I configure a client to use the standard flow, then I have to configure my client to send the response type “token code”. Using “token code” I can retrieve from the authorization server only the code and not the access token. With the code and without the secret I can’t retrieve the access token.
For example, using the OIDC debugger site and setting “code” as the response type, I correctly retrieve from my Keycloak server only the code, which I then have to spend again with the authorization server to retrieve the access token. But since I’m a public client I don’t have the secret to use with the code. I don’t know if I’ve explained it well.

Thanks!

Do you have an idea how to enforce the PKCE flow for a public client in Keycloak, please? I’m not able to find any config for that, so I’m curious how to force it. Thanks.

Ok, I’ve searched the internet. Keycloak is already PKCE compliant; you have to select public, standard flow and eventually the Proof Key for Code Exchange Code Challenge Method in the advanced settings. On the client side, the call to Keycloak should include the appropriate parameters like code_challenge.

Thanks for the clarifications.
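The two replies above (standard flow for a public client with PKCE, and the code_challenge parameter the client has to send) describe an exchange that is easier to see in code. The following is an added example, not code from the thread or from the Keycloak project. It assumes a local Keycloak realm named `demo` under `http://localhost:8080`, a public client `my-public-client` and a redirect URI `http://localhost:3000/callback`; the authorization code is a constructed placeholder, and `server_accepts_code_exchange` is a simplified simulation of the check the authorization server performs, not Keycloak’s implementation. It shows why a public client needs no client secret: the token request carries a `code_verifier` instead, and a stolen code without the matching verifier is rejected.

```python
"""Authorization-code flow with PKCE (RFC 7636) for a public client.

Added example; assumed values for realm, client and redirect URI below.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values (not from the thread): Keycloak endpoints live under
# /realms/<realm>/protocol/openid-connect/{auth,token}.
KEYCLOAK_BASE = "http://localhost:8080/realms/demo/protocol/openid-connect"
CLIENT_ID = "my-public-client"
REDIRECT_URI = "http://localhost:3000/callback"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy verifier: 32 random bytes -> 43 unreserved characters."""
    return b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(verifier: str, state: str, nonce: str) -> str:
    """Redirect the browser here. response_type is "code" only (no token)."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{KEYCLOAK_BASE}/auth?{urlencode(params)}"


def build_token_request(code: str, verifier: str) -> dict:
    """Form body for POST .../token from a public client: no client_secret.
    A confidential client ("Client authentication" on) would add one."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code": code,
        "code_verifier": verifier,
    }


def server_accepts_code_exchange(stored_challenge: str, stored_method: str,
                                 token_request: dict) -> bool:
    """Simplified simulation of the server-side PKCE check: the verifier
    presented at /token must hash to the challenge sent to /auth."""
    verifier = token_request.get("code_verifier", "")
    if stored_method != "S256" or not 43 <= len(verifier) <= 128:
        return False
    return secrets.compare_digest(code_challenge_s256(verifier), stored_challenge)


def demo() -> tuple:
    """Run one legitimate exchange and one with a stolen code; returns
    (legitimate_accepted, stolen_accepted)."""
    verifier = make_code_verifier()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    auth_url = build_authorize_url(verifier, state, nonce)
    # The server stores the challenge next to the code it issues; simulate that
    # by reading it back out of the authorize URL.
    q = parse_qs(urlparse(auth_url).query)
    stored = (q["code_challenge"][0], q["code_challenge_method"][0])
    code = "constructed-authorization-code"  # placeholder, not a real code
    legit = build_token_request(code, verifier)
    # Attacker intercepted the code but never saw the verifier.
    stolen = build_token_request(code, make_code_verifier())
    return (server_accepts_code_exchange(*stored, legit),
            server_accepts_code_exchange(*stored, stolen))


if __name__ == "__main__":
    print(demo())  # (True, False)
```

In the Keycloak admin console, setting the client’s code challenge method to S256 makes the server reject authorization requests that omit `code_challenge`, which is what enforcing PKCE for a public client means in practice.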

@nestle2377 already found it… :slightly_smiling_face:
It’s located in “Advanced Settings”:

Hi all,
I am using Keycloak server 21.0.2, and in the client settings I have this regarding the type of the flows:

Currently the tokens are generated using the authentication code generated by Keycloak and the secret key of the client. I don’t see anywhere in the current configuration of this version of the Keycloak server where to configure it as public.

One more question: which configuration settings should be used in order to validate the tokens? How can an application using OpenID validate the tokens that are actually generated by Keycloak?

Thank you in advance.

Click on the question mark at “Client authentication”; there it’s mentioned that if client authentication is on, it’s a confidential client, and if it is off, it’s a public client.

Use a proper OIDC library in your client, which does that for you. Don’t implement it on your own.