Damn, I knew I forgot something... You are totally right, this is missing! Thanks anyway, I'm happy you like it. Hopefully with your comment, people will see this issue with implicit flow.

😍🤩🙏

Same same, but different. ;) "Confidential" is now "Authentication required on" and "public" is "Authentication required off". There's no explicit type for a "Bearer-only" client, as these clients do not necessarily be configured.

@@dasniko but what if I need a client for the backend service which can use already generated token by the frontend?

Authorization Code Grant is possible with public clients, but usage of PKCE is highly recommended (kind of mandatory, from a security perspective, not from the current specs, but it is mentioned in the OAuth2 best practices guide.)

I am still trying to figure out the same thing. From this video, I got the impression that a backend service that has an API that others need to authorize against, can be a bearer-only. While a backend service that wants to call that API, should be confidential, and can then use the client credentials flow (service account in Keycloak) to get authorized. Would be great to have confirmation on that.

@@fortytoo4u If you have a back-end service that receives access tokens as part of a request then that could be a bearer-only client, validating the token against the introspect or userinfo endpoint. If, however, you have a backend service that doesn't receive a token from an http request (e.g. this service reads a message queue and then needs to call other services via rest), this service will need to get a token..in this case the message queue reading service is a confidential client..eg reads message--calls Keycloak as confidential client--receives token--calls other rest services

For mobile apps it is still recommended to use auth code flow with PKCE extension with Chrome Custom Tabs (Android) , it is more secure version of Web Views as app doesn't have an access to Chrome Custom Tabs. You don't want to use browser as user leaves the app context.

@@samiraghayarov6898 thank you ! What about the user experience ? do you have a real example ?

Your public client (SPA) can't deal with authorizations. You'll have to make the request to the backend with the frontend access_token. Backend needs to be confidential client (with e.g. clientid/-secret) and send the received access_token for authorization policy evaluation to Keycloak to get the RPT back.

They are no more available since the new Admin-Ui, as they are not needed, actually.

Keycloak is OIDC. In OIDC spec, JWT format is mandatory.

Keycloak does support this since version 1.x as it is in the OAuth2 spec and Keycloak is OIDC and OAuth2 compliant.

You would probably need to setup a confidential client, since in the case of metamask you're making various backend calls, unlike an SPA. From my understanding, the reason you would use a public client for SPA or mobile, is because the services are built-in, thus not requiring backend calls to reach protected areas.

@@dunebuggy1292 I can create a new confidential client but how to auto login and create user session after user login through metamask from browser is where the problem is.

Which Acces Type do i need for the backend server? Which flow? And is there a rest api so the backend can request the token or pub key?

Frontend (angular) is public client with standard (auth code) grant and pkce enabled Backend is "bearer-only" and doesn't need to be configured in Keycloak. Depending on the library used there, it is self-configuring with the IdP-URL or you have to provide the public key for token verification. Frontend sends the access_token with every request to the backend in Authorization header as Bearer token.