22 lines
1.4 KiB
Text
22 lines
1.4 KiB
Text
|
[[_access_types]]
|
||
|
|
= Client Access Types
|
||
|
|
|
||
|
|
When you create a Client in admin console you may be wondering what the "Access Types" are.
|
||
|
|
|
||
|
|
confidential::
|
||
|
|
Confidential access type is for clients that need to perform a browser login and that you want to require a client secret when they turn an access code into an access token, (see http://tools.ietf.org/html/rfc6749#section-4.1.3[Access Token Request] in the OAuth 2.0 spec for more details). The advantages of this is that it is a little extra security.
|
||
|
|
Since Keycloak requires you to register valid redirect-uris, I'm not exactly sure what this little extra security is though.
|
||
|
|
:) The disadvantages of this access type is that confidential access type is pointless for pure Javascript clients as anybody could easily figure out your client's secret!
|
||
|
|
|
||
|
|
public::
|
||
|
|
Public access type is for clients that need to perform a browser login and that you feel that the added extra security of confidential access type is not needed.
|
||
|
|
FYI, Pure javascript clients are by nature public.
|
||
|
|
|
||
|
|
bearer-only::
|
||
|
|
Bearer-only access type means that the application only allows bearer token requests.
|
||
|
|
If this is turned on, this application cannot participate in browser logins.
|
||
|
|
|
||
|
|
direct access only::
|
||
|
|
You would also see a "Direct Access Only" switch when creating the Client.
|
||
|
|
This switch is for clients that only use the <<_direct_access_grants,Direct Access Grant>> protocol to obtain access tokens.
|