keycloak-scim/topics/access-types.adoc
Bill Burke 64d41decc7 add
2016-04-18 11:15:25 -04:00

21 lines
1.4 KiB
Text
Executable file

[[_access_types]]
= Client Access Types
When you create a Client in admin console you may be wondering what the "Access Types" are.
confidential::
Confidential access type is for clients that need to perform a browser login and that you want to require a client secret when they turn an access code into an access token, (see http://tools.ietf.org/html/rfc6749#section-4.1.3[Access Token Request] in the OAuth 2.0 spec for more details). The advantages of this is that it is a little extra security.
Since Keycloak requires you to register valid redirect-uris, I'm not exactly sure what this little extra security is though.
:) The disadvantages of this access type is that confidential access type is pointless for pure Javascript clients as anybody could easily figure out your client's secret!
public::
Public access type is for clients that need to perform a browser login and that you feel that the added extra security of confidential access type is not needed.
FYI, Pure javascript clients are by nature public.
bearer-only::
Bearer-only access type means that the application only allows bearer token requests.
If this is turned on, this application cannot participate in browser logins.
direct access only::
You would also see a "Direct Access Only" switch when creating the Client.
This switch is for clients that only use the <<_direct_access_grants,Direct Access Grant>> protocol to obtain access tokens.