Skip to content

Applications (clients)

An application (Keycloak client) is anything that authenticates users against the pool: a web app, SPA, mobile app, API, or a SAML service provider.

  • Ask the assistant: “Register a web app called storefront in acme-prod with redirect URI https://storefront.acme.com/callback.” It stages a dry-run, then applies on confirmation.
  • Console: the Clients tab lists your apps.
  • Keycloak: Clients → Create client (protocol OpenID Connect).
Type Use for Secret
Public SPAs, mobile — can’t keep a secret None; must use PKCE
Confidential Server-side web apps, backends Server-generated client secret
  • Use exact URIs. Avoid wildcards (*, /*) — they enable open-redirect and token theft.
  • The Analyzer flags wildcard redirects (and wildcard CORS web origins).
  • Authorization Code + PKCE — the default and correct choice for almost everything.
  • Implicit flow — deprecated; don’t enable it.
  • Direct access grants (ROPC) — avoid, especially on public clients.

The assistant maps this to a SAML service-provider client with sensible defaults: sign documents on, client signature required, force POST binding, NameID = username. Override any of them in the request. It stages a dry-run before creating the client.

  • Keycloak: Clients → Create client (protocol SAML), then set the Master SAML Processing URL and Assertion Consumer Service (redirect) URLs.

Confidential clients get a server-generated secret at creation.

  • Reveal & copy: the Clients tab → Reveal next to a confidential client, then Copy. Secrets are fetched only on demand, never stored in your browser, and never shown in chat. To rotate a secret, use the Keycloak admin console.