Applications (clients)
An application (Keycloak client) is anything that authenticates users against the pool: a web app, SPA, mobile app, API, or a SAML service provider.
Register an OIDC app
Section titled “Register an OIDC app”- Ask the assistant: “Register a web app called storefront in acme-prod with redirect URI https://storefront.acme.com/callback.” It stages a dry-run, then applies on confirmation.
- Console: the Clients tab lists your apps.
- Keycloak: Clients → Create client (protocol OpenID Connect).
Public vs. confidential
Section titled “Public vs. confidential”| Type | Use for | Secret |
|---|---|---|
| Public | SPAs, mobile — can’t keep a secret | None; must use PKCE |
| Confidential | Server-side web apps, backends | Server-generated client secret |
Redirect URIs
Section titled “Redirect URIs”- Use exact URIs. Avoid wildcards (
*,/*) — they enable open-redirect and token theft. - The Analyzer flags wildcard redirects (and wildcard CORS web origins).
- Authorization Code + PKCE — the default and correct choice for almost everything.
- Implicit flow — deprecated; don’t enable it.
- Direct access grants (ROPC) — avoid, especially on public clients.
Register a SAML app
Section titled “Register a SAML app”- Ask the assistant: “Register a SAML client for entityID https://sp.acme.com with ACS https://sp.acme.com/saml/acs, NameID username, force POST binding.”
The assistant maps this to a SAML service-provider client with sensible defaults: sign documents on, client signature required, force POST binding, NameID = username. Override any of them in the request. It stages a dry-run before creating the client.
- Keycloak: Clients → Create client (protocol SAML), then set the Master SAML Processing URL and Assertion Consumer Service (redirect) URLs.
Client secrets
Section titled “Client secrets”Confidential clients get a server-generated secret at creation.
- Reveal & copy: the Clients tab → Reveal next to a confidential client, then Copy. Secrets are fetched only on demand, never stored in your browser, and never shown in chat. To rotate a secret, use the Keycloak admin console.