Keycloak Client Configuration
The Sovereign Gateway for Applications
A Client in Keycloak is the "Sovereign Gateway" for an individual application or service. It represents the cryptographically defined relationship between your code and the identity provider. Whether you are securing a modern Single Page App (SPA) via OIDC with PKCE, a legacy enterprise tool via SAML 2.0, or a backend service via Client Credentials, Client configuration is where you define the specific "Truth" that each app receives. For the IAM architect, configuring clients is about enforcing Least Privilege Scopes and ensuring that sensitive user tokens are never leaked to unauthorized consumers.
The Client Integration Matrix
Designing for clients requires choosing the right access type and protocol for the application's nature.
Strategic Integration Profiles
| Profile | Strategic Responsibility | IAM Implementation |
|---|---|---|
| Public OIDC (SPA) | Browser-based Security. | Uses Authorization Code Flow + PKCE; no client secret, because a secret shipped to the browser cannot be kept confidential. |
| Confidential OIDC | Server-side Security. | Uses a Client Secret; ideal for backend apps and web servers that can protect it. |
| Bearer-Only | API Protection. | The client does not initiate login; it only validates tokens issued to other clients. |
| SAML 2.0 Client | Legacy Enterprise. | XML metadata exchange; handles roles and attributes via SAML assertions. |
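The matrix above reads as a policy: a public client must rely on PKCE and never carry a secret, a bearer-only client never initiates login, and every profile should register only exact, HTTPS redirect URIs. The following added example (not Keycloak code and not from this page's project) encodes those rules as checks over a Keycloak client representation in the JSON export shape. The field names (`clientId`, `publicClient`, `bearerOnly`, `redirectUris`, `webOrigins`, `implicitFlowEnabled`, `directAccessGrantsEnabled`, `attributes`) are Keycloak's client-representation keys; the severity thresholds and the second, deliberately weak sample client are this example's own.

```python
"""Policy checks over a Keycloak client representation (JSON export shape).

Added example, not Keycloak's code. The rules below are this example's own
reading of the integration matrix; the field names are Keycloak's.
"""
import json

# Constructed sample: the public SPA client described on this page.
GOOD_CONFIG = json.loads("""
{
  "clientId": "sovereign-frontend-app",
  "publicClient": true,
  "protocol": "openid-connect",
  "redirectUris": ["https://app.sovereign.corp/*"],
  "webOrigins": ["https://app.sovereign.corp"],
  "attributes": {"pkce.code.challenge.method": "S256", "access.token.lifespan": "300"},
  "defaultClientScopes": ["profile", "email", "roles"]
}
""")

# Constructed sample: a public client with the settings the matrix warns against.
WEAK_CONFIG = {
    "clientId": "legacy-spa",
    "publicClient": True,
    "implicitFlowEnabled": True,
    "redirectUris": ["*"],
    "webOrigins": ["*"],
    "attributes": {},
}


def profile_of(client: dict) -> str:
    """Map a client representation onto a row of the integration matrix."""
    if client.get("bearerOnly"):
        return "bearer-only"
    if client.get("publicClient"):
        return "public"
    return "confidential"


def check_redirect_uris(uris: list[str]) -> list[tuple[str, str]]:
    """Redirect URIs are the boundary that keeps authorization codes at home."""
    findings = []
    for uri in uris:
        if uri.startswith("*"):
            findings.append(("error", f"redirect URI {uri!r} matches any origin"))
            continue
        if not (uri.startswith("https://") or uri.startswith("http://localhost")):
            findings.append(("error", f"redirect URI {uri!r} is not https"))
        if uri.endswith("*"):
            findings.append(("warn", f"redirect URI {uri!r} uses a trailing wildcard; prefer exact callback paths"))
    return findings


def check_client(client: dict) -> list[tuple[str, str]]:
    """Return (severity, message) findings; an empty list means the client passes."""
    findings: list[tuple[str, str]] = []
    profile = profile_of(client)
    attrs = client.get("attributes", {})

    if profile == "public":
        if attrs.get("pkce.code.challenge.method") != "S256":
            findings.append(("error", "public client must enforce PKCE with S256"))
        if client.get("secret"):
            findings.append(("error", "public client carries a secret that a browser cannot protect"))
        if client.get("implicitFlowEnabled"):
            findings.append(("error", "implicit flow returns tokens in the URL fragment; disable it"))
        if client.get("directAccessGrantsEnabled"):
            findings.append(("warn", "direct access grants hand user passwords to the app; prefer the code flow"))

    if profile == "bearer-only":
        if client.get("redirectUris"):
            findings.append(("warn", "bearer-only client never initiates login; redirect URIs are unused"))
    else:
        findings += check_redirect_uris(client.get("redirectUris", []))

    if "*" in client.get("webOrigins", []):
        findings.append(("error", "webOrigins '*' permits CORS requests from any origin"))

    lifespan = attrs.get("access.token.lifespan")
    if lifespan is not None and int(lifespan) > 900:
        findings.append(("warn", f"access token lifespan {lifespan}s is long for a browser client"))
    return findings


if __name__ == "__main__":
    for cfg in (GOOD_CONFIG, WEAK_CONFIG):
        print(cfg["clientId"], profile_of(cfg))
        for severity, message in check_client(cfg):
            print(f"  [{severity}] {message}")
```

Run against the page's own SPA client the only finding is the trailing-wildcard warning on `redirectUris`; the weak client produces errors for missing PKCE, implicit flow, a wildcard redirect URI and a wildcard web origin. The checks are cheap enough to run in CI over a realm export before it is imported.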
The Application Onboarding Flow
Integrating an app with Keycloak follows a "Define-Exchange-Authorized" path.
```mermaid
graph LR
  Define[Define Client & Scopes] --> Exchange[Metadata / Secret Exchange]
  Exchange --> Token[Token Issuance & Validation]
```
1. **Define the Sovereign Scope**
   Configure the **Client ID** and **Access Type**. Crucially, define the "Client Scopes." These determine which user attributes (Email, Groups, Profile) are included in the token. Use "Optional Scopes" so that the app only receives the data it explicitly asks for at runtime.
2. **Secure Metadata Exchange**
   Configure the **Valid Redirect URIs**. This is your primary defense against "Authorization Code Injection" attacks. The App and Keycloak exchange OIDC discovery data (the `.well-known` endpoint) or SAML XML metadata to establish the cryptographic handshake parameters.
3. **Protocol-Aware Token Issuance**
   The app initiates the auth flow. Keycloak validates the request, challenges the user, and issues the tokens. In the Client config, you can customize the **Protocol Mappers**, computing custom claims or roles so that the JWT format matches exactly what your application expects.
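The exchange and issuance steps above turn on two checks: the PKCE challenge that binds the authorization code to the browser that requested it, and the redirect-URI match that decides where that code may be delivered. The following added example (this page's own illustration, not Keycloak's code) implements both sides of PKCE with S256 in standard-library Python and builds the authorization request a public client would send. The issuer URL and callback path are constructed; the client id and registered redirect pattern are taken from the conceptual config on this page; the redirect-URI rule is a simplified mirror of Keycloak's documented matching (exact match, or prefix match when the registered URI ends in `*`), and the helper names are this example's own.

```python
"""PKCE (S256) and redirect-URI checks for the onboarding flow described above.

Added example, not Keycloak's code. ISSUER is constructed; the client id and
registered redirect pattern come from this page's conceptual client config.
"""
import base64
import hashlib
import secrets
from urllib.parse import urlencode

ISSUER = "https://id.sovereign.corp/realms/sovereign"   # constructed realm issuer
CLIENT_ID = "sovereign-frontend-app"                     # from the page's config
REGISTERED_REDIRECTS = ["https://app.sovereign.corp/*"]  # from the page's config


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: a high-entropy verifier (32 random bytes encode to 43 chars)."""
    return b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Server side, at the token endpoint: recompute and compare in constant time."""
    return secrets.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


def redirect_uri_allowed(requested: str, registered: list[str]) -> bool:
    """Exact match, or prefix match when the registered URI ends in '*'."""
    for pattern in registered:
        if pattern.endswith("*"):
            if requested.startswith(pattern[:-1]):
                return True
        elif requested == pattern:
            return True
    return False


def build_authorization_url(redirect_uri: str, verifier: str, state: str,
                            scopes=("openid", "profile", "email")) -> str:
    """Authorization request: the browser carries the challenge, never the verifier."""
    # Keycloak enforces this server-side; checking locally fails fast on a misconfigured app.
    if not redirect_uri_allowed(redirect_uri, REGISTERED_REDIRECTS):
        raise ValueError(f"redirect_uri {redirect_uri!r} is not registered for {CLIENT_ID}")
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    # /protocol/openid-connect/auth is Keycloak's OIDC authorization endpoint.
    return f"{ISSUER}/protocol/openid-connect/auth?{urlencode(params)}"


if __name__ == "__main__":
    verifier = make_code_verifier()
    state = b64url(secrets.token_bytes(16))
    print(build_authorization_url("https://app.sovereign.corp/callback", verifier, state))
    # At the token endpoint the server recomputes the challenge from the verifier it receives.
    print(verify_pkce(code_challenge_s256(verifier), verifier))
```

The verifier stays in the browser's memory until the code is redeemed, so an authorization code captured in transit cannot be exchanged for tokens without it. The `redirect_uri_allowed` check also shows why a trailing wildcard is only a prefix match: `https://app.sovereign.corp.evil.example/` does not start with `https://app.sovereign.corp/`, but anything under the registered path does, which is why narrower registrations are preferable.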
Technical Client Implementation
Configuring a 'Public' client for a React app using PKCE is the modern standard for web security.
OIDC Client Config (Conceptual JSON)
```json
{
  "clientId": "sovereign-frontend-app",
  "publicClient": true,
  "protocol": "openid-connect",
  "redirectUris": ["https://app.sovereign.corp/*"],
  "webOrigins": ["https://app.sovereign.corp"],
  "attributes": {
    "pkce.code.challenge.method": "S256",
    "access.token.lifespan": "300"
  },
  "defaultClientScopes": ["profile", "email", "roles"]
}
```
Client Implementation Guides
Master the technical ceremonies of application integration and scope management.
- **PKCE Deep Dive**: Understanding the 'Proof Key for Code Exchange' required for secure public clients.
- **SAML Assertions**: Mapping Keycloak user attributes to the XML claims required by legacy SAML service providers.
- **Internal Client Scopes**: Designing reusable scopes that can be shared across multiple applications in a realm.
- **Gateway Integration**: Using Keycloak as the 'Sovereign Issuer' for tokens validated at your API Gateway.
Next Steps
- Explore Keycloak Client Management Guide.
- Review OIDC Specification for technical details.
- Check Client Audit Logs for monitoring token issuance events.