Clients in Keycloak are applications that interact with it for authentication and authorization. Adding a new client registers the application with Keycloak, so that Keycloak can manage every client that will connect to it, including which protocol and which authentication and authorization standard each one uses. In this tutorial, I will show you how to add a new client in Keycloak with basic information.
First, log in to the realm you want to add a new client to, as follows:
Then, in the left menu, click the Clients menu item.
To add a new client, click the Create button on this page. The Add Client page is displayed as follows:
You can import the client's information from a .json file, which defines the client in Keycloak's format, using the Import selection box, or fill it in manually using the Client ID, Client Protocol, and Root URL (optional) fields.
The Client Protocol field offers the 2 protocols that Keycloak supports: OpenID Connect (an extension of the OAuth standard) and SAML (Security Assertion Markup Language). Choose the one that suits your purpose. We can also change the protocol that our application uses after we have created the client in Keycloak.
Assume I now have an Angular application called angular-test, and I want to use Keycloak to manage its authentication and authorization according to the OAuth2 standard. To declare this Angular application in Keycloak, I will fill in its information manually as follows:
Click the Save button, and you will see a message showing that the new client has been created successfully. Depending on which protocol you use for your application, you need to declare additional protocol-specific information. Here, I am using the OpenID Connect protocol for my application, so after creating the client, you will see the following page:
By default, Keycloak creates a new client for the authorization code grant type of OAuth2, so you can see that the Standard Flow Enabled field is ON and the Valid Redirect URIs field is required. For an Angular application running locally, you can configure the Valid Redirect URIs field as follows:
There are many fields that we can configure for a client’s information.
We can enable or disable this client using the Enabled field.
In the authorization code grant type, a consent screen for granting access is displayed after the user logs in; you can turn this consent screen on or off with the Consent Required field.
We can change the theme for the user’s login page using the Login Theme field.
For Access Type, we can choose Public, Credential, or Bearer-only. For Single Page Applications like an Angular app, we will use the Public Access Type, so there is no need to configure a Client Secret.
Keycloak also supports the Implicit Flow (field Implicit Flow Enabled) and Resource Owner Password Credentials (field Direct Access Grants Enabled) grant types of OAuth 2. Switch these fields to ON if you want your client to support these grant types!
For the Client Credentials grant type, you must select Credential as the Access Type; the configuration for this grant type is then displayed through the Service Accounts Enabled field:
And of course, Keycloak also supports the Device Code grant type as you can see in the image above. To enable this grant type, select ON in the OAuth 2.0 Device Authorization Grant Enabled field.
As I said above, we can change the protocol that the client will use in the Client Protocol field. For example, if I choose SAML, you will see the following changes:
After configuring the information for the Client, please click the Save button to save those configurations!
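As an added example (not part of the original tutorial and not Keycloak's own code), the script below reviews a client .json file of the kind the Import box accepts and reports settings from the fields described above that deserve a second look before saving. The sample file and its values are constructed, and `review_client` and `review_json` are hypothetical helper names; the JSON keys are the client-representation fields behind the form fields named in this tutorial.

```python
import json

# Constructed sample: a client file in Keycloak's client JSON format for the
# tutorial's angular-test client, deliberately configured too permissively.
SAMPLE_CLIENT_JSON = """
{
  "clientId": "angular-test",
  "protocol": "openid-connect",
  "publicClient": true,
  "standardFlowEnabled": true,
  "implicitFlowEnabled": true,
  "directAccessGrantsEnabled": true,
  "serviceAccountsEnabled": false,
  "redirectUris": ["*"]
}
"""

def review_client(client: dict) -> list[str]:
    """Return review findings for one OpenID Connect client representation."""
    findings = []
    if client.get("protocol", "openid-connect") != "openid-connect":
        return findings  # SAML clients are configured through different fields
    if client.get("implicitFlowEnabled", False):
        findings.append("Implicit Flow Enabled is ON: tokens are returned in the redirect URL")
    if client.get("directAccessGrantsEnabled", False):
        findings.append("Direct Access Grants Enabled is ON: the application handles user passwords")
    if client.get("publicClient", False) and client.get("serviceAccountsEnabled", False):
        findings.append("Service Accounts Enabled on a Public client: this grant type needs a client secret")
    uris = client.get("redirectUris", [])
    if client.get("standardFlowEnabled", False) and not uris:
        findings.append("Standard Flow Enabled is ON but Valid Redirect URIs is empty")
    for uri in uris:
        # A bare wildcard lets the authorization response go to any address.
        if uri == "*":
            findings.append(f"Valid Redirect URI {uri!r} matches every address")
        elif uri.startswith("http://") and not uri.startswith(("http://localhost", "http://127.0.0.1")):
            findings.append(f"Valid Redirect URI {uri!r} uses plain http outside localhost")
    return findings

def review_json(text: str) -> list[str]:
    """Parse a client .json document and review it."""
    return review_client(json.loads(text))

if __name__ == "__main__":
    for finding in review_json(SAMPLE_CLIENT_JSON):
        print("-", finding)
```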
In this tutorial, I only covered the basic information of a Client created in Keycloak; there are many other settings and configurations. Depending on your needs, please learn more!