I'm new to security and I'm trying to understand how to implement proper security without any overkill.
Below are my questions.
What about controlling the origin of the requests on your resource-server (CORS configuration)? That is not specific to OAuth2 (yet compatible) and aims at just that: filtering which origins (host + port) can access which resource location (URL).
There is a notion of confidential client in Keycloak where the client must provide a password in addition to the client-id to exchange authorization codes for access-tokens, but this does not apply to clients running on devices you cannot trust (Angular, Vue, React, native mobile apps, etc.): the code can be reverse-engineered to read that password.
OAuth2 comes with much more than just easing multi-client scenarios. You should read this article for a refresher on
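The origin filtering described above (which origins may call which resource locations), as an added example that is not part of the original answer: a dependency-free allowlist check for a resource server, written as a pure function so it can sit in front of any Node HTTP framework's handlers. The origins, paths and the `localhost:4200` Angular dev server are constructed for the example, not taken from the page. The point it makes beyond the text is that the lookup must be an exact match on the full origin (scheme + host + port as the browser sends it); a `startsWith`/`includes` comparison would let `https://app.example.com.evil.com` through.

```javascript
// Added example (not code from the original answer): an origin allowlist for a
// resource server. All origins and path prefixes here are constructed.
const ALLOWED = {
  // origin (scheme + host + port, exactly as the browser sends it) -> path prefixes it may call
  'https://app.example.com': ['/api/'],
  'http://localhost:4200': ['/api/'],   // assumed Angular dev server
};

// Normalise an Origin header. A browser sends scheme://host[:port] with no path,
// so anything else (including the literal "null" sent from sandboxed/opaque
// origins) is rejected. URL.origin lower-cases and strips default ports, so
// "https://app.example.com:443" and "https://app.example.com" compare equal.
function normalizeOrigin(raw) {
  if (typeof raw !== 'string') return null;
  let u;
  try { u = new URL(raw); } catch { return null; }
  if (u.pathname !== '/' || u.search || u.hash || u.username) return null;
  return u.origin;
}

// Decide which CORS headers (if any) to send for a request.
// Returns null when the origin is not allowed for that path; the caller then
// sends no Access-Control-* headers at all and the browser blocks the response.
function corsHeadersFor({ origin, method, path }) {
  const o = normalizeOrigin(origin);
  if (o === null) return null;
  const prefixes = ALLOWED[o];             // exact key lookup, never startsWith/includes on the origin
  if (!prefixes || !prefixes.some(p => path.startsWith(p))) return null;
  const headers = {
    'Access-Control-Allow-Origin': o,      // echo the matched origin, never '*'
    'Vary': 'Origin',                      // shared caches must not reuse this across origins
  };
  if (method === 'OPTIONS') {              // preflight: advertise what the allowed origin may do
    headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE';
    headers['Access-Control-Allow-Headers'] = 'Authorization, Content-Type';
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

// Minimal usage: plug into a Node http server (the server itself is not started here).
function applyCors(req, res) {
  const h = corsHeadersFor({ origin: req.headers.origin, method: req.method, path: req.url });
  if (h) for (const [k, v] of Object.entries(h)) res.setHeader(k, v);
  return h !== null;
}
```

`Access-Control-Allow-Credentials` is deliberately not set: with bearer tokens the access token travels in the `Authorization` header, so cookies never need to cross origins, and leaving credentials off removes the most common CORS misconfiguration (reflecting an arbitrary origin together with credentials).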