Client Registration

Clients and why we need one

To use the IDP Kits functionality, we need a client and collect client_id and client_secret. Those credentials will be used by Keycloak to make requests to the IDP Kit, which will in turn ask the user if they want to sign in and check if they are allowed to do so, based on the NFTs they hold in their wallet. After collecting the consent of the user and validating that they are allowed to log in, the IDP Kit will give Keycloak a secret with which it can request information about the authenticated the user.

The exchange of information between the client, which is in our case Keycloak and the authorization server which is the IDP Kit are based on the OpenID Connect standards. I won't go into more detail here, but you can learn more about it in the concept section or watch this great illustrative video from OktaDev, which gives a great overview about OpenID Connect. To understand how the base ideas are then translated to the NFT use case, you can dive into Identity provision via NFTs

Client registration

Now that we know what we need and why we need it, let's go ahead and create our first client. Depending on the situation and personal preference, there are two options available: CLI tool, API.

Register client

To register a new client, we can use the clients register command provided under the OIDC scope of the CLI tool.

idpkit config --oidc clients register -n "myFrontend" -r "http://localhost:8001/realms/NFT/broker/nft/endpoint"

Parameter description

  • -n - Name of the client

  • -r - The redirect URL which should be used in the OIDC flow

Other Options:

  • --all-redirect-uris - Redirect can go to any URL specified in the OIDC flow requests

Why we set a redirect URL?

If we set a redirect URL we can make sure that no other party will be able to use our authentication flow, even if they would get access to our secrets. For our project we set the URL http://localhost:8082/realms/NFT/broker/nft/endpoint as this is the location where Keycloak wants us to redirect the user to. Later if we were to put keycloak into production it would be something like https://{host}/realms/NFT/broker/nft/endpoint. In this case we would need to update our registerd client and reflect the new redirect URL.

Update client

To update an existing client, we can use the clients register command provided under the OIDC scope of the CLI tool and add the -u flag to note that we want to change a client with the specified id.

idpkit config --oidc clients register -n "myFrontend" -r "https://applicationName.com" -u "client_id"

Parameter description

  • -n - Name of the client

  • -r - The redirect URL which should be used in the OIDC flow

  • -u - The ID of the client we would like to update

Learn more CLI tool commands and options.

Last updated