Hi Everyone,
We have a setup where our Web UI application (Angular SPA) is hosted in AKS and uses MSAL with Azure AD B2C. This flow works correctly when using only B2C.
Recently, we integrated Keycloak as an identity provider into Azure AD B2C (OIDC). For this integration, Azure B2C requires us to register Keycloak’s redirect (callback) URL as a Web platform in the Azure B2C App Registration. When we do this, Azure AD B2C treats the whole application as a confidential client, and it begins expecting a client secret. This breaks our SPA flow, because the main application uses the SPA (public client) platform and should not require any secret.
Current configuration:
- Web UI App → registered as SPA in B2C (works fine)
- Keycloak IdP callback URL → must be added as Web in B2C (forces confidential grant)
- B2C now treats the entire app registration as confidential, which causes MSAL to expect a client secret even though the main app is SPA-based.
Is there any way to add the Keycloak OIDC endpoint / redirect URI to Azure AD B2C as an SPA platform instead of Web, so that:
- Keycloak integration works, and
- the B2C application continues to behave as a public client (no client secret) for our SPA?
Or is there an alternative recommended approach to avoid B2C treating the entire app registration as a confidential client after adding Keycloak?
Any guidance on how to properly configure Azure B2C + Keycloak without forcing a confidential client for an SPA would be greatly appreciated.
Thanks!