I am configuring Keycloak to broker users from Azure AD, with the goal of centrally managing application access and user permissions through Keycloak.
Keycloak is up and running, and I have successfully created a realm and configured Azure AD as an Identity Provider. Using the Azure AD configuration URL, I was able to import the required settings. I have registered an Azure AD application and configured it as a client in Keycloak, with the client secret referenced as ${vault.ID}.
However, when accessing the application, authentication fails with the following error:

ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (executor-thread-31) Unexpected response from token endpoint https://login.microsoftonline.com/eeb/oauth2/v2.0/token. status=401, response={"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided.

Since we are unable to request the client to provide or configure a client secret, I would like to understand:
- What alternative approaches are available to use Keycloak without requiring a client secret?
- Is it possible to register the Keycloak admin or broker URL as a Single-Page Application (SPA) in Azure AD for this use case?
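As an added example that is not part of the post above (nor Keycloak's or Microsoft's own code), the following script parses the broker error line the poster quoted and classifies it, so an operator can alert on token-endpoint failures of the Keycloak identity broker and see at a glance which configuration area to check. The log line is a constructed sample copied from the post (tenant id shortened, JSON body truncated exactly as shown), and the parser handles that truncation by falling back to a regex when the body is not valid JSON. The triage categories and the `RFC6749_ERRORS` table are this example's own assumptions; the error names come from RFC 6749 section 5.2 and the AADSTS code from the post.

```python
"""Triage Keycloak identity-broker token-endpoint failures from log lines."""
import json
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample (hypothetical): the broker error from the post above, with
# the tenant id shortened to "eeb" and the JSON body truncated as the post shows it.
SAMPLE_LOG = (
    "ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (executor-thread-31) "
    "Unexpected response from token endpoint https://login.microsoftonline.com/eeb/oauth2/v2.0/token. "
    'status=401, response={"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided.'
)

# Matches the "Unexpected response from token endpoint ..." message of the broker.
LINE_RE = re.compile(
    r"\[(?P<logger>org\.keycloak\.broker\.[\w.]+)\].*?"
    r"token endpoint (?P<endpoint>\S+?)\.?\s+status=(?P<status>\d{3}),\s*response=(?P<body>.*)$"
)
AADSTS_RE = re.compile(r"AADSTS\d+")

# OAuth 2.0 token-endpoint error codes from RFC 6749 section 5.2 (assumed table).
RFC6749_ERRORS = {
    "invalid_client": "client authentication failed (wrong or missing client_id/secret)",
    "invalid_grant": "authorization code or refresh token rejected",
    "unauthorized_client": "client not allowed to use this grant type",
    "invalid_scope": "requested scope invalid or exceeds what was granted",
    "invalid_request": "malformed token request",
}


@dataclass
class BrokerTokenError:
    logger: str
    endpoint: str
    status: int
    oauth_error: Optional[str]
    description: Optional[str]
    aadsts_code: Optional[str]
    truncated: bool  # True when the JSON body was cut off in the log line


def _parse_body(body: str) -> Tuple[Optional[str], Optional[str], bool]:
    """Extract error/error_description; fall back to regex when the JSON is truncated."""
    try:
        data = json.loads(body)
        if isinstance(data, dict):
            return data.get("error"), data.get("error_description"), False
    except ValueError:
        pass  # truncated or otherwise not valid JSON: scrape the fields instead
    err = re.search(r'"error"\s*:\s*"([^"]*)"', body)
    desc = re.search(r'"error_description"\s*:\s*"([^"]*)', body)
    return (err.group(1) if err else None, desc.group(1) if desc else None, True)


def parse_broker_error(line: str) -> Optional[BrokerTokenError]:
    """Return a structured record for a broker token-endpoint error line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    oauth_error, description, truncated = _parse_body(m.group("body"))
    code = AADSTS_RE.search(description or "")
    return BrokerTokenError(
        logger=m.group("logger"),
        endpoint=m.group("endpoint"),
        status=int(m.group("status")),
        oauth_error=oauth_error,
        description=description,
        aadsts_code=code.group(0) if code else None,
        truncated=truncated,
    )


def triage(err: BrokerTokenError) -> str:
    """Map the failure to the configuration area an operator should check first (assumed categories)."""
    if err.aadsts_code == "AADSTS7000215" or (err.status == 401 and err.oauth_error == "invalid_client"):
        # The IdP rejected the broker's credential: the secret value Keycloak sent
        # (here, whatever the ${vault.ID} reference resolves to) is not accepted by Azure AD.
        return "client-credential-mismatch"
    if err.oauth_error in RFC6749_ERRORS:
        return f"oauth-error:{err.oauth_error}"
    return "unknown"


if __name__ == "__main__":
    parsed = parse_broker_error(SAMPLE_LOG)
    print(parsed)
    print("triage:", triage(parsed) if parsed else "not a broker token error")
```

The "client-credential-mismatch" category is deliberately about the credential Keycloak presents rather than the vault mechanism itself: a 401 invalid_client from the token endpoint means the identity provider saw a client id and secret pair it does not accept, so the first check is what value the vault reference actually resolves to in the realm where the identity provider is configured.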