keycloak-ui VS angular-spa-sample

Yes, but I expect more issues to come. Especially due to the removal of the old admin-console there might be some strange behavior with existing client / realm configurations where the new admin-console works a bit different then the old one..., e.g.: https://github.com/keycloak/keycloak-ui/issues/4450 and many more...

In Keycloak 19 there is a bug in interface that does not allow opening settings for authenticators. Refer to this issue.

We're actually working on a new version of the Administration UI at the moment (I'm one of the devs) so this is useful feedback. We're looking for folks to try it out, so take a look at https://github.com/keycloak/keycloak-admin-ui/.

You can try it out on the latest Keycloak by passing the --features=admin2 flag on startup.

I had to use keycloak in the past as the authentication service for a work app. Keycloak you can pull the docker image and start it up fairly easy. The UI is built in React with Typescript here https://github.com/keycloak/keycloak-admin-ui.

There is a document meant for best practices for browser-based apps such as SPA/PWA, which includes use of code flow.

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-brows...

(disclaimer - co-author)

The catch is that since the client web origin and AS web origin are often different sites, the AS has to actually implement CORS on their token endpoint.

Some implementations unfortunately (perhaps due to a misunderstanding about what CORS is meant to accomplish) make this a per-tenant/per-installation allowlist of origins on the AS.

Auth0 and Ping Identity (my employer) document CORS settings for products. I'm not sure about AWS and you might need to add CORS via API gateway. Azure AD supports CORS for the token endpoint, but they may limit domains in some manner (such as redirect uri of registered clients).

FWIW, I created a demo ages ago (at https://github.com/pingidentity/angular-spa-sample), which by default is configured to target Google for OpenID Connect and uses localhost for local development/testing. It hasn't aged particularly well in terms of library choices, but I do keep it running.

A deployment based on older Angular is also at https://angular-appauth.herokuapp.com to try - IIRC I used a node server just to deal with wildcard path resolution of the index file, but there's otherwise no local logic.

oh well you alrady have a provider then! here is the boilerplate to integrate with ping https://github.com/pingidentity/angular-spa-sample