KFed

Reputation: 33

What does Keycloak Java Adapter property "public-client" mean?

According to Keycloak documentation, the Java Adapter has property named public-client described as

If set to true, the adapter will not send credentials for the client to Keycloak

What does this "will not send credentials to Keycloak" actually mean?

Upvotes: 3

Views: 1450

Answers (1)

dreamcrash

Reputation: 51453

In Keycloak you can set a client to be public or confidential (or bearer-only):


From the OAuth 2.0 one can read:

OAuth defines two types of clients: confidential clients and public clients.

Confidential clients are applications that are able to securely authenticate with the authorization server, for example being able to keep their registered client secret safe.

Public clients are unable to use registered client secrets, such as applications running in a browser or on a mobile device.

And in more detail from source one can read:

According to the OAuth 2.0 spec, applications can be classified as either confidential or public. The main difference relates to whether or not the application is able to hold credentials (such as a client ID and secret) securely. This affects the type of authentication the applications can use.

Confidential applications can hold credentials in a secure way without exposing them to unauthorized parties.

If the client is confidential, then it will contain a client secret:


What does this "will not send credentials to Keycloak"

It means that in the requests the client secret will not be sent.

Upvotes: 5
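The following is an added illustration (not Keycloak's adapter code) of what the property changes on the wire: the authorization-code exchange the adapter sends to the token endpoint, built from two constructed keycloak.json-style configurations. The Basic-auth form of client authentication, the sample URLs, secret and the misconfiguration check are assumptions of this example.

```python
"""Added example (not Keycloak's own adapter code): how "public-client"
changes the request sent to Keycloak's token endpoint."""
import base64

# Constructed adapter configurations with sample values.
CONFIDENTIAL_CONFIG = {
    "realm": "demo",
    "auth-server-url": "https://sso.example.test/",
    "resource": "my-backend",
    "credentials": {"secret": "constructed-sample-secret"},
}
PUBLIC_CONFIG = {
    "realm": "demo",
    "auth-server-url": "https://sso.example.test/",
    "resource": "my-spa",
    "public-client": True,
}


def token_endpoint(config):
    base = config["auth-server-url"].rstrip("/")
    return f"{base}/realms/{config['realm']}/protocol/openid-connect/token"


def build_token_request(config, code, redirect_uri):
    """Return (url, headers, form) for exchanging an authorization code.

    Confidential client: the client secret is sent, here as HTTP Basic
    credentials (one of the forms RFC 6749 allows; assumed for this example).
    Public client: no secret is sent; only client_id names the caller.
    """
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": config["resource"],
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    secret = config.get("credentials", {}).get("secret")
    if config.get("public-client", False):
        # Hypothetical sanity check: a public client should not hold a secret.
        if secret:
            raise ValueError("public-client=true but a secret is configured")
        return token_endpoint(config), headers, form
    if not secret:
        raise ValueError("confidential client needs credentials.secret")
    basic = base64.b64encode(f"{config['resource']}:{secret}".encode()).decode()
    headers["Authorization"] = f"Basic {basic}"
    return token_endpoint(config), headers, form
```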
