Minio's web application is a single apge application.
As far as I can tell it is frontend only and works like a single page application.
That is why when setting up the the client for minio on keycloak.
implicit flow to True.
In that case there is no authorization code - and no client secret.
After auth the access token is sent to minio on the front channel. Still need to verify this happens in querystring.
Implicit flow was designed for frontend only single page applications and hence no back channel request can be made.
The client does not go through the extra backchannel step of echanging the authorization code for the access token by authenticating with the client id.