I'm new to Keycloak and OAuth2 and I need your help.
I'm planning to develop a public API so my customers' client applications/services could perform some actions in the system without human interaction. Therefore I need to give them a way to authenticate to the API with a "service account" and an "API key".
I found that the "OAuth2 way" to do it is called "2-legged", and it's actually the client credentials grant type.
I'm trying to understand how to configure Keycloak to achieve that. I found the following Stack Overflow answer, but the author of the answer wrote in a comment: "I haven't worked with Keycloak in a while though, so this approach might be out of date."
As I understand the answer, I need to create a client for each external client with the following configuration:
- Access Type: confidential
- Standard Flow Enabled: OFF
- Direct Access Grants Enabled: OFF
- Service Accounts Enabled: ON
And I need to configure some Scope, which I don't completely understand.
The external client will get the credentials (client ID and a secret) belonging to its specific client. In order to perform requests against the public API, it will ask Keycloak for a valid token and then send the requests with that token to my public API.
My questions are:
Is this the right way to do it using Keycloak?
Is it possible to configure Keycloak in a way that each external client is configured as a user and not as a client in Keycloak, but still supports the client credentials grant type?
How can my public API validate the token? Must I send a request to Keycloak to validate the token, or can I validate it with some certificate?
Please advise, thanks!
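The flow the question describes, as an added example that is not part of the question or of any answer and is not Keycloak's own code: the external client's token request to the realm's token endpoint (client credentials grant), and the API validating the returned bearer token locally by checking signature, issuer, token type, expiry and scope, then reading the calling client's ID from the `azp` claim. The realm URL `https://sso.example.com/realms/partners`, the client ID `acme-backend`, the scope `inventory:read` and the key `constructed-shared-secret` are assumptions. The token is constructed in the script and signed with HS256 so the example runs offline with the standard library only; a real Keycloak realm signs access tokens with RS256 and the API would verify them against the realm's public keys (the `/protocol/openid-connect/certs` JWKS endpoint), but the claim checks are the same.

```python
"""Client credentials grant against Keycloak, plus local validation of the
returned access token.  Added example, not code from the question or from
Keycloak.  The token is constructed locally and signed with HS256 so the
script runs offline; a real realm signs with RS256 and the API would verify
with the realm's public key (JWKS) instead of a shared secret."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

# Assumed values, not from the question.
DEMO_ISSUER = "https://sso.example.com/realms/partners"
DEMO_KEY = b"constructed-shared-secret"  # stands in for the realm signing key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def token_request(base_url: str, realm: str, client_id: str, client_secret: str):
    """Build the POST an external client sends to Keycloak's token endpoint
    for the client credentials grant.  Returns (url, headers, body).
    Older Keycloak versions serve the endpoint under /auth/realms/... instead."""
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    body = urlencode({"grant_type": "client_credentials",
                      "client_id": client_id,
                      "client_secret": client_secret})
    return url, {"Content-Type": "application/x-www-form-urlencoded"}, body


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a JWT with the given claims (simulates what Keycloak returns)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": "demo-key"}
    signing_input = (b64url(json.dumps(header).encode()) + "."
                     + b64url(json.dumps(claims).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_access_token(token, key, issuer, required_scope=None, now=None):
    """Validate a bearer token inside the API, without a round trip to
    Keycloak.  Returns the claims, raises ValueError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # Pin the algorithm; never let the token's own header pick it ("none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("typ") != "Bearer":  # Keycloak marks access tokens this way
        raise ValueError("not an access token")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if required_scope and required_scope not in claims.get("scope", "").split():
        raise ValueError("missing scope " + required_scope)
    return claims


def make_demo_token(now: float, **overrides) -> str:
    """Constructed token shaped like a Keycloak service-account access token:
    azp carries the client id, preferred_username is service-account-<id>."""
    claims = {"iss": DEMO_ISSUER, "typ": "Bearer", "azp": "acme-backend",
              "preferred_username": "service-account-acme-backend",
              "scope": "inventory:read", "iat": now, "exp": now + 300}
    claims.update(overrides)
    return sign_hs256(claims, DEMO_KEY)


def caller_client_id(token: str, required_scope: str, now: float) -> str:
    """What the API does per request: verify, then identify the calling
    client from azp so actions can be authorized and audited per customer."""
    claims = verify_access_token(token, DEMO_KEY, DEMO_ISSUER, required_scope, now)
    return claims["azp"]


if __name__ == "__main__":
    url, headers, body = token_request("https://sso.example.com", "partners",
                                       "acme-backend", "s3cr3t")
    print("POST", url, body)
    now = time.time()
    print("caller:", caller_client_id(make_demo_token(now), "inventory:read", now))
```

Local signature checks answer the last question for the common case: the API needs no call to Keycloak per request, only the realm's public keys. If you need to notice revocation before a token expires, Keycloak also offers the `/protocol/openid-connect/token/introspect` endpoint, at the cost of one request to Keycloak per API call; keeping access tokens short-lived is the usual way to avoid that.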