sancho21

Reputation: 3643

How to combine bearer-only and client_credentials in Keycloak?

I have a backend API server which was initially in bearer-only mode, accepting tokens from the FE. Now there's a need for the server to call another service in the same Keycloak realm, whose grant type is usually client_credentials.

User -> FE server --(bearer only)--> BE server --(client credential)--> Other service

The question is, how to combine bearer-only and client credentials in the BE server? Do I have to define 2 clients in the Keycloak realm for the same BE (one is bearer-only, the other one is client credentials)?

Upvotes: 0

Views: 1584

Answers (1)

Chris Savory

Reputation: 2755

We have solved this with two separate clients in Keycloak.

Client #1 (token is generated from SPA client and used for Bearer Auth)

  • Access Type: Public

Client #2 (for server to server)

  • Access Type: Confidential
  • Service Accounts: On
  • On the Service Account Roles Tab: define which roles that token will get

EDIT:

On the Spring side, you just need to reference Client #2 when setting up your Keycloak AdapterDeploymentContext in your security config class. That is because any token generated by Client #1 or Client #2 will be an SSO token, and your Spring backend will point back to the realm for token verification.

Upvotes: 2
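The two halves of the answer above (the backend obtaining its own token from Client #2 with client_credentials, and the same backend accepting inbound bearer tokens from either client because it verifies against the realm, not against one client) as an added Python example; this is not code from the answer or from Keycloak's adapters, and the host, realm name, client ids and the azp allowlist are assumptions. Signature verification against the realm's JWKS is assumed to happen before `accept_bearer` is called.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Assumed values: Keycloak host, realm name and the two client ids from the answer.
KEYCLOAK = "https://keycloak.example.com"
REALM = "myrealm"
ISSUER = f"{KEYCLOAK}/realms/{REALM}"
TOKEN_URL = f"{ISSUER}/protocol/openid-connect/token"
BEARER_CLIENT = "spa-public"        # Client #1: public, tokens arrive from the FE
SERVICE_CLIENT = "backend-service"  # Client #2: confidential, service account on


def client_credentials_request(client_id, client_secret):
    """Build the POST that Client #2 sends to the realm token endpoint."""
    form = {"grant_type": "client_credentials",
            "client_id": client_id, "client_secret": client_secret}
    return TOKEN_URL, urllib.parse.urlencode(form).encode()


def fetch_service_token(client_id, client_secret):
    """Obtain the access token the BE uses to call the other service (network call)."""
    url, body = client_credentials_request(client_id, client_secret)
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)["access_token"]


def unverified_claims(jwt):
    """Decode the payload segment only; the signature must already be checked against the realm JWKS."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def accept_bearer(claims, now=None):
    """Realm-level check applied to every inbound bearer token, whichever client issued it."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:    # token must come from this realm
        return False
    if claims.get("exp", 0) <= now:    # expired
        return False
    # azp names the client the token was issued to; only the realm's own two clients may call us
    # (assumed hardening on top of the realm check described in the answer).
    return claims.get("azp") in {BEARER_CLIENT, SERVICE_CLIENT}
```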
