Reputation: 81
I am currently working on integrating Keycloak with a React front-end and a Ruby on Rails back-end. To adhere to best practices, I have set up two separate clients in Keycloak: one configured as public for the front-end and another as private for the back-end. This approach is recommended in the following discussion: https://keycloak.discourse.group/t/keycloak-js-client-and-confidential-clients/10063/9. Although using Bearer-only mode is not possible, I have chosen the private mode for enhanced security.
In each client, I defined the necessary roles. Using react-oidc-context (https://github.com/authts/react-oidc-context), I successfully established a connection between my front-end and the Keycloak front-end client.
    // react-oidc-context settings for the public front-end client
    const oidcConfig = {
      authority: "http://localhost:8080/realms/SecondRealm",
      client_id: "localApp-frontend",
      redirect_uri: "http://localhost:3000/",
    };
Up to this point, I have learned that I should send my token as 'bearer-only' to my back-end. However, a challenge arises as I cannot fully trust it since it is not signed by any private key (keeping in mind that I am using a public client for the front-end). As a solution, I am contemplating the need to invoke the Keycloak back-end client to obtain a signed token that I can subsequently trust.
Here starts my hypothesis:
I think that a good option at this point may be to use omniauth with keycloak-strategy. If I implement this:
    # OmniAuth middleware using the confidential back-end client and its secret
    Rails.application.config.middleware.use OmniAuth::Builder do
      provider :keycloak_openid, 'localAppBackend', Rails.application.credentials.keycloak_secret,
               client_options: { base_url: '', site: 'http://localhost:8080', realm: 'SecondRealm' },
               name: 'keycloak'
    end
Then I modify my routes:
    get 'auth/:provider/callback', to: 'sessions#create'
    get '/login', to: 'sessions#new'
and implement my session_controller as described in omniauth official documentation:
    class SessionsController < ApplicationController
      def new
        render :new
      end

      def create
        user_info = request.env['omniauth.auth']
        raise user_info # Your own session management should be placed here.
      end
    end
But at this point, my challenge lies in how to make a call to this back-end client and how to identify which user is attempting to access my resource.
This uncertainty has led me to question whether this is the optimal solution. Is there a way to send the roles of the back-end client signed when a user signs in with the Keycloak front-end client?
Upvotes: 2
Views: 206
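For reference, here is the check the Rails back-end would perform on the bearer token before trusting any role in it: validate the RS256 signature against the realm's published JWKS, then the issuer, the audience (the back-end client id) and the expiry, and only then read resource_access.<client>.roles. This is an added example, not code from the question or from omniauth; the issuer URL reuses the realm from the question, the back-end client id 'localAppBackend' is taken from the omniauth snippet, and the realm key, JWKS and token signer are constructed fixtures standing in for Keycloak.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Constructed values, not from the question's Keycloak: realm issuer and the
# back-end client id that must appear in the token's aud claim.
ISSUER   = 'http://localhost:8080/realms/SecondRealm'
AUDIENCE = 'localAppBackend'

def b64url_decode(s); Base64.urlsafe_decode64(s); end
def b64url(s); Base64.urlsafe_encode64(s, padding: false); end

# Build a public key from one JWKS entry (RSA n/e) via the PKCS#1 RSAPublicKey
# DER structure; avoids set_key, which immutable OpenSSL 3 keys reject.
def rsa_key_from_jwk(jwk)
  n = OpenSSL::ASN1::Integer(OpenSSL::BN.new(b64url_decode(jwk['n']), 2))
  e = OpenSSL::ASN1::Integer(OpenSSL::BN.new(b64url_decode(jwk['e']), 2))
  OpenSSL::PKey::RSA.new(OpenSSL::ASN1::Sequence([n, e]).to_der)
end

# Verify a Keycloak RS256 access token against the realm JWKS. Returns the
# claims, or nil on any failure: unknown kid, bad signature, wrong issuer,
# back-end client missing from aud, or expired token.
def verify_access_token(token, jwks, now: Time.now.to_i)
  header_b64, payload_b64, sig_b64 = token.split('.')
  return nil unless sig_b64
  header = JSON.parse(b64url_decode(header_b64))
  return nil unless header['alg'] == 'RS256' # never accept alg=none or HS256
  jwk = jwks['keys'].find { |k| k['kid'] == header['kid'] }
  return nil unless jwk
  digest = OpenSSL::Digest.new('SHA256')
  return nil unless rsa_key_from_jwk(jwk).verify(digest, b64url_decode(sig_b64), "#{header_b64}.#{payload_b64}")
  claims = JSON.parse(b64url_decode(payload_b64))
  return nil unless claims['iss'] == ISSUER
  return nil unless Array(claims['aud']).include?(AUDIENCE)
  return nil unless claims['exp'].to_i > now
  claims
end

# Client roles live under resource_access.<client>.roles in a Keycloak token.
def client_roles(claims, client = AUDIENCE)
  claims.dig('resource_access', client, 'roles') || []
end

# Constructed fixture standing in for the realm: signing key, its JWKS, a signer.
REALM_KEY = OpenSSL::PKey::RSA.new(2048)
def jwks_for(key, kid)
  { 'keys' => [{ 'kty' => 'RSA', 'kid' => kid, 'alg' => 'RS256',
                 'n' => b64url(key.n.to_s(2)), 'e' => b64url(key.e.to_s(2)) }] }
end
def sign_token(key, kid, claims)
  input = "#{b64url(JSON.generate('alg' => 'RS256', 'kid' => kid))}.#{b64url(JSON.generate(claims))}"
  "#{input}.#{b64url(key.sign(OpenSSL::Digest.new('SHA256'), input))}"
end
```

In a real deployment the JWKS comes from the realm's certs endpoint and should be cached and refreshed on an unknown kid.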