Normally we allow our users to authenticate to our REST API by OAuth2: sending username/password and getting a Bearer token. Now we are thinking of using Keycloak as our Authentication Server with Identity Providers configured for external customers.
We have the SSO scenario working for clients that use the browser app: they are redirected to their IdP, log in, we get the code and exchange it for a token, just as the documentation describes. Works nicely.
When it comes to the REST API:
For non-IdP users (internal ones) we are OK with the direct grant flow for REST API access, but IdP users shouldn't pass us a username and password, so we can't do the same.
What are the options to allow IdP users to access our REST API (without being redirected to the browser login page)?
We are considering:
- creating a client per IdP to access the REST API (but this would mean individual IdP users wouldn't be able to access it)
- the IdP user would log in on the IdP server and send the obtained JWT to our REST API; we would validate it and log the user in to our system
Any best practices or other options?
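The second option above only holds up if the API validates the IdP token strictly before mapping it to a local login. The following is an added example (not from the original post, and not Keycloak code) of the checks a resource server should perform: pin the algorithm, select the key by a configured issuer, verify the signature, then check audience and expiry. The issuer, audience and shared secret are constructed; a real IdP signs with RS256/ES256 and you would load its public key from the JWKS endpoint instead of an HMAC secret, which is used here only so the block runs offline.

```python
import base64, hashlib, hmac, json, time

# Constructed per-IdP configuration keyed by issuer. In production the "key"
# would be the IdP's public key fetched from its JWKS URL, not an HMAC secret.
IDP_CONFIG = {
    "https://idp.example-customer.test": {      # hypothetical issuer
        "key": b"constructed-shared-secret",    # stands in for the IdP public key
        "audience": "our-rest-api",             # hypothetical audience claim
    },
}

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def validate_idp_token(token: str, now=None) -> dict:
    """Return verified claims or raise ValueError.
    Order: pinned alg -> known issuer -> signature -> audience -> expiry."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
    except Exception as e:
        raise ValueError("malformed token") from e
    if header.get("alg") != "HS256":          # pin the alg; never let the token choose (e.g. "none")
        raise ValueError("unexpected alg")
    idp = IDP_CONFIG.get(claims.get("iss"))    # issuer selects the key; unknown issuer is rejected
    if idp is None:
        raise ValueError("unknown issuer")
    expected = hmac.new(idp["key"], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    aud = claims.get("aud")
    if idp["audience"] not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this API")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

def mint_test_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Helper to build tokens the way the hypothetical IdP would (for testing only)."""
    h = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"
```

Only after `validate_idp_token` returns should the API map `sub` (or a configured claim) to a local account; a token that fails any check is treated as unauthenticated.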