Allow API login through REST API for IdP users

Hello,
Normally we allow our users to authenticate to our REST API via OAuth2: sending a username/password and getting a Bearer token. Now we are thinking of using Keycloak as our Authentication Server, with Identity Providers configured for external customers.
We have the SSO scenario working for clients that use the browser app: they are redirected to their IdP, log in, we get the code and exchange it for a token, just as the documentation describes. Works nicely.

When it comes to the REST API:
For non-IdP users (internal ones) we are OK with the direct grant flow for REST API access, but IdP users shouldn't pass us their username and password, so we can't do the same for them.
What are the options to allow IdP users to access our REST API (without being redirected to the browser login page)?

We are considering:

  • creating a client per IdP to access the REST API (but this would mean individual IdP users wouldn't be able to access it)
  • the IdP user would log in on the IdP server and send the obtained JWT token to our REST API; we would validate it and log the user in to our system

Any best practices or other options?
Thanks!

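The second option above, accepting an IdP-issued JWT as an API login, stands or falls on the validation step: the signature must be checked under the IdP's published key, the algorithm must be pinned by the verifier rather than read from the token, and iss, aud and exp must match what was agreed with that IdP (the aud check is what stops a token issued to some other application from logging into this API). The following Go verifier is an added example, not code from the original post or from Keycloak; the issuer URL, audience and subject are constructed test values, and the IdP's public key is assumed to have been fetched from its JWKS already (a real verifier selects the key by the header's kid).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims checked before an IdP token counts as an API login; encoding/json matches "iss"/"sub"/"aud"/"exp" case-insensitively. aud is a string here, real IdPs may send an array.
type Claims struct {
	Iss, Sub, Aud string
	Exp           int64
}

var enc = base64.RawURLEncoding

// VerifyIdPToken accepts a JWT only if its RS256 signature verifies under the issuer's published key (assumed
// fetched from its JWKS) and iss/aud/exp match what we pinned; the header's alg is ignored so the token cannot downgrade it.
func VerifyIdPToken(tok, iss, aud string, key *rsa.PublicKey, now time.Time) (*Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	sig, err := enc.DecodeString(parts[2])
	d := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, d[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if p, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(p, &c) != nil ||
		c.Iss != iss || c.Aud != aud || now.Unix() >= c.Exp {
		return nil, errors.New("claims rejected: unparsable, wrong issuer/audience, or expired")
	}
	return &c, nil
}

// MintToken plays the external IdP for the demo: it signs constructed claims with the IdP's private key.
func MintToken(priv *rsa.PrivateKey, c Claims) string {
	p, _ := json.Marshal(map[string]any{"iss": c.Iss, "sub": c.Sub, "aud": c.Aud, "exp": c.Exp})
	signing := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc.EncodeToString(p)
	d := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	return signing + "." + enc.EncodeToString(sig)
}
```

Because the verifier never reads the header's alg, an unsigned "alg: none" token and a token signed by any key other than the pinned one both fail at the signature step, before any claim is looked at.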

aww yesss, we have come across this question as well. My current plan is to have multiple API clients per user… but as our users grow that number could become very large indeed!

It feels like I am missing something obvious here.