Authenticate at backend service as the logged in user

My company is using Keycloak as a SSO solution for multiple applications.

Now, consider the following scenario. There are two applications, App and Service. Each of these is registered as a client within the same Keycloak realm. The user Alice logs into App using the Browser Flow. To serve a use case for Alice, App needs to make calls to the RESTful API of Service.

Currently, App uses a technical user to authenticate itself at Service. Since the request to Service is done in the context of Alice, I would like to use Alice as the authenticating subject at Service.

Since App is in possession of a valid token for Alice, I think this should be possible.
Unfortunately, I could not manage to find out if and how this can be achieved with Keycloak. Could someone give me some pointers to the appropriate mechanism or an example?

Thanks in advance!

Hi,
You can add a mapper of type “audience” to the client configuration of “App”. Then configure this mapper to add the client id of “Service” to the aud claim of the access tokens. This marks the access tokens of “App” as valid for usage with “Service”. “Service” of course should check the existence of this claim when validating the access token.

Cheers, Matthias
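As an added illustration of the Service-side check Matthias describes (example code, not from the thread or from Keycloak itself): once the audience mapper on the "App" client puts Service's client id into `aud`, Service must verify the signature against the realm's JWKS (assumed done by a JOSE library, outside this snippet) and then check the claims below. The client id `service`, realm URL and payload values are constructed for the demo; note that Keycloak emits `aud` as a bare string for one audience and as a list for several.

```python
import base64
import json
import time

# Constructed Keycloak-style access-token payload, as App would present it to
# Service after the audience mapper added "service" to aud. Values are assumed.
SAMPLE_PAYLOAD = {
    "iss": "https://sso.example.com/realms/demo",  # assumed realm URL
    "sub": "alice-uuid",
    "azp": "app",                                   # client the token was issued to
    "aud": ["service", "account"],                  # list form: several audiences
    "typ": "Bearer",
    "exp": 4102444800,                              # 2100-01-01, far in the future
    "preferred_username": "alice",
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_token(payload: dict) -> str:
    """Build a compact JWT with an empty signature segment, for this demo only."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}."

def decode_payload(token: str) -> dict:
    """Decode the payload segment; restores the base64url padding JWTs strip."""
    body = token.split(".")[1]
    body += "=" * (-len(body) % 4)
    return json.loads(base64.urlsafe_b64decode(body))

def check_claims(payload: dict, expected_iss: str, my_client_id: str, now=None):
    """Claim checks Service performs AFTER the RS256 signature was verified.
    Returns (accepted, reason)."""
    now = time.time() if now is None else now
    if payload.get("iss") != expected_iss:
        return False, "wrong issuer"
    if payload.get("typ") != "Bearer":          # reject ID tokens (typ "ID")
        return False, "not an access token"
    if now >= payload.get("exp", 0):
        return False, "token expired"
    aud = payload.get("aud", [])
    if isinstance(aud, str):                    # single audience is a bare string
        aud = [aud]
    if my_client_id not in aud:                 # the point of the audience mapper
        return False, "token not intended for this service"
    return True, "ok"
```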