Authenticating between realms


I’m looking for some advice on the best way to authenticate one Node JS service with another that uses a different realm.

We have multiple Angular applications and NodeJS services that use Keycloak tokens for authentication. Some of our apps/services use a “Public” realm for authentication that has registration enabled, and others use a “Private” realm that has a specific set of users and has access to more services.

This works pretty well until one of our Public services has to talk to a Private service. Since the public realm token wasn’t issued by the ‘Private’ realm, the Keycloak Node.js adapter on the private service will throw an invalid token (wrong ISS) error when validating the public token.

Will our public service have to constantly retrieve/refresh a “private” token using some sort of service account? Or is there a better way?