Authenticating between realms


I’m looking for some advice on the best way to authenticate one Node.js service with another that uses a different realm.

We have multiple Angular applications and Node.js services that use Keycloak tokens for authentication. Some of our apps/services use a “Public” realm for authentication that has registration enabled, and others use a “Private” realm that has a specific set of users and has access to more services.

This works pretty well until one of our Public services has to talk to a Private service. Since the public realm token wasn’t issued by the ‘Private’ realm, the Keycloak Node.js adapter on the private service will throw an invalid token (wrong ISS) error when validating the public token.

Will our public service have to constantly retrieve/refresh a “private” token using some sort of service account? Or is there a better way?


I believe I have a similar setup, but I am having a hard time envisioning all the issues I may encounter. I have a client in a public realm with IdP A, and I have a client in a private realm with IdP B. They are in different realms, well, because it was thought to be preferred, so we will go with that for now. Both of these clients connect to the same back-end, protected by a different (3rd) Keycloak client. I am thinking of creating a different client for the back-end in each realm, hoping that there is something about the token that identifies where it came from and I can look for the appropriate roles.

Not sure if this is all a sound way to do it.