Hi everyone. I am trying to secure my API gateway service written in NodeJS and my web app UI written in React using the Keycloak authentication and authorization service; both of these are just two sides of a single coin, but I am not able to figure out how I can do so.
I tried following the below pattern:
- I created a realm and a client for my Node app in that realm.
- I then added some resources and scopes in my client.
- In order to make the resource and scope authorization mechanism work, I restricted the access type in my realm to “Confidential”.
Now this works fine, as I can hit the token endpoint via the API server and get the auth tokens and the permission token, which includes the scope, and I am able to authorize a person.
Now, I want to enable the same API authorization via the tokens I get by logging into the web app written in React, which also has Google OAuth signup support. If this were a username/password-only flow, there would be no problem, because I could then directly generate an access token using the username/password and the client_secret of the client for my NodeJS app, and use the same client for both applications.
Since I also require Google OAuth support, I added another client in the same realm (because the access type was required to be “public” in order for a normal user to log into the app), and configured the Google Identity Provider in Keycloak. In order to be able to access Keycloak via the new client, I made the client public, and got the authentication part sorted. Now I am able to authenticate using Keycloak.
The only thing remaining is how I now authorize access to the resources and scopes that I created in the other client. Ultimately, my main goal is to obtain the permission token for the NodeJS client using the access token that I now have for my React app client.
If someone knows of a way in which I can generate what I am looking for, that would be of great help, as I am not able to wrap my head around this situation.
Thank you in advance.
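An added example, not part of the original post, of the exchange the question is asking about: it assumes Keycloak's UMA 2.0 permission grant on the realm token endpoint, with `audience` set to the confidential NodeJS client and the React client's access token sent as the bearer. The client names, URLs and the sample token are constructed placeholders.

```javascript
// Added example (not the poster's code). Assumes Keycloak's UMA grant type
// urn:ietf:params:oauth:grant-type:uma-ticket: the resource server's client id
// goes in `audience`, and the bearer token is the one the React (public)
// client obtained. Names and URLs below are constructed placeholders.

// Build the RPT (permission token) request without sending it.
function buildRptRequest({ keycloakUrl, realm, accessToken, audience, permissions = [] }) {
  const params = new URLSearchParams();
  params.set('grant_type', 'urn:ietf:params:oauth:grant-type:uma-ticket');
  params.set('audience', audience); // client id of the NodeJS resource server
  // Optional: request only specific "resource#scope" pairs instead of all of them.
  for (const p of permissions) params.append('permission', p);
  return {
    // Older Keycloak versions serve the realm under "/auth"; include it in keycloakUrl if needed.
    url: `${keycloakUrl}/realms/${encodeURIComponent(realm)}/protocol/openid-connect/token`,
    headers: {
      Authorization: `Bearer ${accessToken}`,
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: params.toString(),
  };
}

// Send the request (Node 18+ global fetch). The response's access_token is
// the RPT, carrying an "authorization.permissions" claim for the audience client.
async function requestRpt(opts) {
  const { url, headers, body } = buildRptRequest(opts);
  const res = await fetch(url, { method: 'POST', headers, body });
  if (!res.ok) throw new Error(`RPT request failed: ${res.status} ${await res.text()}`);
  return (await res.json()).access_token;
}

// Read the RPT payload and check whether it grants `scope` on `resource`.
// The signature must be verified against the realm's JWKS before the claims
// are trusted; this helper only inspects an already-verified token.
function hasPermission(rpt, resource, scope) {
  const payload = JSON.parse(Buffer.from(rpt.split('.')[1], 'base64').toString('utf8'));
  const perms = (payload.authorization && payload.authorization.permissions) || [];
  return perms.some(p => (p.rsname === resource || p.rsid === resource)
    && (!scope || (p.scopes || []).includes(scope)));
}

// Constructed, unsigned sample RPT so the check above can be exercised offline.
function sampleRpt() {
  const enc = o => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
  const payload = { aud: 'nodejs-api',
    authorization: { permissions: [{ rsname: 'orders', scopes: ['read'] }] } };
  return `${enc({ alg: 'none' })}.${enc(payload)}.`;
}
```

The gateway would call `requestRpt` with the bearer token it receives from the React app, then gate each route with `hasPermission` on the returned RPT.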