Client to client communication and authorization


I have a scenario, where services interact with each other without any (human) users involved.
I want my service to get feedback from keycloak, whether another client is authorized to access my resources.
For that I have two clients. My client defines resources, scopes, policies and permissions.
When I define roles in the roles tab of my client and try to use them I have the problem that I can’t evaluate the permission, because it seems to be mandatory to either set a user or realm role.
I also tried to evaluate the permission via the token endpoint. That works only as long as a user is involved, too. When I pass a token I got via the client credential grant keycloak answers with “Invalid resource” and says the resource doesn’t exist. Although it exists and the evaluation worked before (with a user). I set the role in the “Service Account Roles” tab of the other client and the role is written in the token I get.
Because this didn’t work I defined a realm role and assigned it to the service account. I get a similiar problem, but the realm role isn’t even in the client token (I also added the realm role mapper).

What do I make wrong here? Or is client to client communication not provided by Keycloak?

Thank you for your time.

Can be deleted.
I figured out that the client scope mappings were configured to not map the roles into the token. I guess there were some tests with the configuration.