I have the following setup: First, a single-page application (let's say an Angular app) that shows some user information (e-mail, name). Second, a backend service (e.g. Spring Boot) that allows or denies access to users based on fine-grained permissions, NOT only roles.
In order to have fine-grained permission support I want to use the authorization concept that Keycloak defines (which defines resources, scopes, policies and permissions). To use this feature the client has to be confidential. However, the frontend has to be a public client, since it is a single-page application.
Do I need two clients (public for the frontend and confidential for the backend)? After having fetched the token in the frontend (public client), how do I get the corresponding permissions of that user in the backend service? Obviously, the user shouldn't have to log in again.
Maybe someone can help me with the security concept for my architecture. Which flows should I use and which clients do I have to define?