we’re evaluating keycloak among other solutions and while the browser/app flow when the user has to login is quite clear, I’m trying to understand if it allows to generate API tokens for server-to-server requests.
What I think would be great is do what AWS does to have users sign ther requests:
- have public/private tokens per user (even multiple ones)
- token don’t have an expiration
- requests can be be signed so can be generated on a server and used by anonymous users in a browser
I don’t think from my low knowledge of OpenID/Oauth that those can provide such approach for API calls. So my question is, can keycloak support such scenario? What’s the OpenID/Oauth way of dealing with server-to-server API calls?
Mentioned AWS key is not intended for server-to-server requests - you are still working with user (not machine) identity, so it isn’t good example.
OIDC provides Client Credentials flow, which you can use for server-to-server communication. It gives you service account identity and it is still standard OIDC token (= stateless verification, expiration, …).
Thanks for helping, so if I want to give an user an API key+secret I have to programmatically create a client and give him the client/secret to make API calls? Don’t do they still have to go through the authorization server (I’m just looking online at the OIDC flow)?
By server-to-server I mean API request on behalf of an user, sorry if I used the wrong words, in that case, is there a better approach?