I have a SPA (Vue.js) that communicates via REST with a Quarkus Resource API. I am using my own Keycloak for Authentication/Authorization.
I would like to protect my REST Endpoints with Roles so that only an admin can call my /admin endpoint.
I would also like to debug my backend application with Postman.
I have two clients (frontend & backend) in Keycloak in order to achieve this:

Client ID: frontend-client
    Access Type: public
    Standard Flow enabled

Client ID: backend-client
    Access Type: confidential
    Service Accounts enabled
Now my question: Do I really need two clients in KC? It seems to work just fine like this.
The client is authenticated by the frontend-client and then sends the obtained token to my API (which knows the URL to my Keycloak).
Following this guide, I tried with a confidential client and a secret, but I don't see the point of doing so.
Any help is appreciated.
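As an added example (not code from the question or from the guide it mentions), this is how the Quarkus side can act purely as a bearer-token resource server: it verifies the access token the SPA obtained from frontend-client against the realm's JWKS and enforces the role with @RolesAllowed, so no client secret is needed just to validate tokens. Package, class, paths, realm URL and role names are assumptions; the properties assume Quarkus 3 (jakarta.* namespace) with the quarkus-oidc and quarkus-resteasy-reactive extensions.

```java
// application.properties (assumed values, replace with your own realm):
//   quarkus.oidc.auth-server-url=https://keycloak.example.com/realms/myrealm
//   quarkus.oidc.client-id=backend-client
//   quarkus.oidc.application-type=service
//   # Optional but recommended: reject tokens not minted for this API.
//   # Requires an audience mapper on the Keycloak client that issues the tokens.
//   quarkus.oidc.token.audience=backend-client
//
// application-type=service means: no login redirect, token must arrive as
// "Authorization: Bearer <token>", signature is checked via the realm's JWKS.
package org.acme; // hypothetical package

import jakarta.annotation.security.RolesAllowed;
import jakarta.inject.Inject;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.MediaType;
import org.eclipse.microprofile.jwt.JsonWebToken;

@Path("/api")
public class AdminResource {

    // The parsed, signature-verified access token of the current request.
    @Inject
    JsonWebToken jwt;

    // Any caller holding a valid token with the "user" realm role.
    // Keycloak realm roles (claim realm_access.roles) are mapped to
    // security roles by quarkus-oidc by default (assumed default mapping).
    @GET
    @Path("/me")
    @RolesAllowed("user")
    @Produces(MediaType.TEXT_PLAIN)
    public String me() {
        return "hello " + jwt.getName();
    }

    // Only tokens carrying the "admin" realm role reach this method;
    // anyone else gets 403 (or 401 when no/invalid token is presented).
    @GET
    @Path("/admin")
    @RolesAllowed("admin")
    @Produces(MediaType.TEXT_PLAIN)
    public String admin() {
        return "admin endpoint, caller=" + jwt.getName();
    }
}
```

For debugging with Postman, obtain a user token the same way the SPA does (Authorization Code flow against frontend-client) and send it as a Bearer header; backend-client's service account is only needed when a machine rather than a user must call the API.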