I’m looking for best practice advice to approach this use case:
2 separate Keycloak instances, 1 resource server protected by one of them.
“Keycloak-east” has a client “resources-east” (authorization services enabled, using UMA2). Resources, scopes, policies, permissions defined there.
“Keycloak-west” has a client/service-account “west-client”.
I want “west-client” to be able to access resources in keycloak-east.resources-east’s arsenal.
The challenge is that “west-client” does not exist in keycloak-east, so off the bat, it can only obtain tokens from keycloak-west.
For an end user (browser flow), it’s simply solved by adding a keycloak.west identity provider in keycloak.east, allowing end users from Keycloak.west to be authenticated in west but accepted/shadowed/mapped/granted local privileges in west.
But I can’t seem to find a standard way to do that with service accounts (“client credentials” flow). I’m looking in the OAuth2/OpenID Connect/Keycloak docs to find the right flow so I don’t have to get crafty and unavoidably create something insecure.