I am working on a project which will mostly do server to server communication. The Auth 'n Auth will be very similar to AWS, where the user logs in once and generates a client id and secret key. We can use Keycloak when the human user logs in to get the credentials.
But I am not clear on how the subsequent requests from the server using those credentials (client-id and secret key) would be verified by Keycloak.
Is Keycloak suitable in this scenario?
Client credentials flow is for the machine to machine authentication (your server to server).
Thanks, @jangaraj.
As you suggested, I tried the client credentials flow. I have a few follow-up queries:
- With this flow, the client will first have to fetch the access token and use it in the subsequent requests. And if the access token has expired, fetch a new one. As Keycloak is widely used, I think there would be libraries executing this logic. If you know of any such library, could you please share it?
- If we follow this approach, then we need to create new clients dynamically. Is it okay to create new clients for every new user? Up until now, my understanding was that (in a microservice-based architecture) we would create a client for each service.
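The fetch-cache-refresh logic described in the first bullet above, as an added example (not code from any poster in this thread): a small token source that performs the OIDC client credentials grant against Keycloak's token endpoint and refetches the token shortly before it expires. The base URL, realm name and client credentials are assumed placeholders.

```python
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional

# Assumed placeholders: replace with your Keycloak base URL and realm.
KEYCLOAK_BASE = "https://keycloak.example.com"
REALM = "myrealm"
TOKEN_URL = f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/token"


def fetch_token_http(client_id: str, client_secret: str) -> dict:
    """Client credentials grant (RFC 6749 section 4.4) against Keycloak.

    The client must be a confidential client with service accounts enabled.
    Returns the decoded JSON body ({"access_token": ..., "expires_in": ...}).
    """
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(
        TOKEN_URL, data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class ClientCredentialsTokenSource:
    """Caches the access token and refetches it `leeway` seconds before expiry."""

    def __init__(self, client_id: str, client_secret: str,
                 fetch: Callable[[str, str], dict] = fetch_token_http,
                 leeway: int = 30, clock: Callable[[], float] = time.time):
        self._client_id, self._client_secret = client_id, client_secret
        self._fetch, self._leeway, self._clock = fetch, leeway, clock
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def access_token(self) -> str:
        # Refresh when there is no token or it is inside the expiry leeway window.
        if self._token is None or self._clock() >= self._expires_at - self._leeway:
            data = self._fetch(self._client_id, self._client_secret)
            self._token = data["access_token"]
            self._expires_at = self._clock() + int(data["expires_in"])
        return self._token

    def bearer_header(self) -> Dict[str, str]:
        """Header to attach to each server-to-server request."""
        return {"Authorization": f"Bearer {self.access_token()}"}
```

Pass a different `fetch` callable to swap in an HTTP client of your choice; the receiving service still has to validate the token (signature against the realm's JWKS, issuer, audience and expiry) on its side.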
1.) see Libraries, Products, and Tools | OpenID - the used library really doesn't need to have "keycloak" in the name - OIDC is a standard, so use any library which implements OIDC properly with the desired flow
2.) It sounds like you don't have a machine to machine use case when you are mentioning users now. So an incorrect question gives you an incorrect answer. So the Client credentials flow may not be a correct choice for your use case.
@jangaraj Thanks for sharing the OIDC resources.
Let me clarify the use case with an example.
Let's say we want to secure AWS S3 (or any such service). I first log in to the AWS console and create a client-id and secret-key pair to access a given instance of S3. Then, I will configure those credentials in my microservice.
In this scenario, my microservice (machine) is establishing the connection with S3. It is a machine to machine channel. A human user is involved just to create and configure the credentials.
In this scenario, are the external machines Users or Clients from Keycloak’s perspective? And, how can we establish this set-up in Keycloak?
Hi, I'm facing the same case.
Is there any good approach you have found?