Is Keycloak suitable for server to server authentication

I am working on a project which will mostly do server to server communication. The Auth 'n Auth will be very similar to AWS, where the user will logs in once and generates client id and secret key. We can use Keycloak when the human user logs in to get the credentials.
But I am not clear on how the subsequent request from the server using those credentials(client-id and secret key) would be verified by Keycloak?
Is Keycloak suitable in this scenario?

1 Like

Client credentials flow is for the machine to machine authentication (your server to server).

Thanks, @jangaraj.
As you suggested, I tried the client credentials flow. I have a few follow up queries:

  1. With this flow, the client will have first to fetch the access token and use it in the subsequent requests. And if the access token has expired, fetch a new one. As Keycloak is widely used, I think there would be libraries executing this logic. If you know of any such library, could you please share it?
  2. If we follow this approach, then we need to create new clients dynamically. Is it okay to create new clients for every new user? Up until now, my understanding was that (in a microservice-based architecture) we would create a client for each service.

1.) see Libraries, Products, and Tools | OpenID - used library really doesn’t need to have a “keycloak” in the name - OIDC is a standard, so use any library which implements OIDC properly with desired flow
2.) It sounds like you don’t have machine to machine use case when you are mentioning users now. So incorrect question gives you incorrect answer. So Client credentials flow may not be a correct choice for your use case.

@jangaraj Thanks for sharing the OIDC resources.

Let me clarify the use case with an example.
Let’s say we want to secure AWS S3(or any such service). I first log in to the AWS console and create a client-id and secret-key pair to access a given instance of S3. Then, I will configure those credentials in my microservice.
In this scenario, my microservice(machine) is establishing the connection with S3. It is a machine to machine channel. A human user is involved just to create and configure the credentials.

In this scenario, are the external machines Users or Clients from Keycloak’s perspective? And, how can we establish this set-up in Keycloak?

1 Like

Hi,I’m facing the same case.
Is there any good approach you have found ? :smiley: