Keycloak with OAuth2 client credentials grant to authenticate external clients (services/applications) to my public API

As I understand it, the OAuth2 client credentials grant type should be used in a case where some client app/service needs access to some resource without user interaction.

This sounds good also in a case where the client is an external client and the resource service is a public API service.

Please correct me if I’m wrong, or if there is a “better” or more “standard” way.

I’m trying to find some resource that explains how to use Keycloak for such a case, but the only one I found is this Stack Overflow answer.

As I understand, I need to create a client for my public API service with “Service Accounts Enabled: ON”, and a bearer-only client for each external client that wants to access the public API. Am I right?

Please advise. Thanks!

Yes, you are correct. The client credentials grant with a confidential client with service accounts enabled is the right way to obtain tokens on behalf of a service (non-human).


Would there be any recommendation for a simple Java library that fetches the tokens?
I’m running on a simple Java (“void main”) application with picocli, and would like to get the service account tokens, and then use them to access my resource server…
I’ve been searching for days on an easy way to do this, but all solutions are integrated on some kind of framework… haven’t found a simple one yet.
I’m now trying pac4j, but it’s feeling like another dead end… 🙁

Thanks for any help.

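The token fetch the last post asks about needs no framework: the JDK's `java.net.http` client can POST the client credentials grant to the realm's token endpoint directly. This is an added example, not code from the thread or from Keycloak; the Keycloak URL, realm, client id, `KC_CLIENT_SECRET` environment variable and API URL are assumed placeholders, and the client is assumed to be a confidential client with service accounts enabled, as the accepted answer describes.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Plain-JDK client_credentials token fetch against Keycloak (no framework needed). */
public class ServiceAccountTokenClient {
    // Assumed values: Keycloak base URL and realm, plus the confidential client's id.
    // The secret comes from the environment so it is not committed with the code.
    static final String TOKEN_URL = "https://keycloak.example.com/realms/myrealm/protocol/openid-connect/token";
    static final String CLIENT_ID = "external-client";
    static final String CLIENT_SECRET = System.getenv("KC_CLIENT_SECRET");
    static final HttpClient HTTP = HttpClient.newHttpClient();

    static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }

    /** POSTs grant_type=client_credentials to the realm token endpoint and returns the access token. */
    static String fetchAccessToken() throws Exception {
        String form = "grant_type=client_credentials&client_id=" + enc(CLIENT_ID)
                    + "&client_secret=" + enc(CLIENT_SECRET);
        HttpRequest req = HttpRequest.newBuilder(URI.create(TOKEN_URL))
            .header("Content-Type", "application/x-www-form-urlencoded")
            .POST(HttpRequest.BodyPublishers.ofString(form))
            .build();
        HttpResponse<String> resp = HTTP.send(req, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() != 200) {
            throw new IllegalStateException("token endpoint: HTTP " + resp.statusCode() + " " + resp.body());
        }
        // Minimal extraction to stay dependency-free; use a real JSON parser in production.
        Matcher m = Pattern.compile("\"access_token\"\\s*:\\s*\"([^\"]+)\"").matcher(resp.body());
        if (!m.find()) throw new IllegalStateException("no access_token in token response");
        return m.group(1);
    }

    public static void main(String[] args) throws Exception {
        String token = fetchAccessToken();
        // Present the token as a Bearer credential to the public API (assumed URL);
        // the resource server validates signature, issuer, expiry and audience.
        HttpRequest apiReq = HttpRequest.newBuilder(URI.create("https://api.example.com/resource"))
            .header("Authorization", "Bearer " + token).GET().build();
        HttpResponse<String> apiResp = HTTP.send(apiReq, HttpResponse.BodyHandlers.ofString());
        System.out.println(apiResp.statusCode() + " " + apiResp.body());
    }
}
```

The response also carries `expires_in`; a long-running service should cache the token and request a new one shortly before it expires rather than on every API call.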