Kong + OAuth2.0 + keyclock bearer only client

I have an internal service “A” which i want to expose to the world via kong api gateway.
I would like to use Oauth2 protocol.
Right now the flow is :

  1. User requests access token using “jwt signed with client_secret” (i need help to define the right client in keycloak for that)

  2. User requests the resource through Kong with the given access token without login (bearer-only option)

the reason i want to use keycloak is for future option to single sign on which right now i dont need.

the scheme of definitions in keycloak i think i should have :

one keycloak client with access type confidential to get access token (client credentials flow) also didn’t fully understand how to define it all there.

one keyclock client with access type bearer only for kong to get the resource with the given access token (not sure the connection between the 2 clients)

or maybe i should have only one client bearer-only for both? still having problems to define this client since i read that the option for jwt with secret isn’t available

i didn’t find any solution in the internet and different forums.

i mainly need the right architecture and definitions in keycloak for this problem.

Thanks a lot.