Hello guys,
Would somebody kindly help me with this?
I am managing to have the following flow with my Keycloak server. The steps, in order of execution, are as below:
- OID - Authorization of a client application using grant type "code" (authentication of the user via the browser flow). Done, OK.
- Viewing that particular user's information via the userinfo_endpoint using the access token obtained in step 1. Done, OK.
- Viewing/managing only that particular user's credentials (i.e., deleting the user's password via the REST API path "/…/user_id/credentials/cred_id"). The server returns a 403 Forbidden error.
Considering that:
- I do not want to grant the user admin privileges like manage_users, but it is okay to grant them to the client application.
- I do want to acquire the access token via user authentication, not, for example, via grant_type=client_credentials.
Do you have any recommendation on the way I can configure the server for this purpose? Or any hint at all.
Thanks
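A quick way to see where the 403 comes from is to look at the roles inside the access token rather than at the request. This is an added example (my own code, not from the post above or from the Keycloak project). It assumes the admin REST path named in the post is the one under `/admin/realms/<realm>/users/...`, which Keycloak protects with the `manage-users` role of the built-in `realm-management` client, and that client roles appear in the token under `resource_access.<client>.roles`. The two sets of claims are constructed samples, and the token is decoded without signature verification, which is fine for inspecting your own token locally but never for an authorization decision.

```python
import base64
import json

# Keycloak places client-level roles in the access token under
# resource_access.<client-id>.roles. The admin REST endpoint
# /admin/realms/<realm>/users/<user_id>/credentials/<cred_id> requires the
# manage-users role of the built-in realm-management client; a token that
# lacks it gets 403, no matter whose credentials are being touched.
ADMIN_CLIENT = "realm-management"
ADMIN_ROLE = "manage-users"


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(payload: dict) -> str:
    """Build a constructed, unsigned compact JWT (header.payload.) for the demo."""
    header = {"alg": "none", "typ": "JWT"}
    return f"{_b64url_encode(header)}.{_b64url_encode(payload)}."


def decode_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature.

    Good enough to inspect a token you obtained yourself while debugging;
    a resource server must verify the signature before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated parts)")
    return json.loads(_b64url_decode(parts[1]))


def client_roles(claims: dict, client_id: str) -> set:
    """Roles granted for one client, as carried in the token."""
    return set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))


def can_call_admin_credentials_api(claims: dict) -> bool:
    """True only if the token carries realm-management/manage-users."""
    return ADMIN_ROLE in client_roles(claims, ADMIN_CLIENT)


def explain(claims: dict) -> str:
    """One-line diagnosis for the admin credentials endpoint."""
    if can_call_admin_credentials_api(claims):
        return f"token carries {ADMIN_CLIENT}/{ADMIN_ROLE}: admin credentials API allowed"
    present = {c: sorted(r.get("roles", []))
               for c, r in claims.get("resource_access", {}).items()}
    return (f"token lacks {ADMIN_CLIENT}/{ADMIN_ROLE}; client roles present: {present} "
            "-> expect 403 from the admin credentials endpoint")


# Constructed claims resembling what a browser (authorization code) login
# yields for an ordinary user: only the built-in "account" client roles.
USER_LOGIN_CLAIMS = {
    "sub": "11111111-2222-3333-4444-555555555555",
    "preferred_username": "alice",
    "azp": "my-web-app",
    "resource_access": {
        "account": {"roles": ["manage-account", "view-profile"]},
    },
}

# Constructed claims for the same user whose role mappings (directly or via a
# group) include realm-management/manage-users.
ADMIN_CAPABLE_CLAIMS = {
    "sub": "11111111-2222-3333-4444-555555555555",
    "preferred_username": "alice",
    "azp": "my-web-app",
    "resource_access": {
        "realm-management": {"roles": ["manage-users"]},
        "account": {"roles": ["manage-account", "view-profile"]},
    },
}


if __name__ == "__main__":
    for claims in (USER_LOGIN_CLAIMS, ADMIN_CAPABLE_CLAIMS):
        token = make_unsigned_token(claims)
        print(explain(decode_claims(token)))
```

Paste the `access_token` from step 1 of the flow into `decode_claims` and run `explain` on the result. As far as I understand Keycloak's token issuance, a token obtained through user login carries the roles mapped to that user (filtered by the client's scope), not roles assigned to the client's service account, so granting `manage-users` to the client application alone will not make the admin endpoint accept a user-authenticated token; the check above makes that visible before you change any role mappings.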