Multiple applications authentication with keycloak

Hello all,
I would like your advice. Currently a custom provider has been implemented with keycloak 21.1.2 for talking to a database. A realm has been created for the users of the company.

Different applications will have access to the same database.
As I have seen, it is recommended to have separate clients (client_id_application_A and client_id_application_A) for each application.

Use case:
Application A creates an access token with scope “openid profile”. Application A calls application B. When the token is generated via the endpoint (realms/{realmName}/protocol/openid-connect/auth) one client_id should be provided. In this case, what is the best approach? Should we have a client per application? What is the best way to generate the token for application A and application B? Should one access token be generated per application?

Thank you in advance!

First of all, I recommend that you describe the use case with the implemented standards and components in the authorization architecture.
The first part is authentication, so you are implementing OpenID Connect (OIDC). In this case, each application (client) has its own client id.
When you move to API protection, I assume that application B API is protected by OAuth 2.0 and is acting as an OAuth 2.0 Resource Server. You can use a single access token with a global audience or a single token that has multiple audiences, each representing a different API.

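As an added example (not from the original post or from Keycloak's own code) of the resource-server side of the answer above: application B accepts a token only if its own client id appears in the `aud` claim, which per RFC 7519 may be a single string or a list, on top of the signature, issuer and expiry checks. To run offline the token is HS256-signed with a constructed shared secret; a real Keycloak access token is RS256-signed and would be verified against the realm's JWKS endpoint, and the issuer URL, client ids and secret here are placeholders.

```python
import base64
import hashlib
import hmac
import json


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_hs256(claims: dict, secret: bytes) -> str:
    """Constructed demo token; real Keycloak tokens are RS256-signed with the realm key."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_for_resource(token: str, secret: bytes, issuer: str, my_audience: str, now: float) -> dict:
    """Resource-server check: signature, issuer, expiry, and that this API is listed in `aud`."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier, not the token, picks the algorithm
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    aud = claims.get("aud", [])  # RFC 7519: either one string or a list of strings
    if isinstance(aud, str):
        aud = [aud]
    if my_audience not in aud:
        raise ValueError("token was not issued for this audience")
    return claims


# Constructed sample values: placeholder issuer URL, client ids and shared secret.
ISSUER = "https://sso.example.invalid/realms/company"
SECRET = b"demo-shared-secret"
MULTI_AUD_TOKEN = mint_hs256({"iss": ISSUER, "sub": "user1", "azp": "application-a",
                              "aud": ["application-a", "application-b"], "exp": 2_000_000_000}, SECRET)
SINGLE_AUD_TOKEN = mint_hs256({"iss": ISSUER, "sub": "user1", "azp": "application-a",
                               "aud": "application-a", "exp": 2_000_000_000}, SECRET)
```

In Keycloak the second audience is added to application A's token with an Audience protocol mapper on its client (or on a shared client scope); without it application B is not listed in `aud` and this check rejects the token.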