Pattern for granting a new client access to a user's resources

Today I have a single public client used by the web GUI. When end users create resources via the GUI, the backend associates the token’s sub to the resources so that I know who owns the resources. I don’t use scope- or resource-based permissions.

Now let’s say end user Sally wants to access her resources via the API. My understanding is that a new (bearer only?) client should be created for Sally specifically for this case.

How should I indicate to my resource server that this new client has rights to Sally’s resources?

I see the following options, which do you recommend?

  • Start using Keycloak’s resource-based permissions and policies. This seems like a lot of work but probably provides the most flexibility. My resource server is PHP and there are no client adapters, meaning I have to code all the API REST calls myself.
  • Create a Keycloak group (or role?) for each logical resource owner and place Sally and the new client into that group. Modify the backend to start using these new groups.
  • Just hack the backend so that I retrieve Sally’s resources when the new client requests them.

Have I missed anything? Thanks in advance for your feedback!

P.S. I foresee a future where my application will need to be “multi-user” in the sense that a company will contract my service and require multiple users. Today this doesn’t work.
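An added example (not from the original post) of what the second option could look like inside a PHP resource server: a resource is reachable either with the owner's own token (matching `sub`, as the backend does today) or with a token from a client that was placed in the owner's Keycloak group. It assumes a Keycloak "Group Membership" protocol mapper adds a `groups` claim, that each resource stores `owner_sub` and `owner_group`, and that the token has already been signature-, issuer- and expiry-validated; all names and values are constructed.

```php
<?php
// Added example, not code from the original post. Assumes the access token has
// already been verified and decoded into an array of claims, and that a Keycloak
// "Group Membership" mapper (full group path on) emits a "groups" claim.
declare(strict_types=1);

function canAccessResource(array $claims, array $resource): bool
{
    // Case 1: the end user (Sally) calls with her own token; keep today's
    // sub-based ownership check so the web GUI flow is unchanged.
    if (isset($claims['sub']) && $claims['sub'] === $resource['owner_sub']) {
        return true;
    }

    // Case 2: a service-account token from a client added to the owner's group.
    // Keycloak emits group paths such as "/sally-resources"; strip the slash.
    foreach ($claims['groups'] ?? [] as $group) {
        if (ltrim((string) $group, '/') === $resource['owner_group']) {
            return true;
        }
    }

    return false;
}

// Constructed sample data so the file runs stand-alone.
$resource = [
    'id'          => 42,
    'owner_sub'   => 'sally-user-uuid',      // constructed
    'owner_group' => 'sally-resources',      // constructed
];

$sallyToken       = ['sub' => 'sally-user-uuid', 'groups' => ['/sally-resources']];
$sallyApiClient   = ['sub' => 'service-account-sally-api-uuid', 'groups' => ['/sally-resources']];
$unrelatedClient  = ['sub' => 'service-account-bob-api-uuid', 'groups' => ['/bob-resources']];

foreach (['sally' => $sallyToken, 'sally-api' => $sallyApiClient, 'bob-api' => $unrelatedClient] as $who => $claims) {
    printf("%-10s -> %s\n", $who, canAccessResource($claims, $resource) ? 'allowed' : 'denied');
}
```

This check only decides ownership; token validation (signature, issuer, expiry and the intended audience) must already have happened before the claims reach it.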