I am currently using Keycloak in a Java application. Is there a security risk to using a Service Account for all of our Keycloak interactions?
An example of how it would work:
Let’s consider an Administrator account, without any realm-management roles.
The Administrator enters the application and wants to delete a user. Instead of verifying his realm-management roles from his token, we just check that he has the Administrator role and then proceed to delete the user using the Service Account (which has realm-management access).
As long as I verify the user’s role beforehand, is it safe to use the Service Account for all realm management operations?
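One way to structure the deputy pattern the question describes, shown as an added example that is not part of the post (a Python sketch rather than the Java application; the role-to-operation mapping, the claim names, the audience value and the admin-client stand-in are all assumptions, not Keycloak's own API): the user's own token decides, and the service account executes only behind that one gate.

```python
import time

# Realm-management operations each application role may trigger (assumption).
ALLOWED_OPERATIONS = {"Administrator": {"delete_user", "reset_password"},
                      "Support": {"reset_password"}}
# Accounts the deputy never deletes, whoever asks (assumption: keeps one
# Administrator from removing peers or locking the application out).
PROTECTED_ROLES = {"Administrator"}

class AuthorizationError(Exception):
    pass

def caller_roles(claims, expected_audience, now=None):
    """Realm roles from a caller token whose signature the adapter already
    verified; expiry and audience are re-checked so a token minted for
    another client cannot drive the deputy."""
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise AuthorizationError("token expired")
    aud = claims.get("aud", [])
    if expected_audience not in ([aud] if isinstance(aud, str) else aud):
        raise AuthorizationError("token not issued for this application")
    return set(claims.get("realm_access", {}).get("roles", []))

def authorize(claims, operation, target_roles, audience="my-app", now=None):
    """Raise unless the caller's OWN roles permit `operation` on this target."""
    roles = caller_roles(claims, audience, now)
    if not any(operation in ALLOWED_OPERATIONS.get(r, ()) for r in roles):
        raise AuthorizationError(f"caller may not perform {operation}")
    if operation == "delete_user" and target_roles & PROTECTED_ROLES:
        raise AuthorizationError("target is a protected account")

def delete_user_via_service_account(claims, user_id, admin_client, now=None):
    """Single choke point: admin_client (assumed to hold the service account's
    client-credentials session) is reached only after authorize() passes."""
    target_roles = set(admin_client.get_realm_roles(user_id))
    authorize(claims, "delete_user", target_roles, now=now)
    admin_client.delete_user(user_id)
    # Audit record ties the privileged action to the human who requested it.
    return {"actor": claims.get("sub"), "operation": "delete_user", "target": user_id}

class RecordingAdminClient:
    """Constructed stand-in for the Keycloak admin client (test double)."""
    def __init__(self, roles_by_user):
        self.roles_by_user, self.deleted = roles_by_user, []
    def get_realm_roles(self, user_id):
        return self.roles_by_user.get(user_id, [])
    def delete_user(self, user_id):
        self.deleted.append(user_id)
```

Because every privileged call passes through one function that consults the caller's token, the service account's broad realm-management rights never exceed what the requesting human was entitled to ask for, and each action is logged against that human rather than against the shared account.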