Use username/password of user to authorize and secure backend

Hi everybody.

We have a back-end including some REST web services (resources), and some users want to call these secure web services.
Our users just have their usernames and passwords and a client-id (and NOT a client-secret).
First Solution:
We have to define a client per user (who wants to call our web services) and provide a client-id/client-secret for the user to authorize.
Second Solution:
The user needs to authenticate with his own username/password and get a token.
Then use this token as a bearer token to get a uma-ticket (RPT token).
Then use the second token (RPT token) to authorize and call the resource server web services.
But this process is not so straightforward, because of getting two tokens to call a web service.

Is there a better solution?
Thanks to all.

Third Solution:
The user will use username/password, Keycloak generates an access token with the user's roles/groups, and the app authorizes (deny/allow) users based on the roles/groups in the access token.


Good idea, but by using this solution we have to introspect the token ourselves on the server side, and we do not want to do this.

No, you don't have to introspect the token (that is a very lazy and naive implementation by some devs). You just need the realm key (which is downloaded just once, usually when the app is starting) and you are able to verify the access token. See how https://github.com/louketo/louketo-proxy works.
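The "third solution" and the last reply describe the same resource-server pattern: the user obtains an access token from Keycloak, the backend verifies the token's RS256 signature locally with the realm's public key (no introspection call per request), and then allows or denies based on the roles Keycloak placed in the token. The Go program below is an added example written for this thread; it is not code from the thread, from Keycloak or from louketo-proxy. It uses only the Go standard library. The claim names `iss`, `sub`, `exp` and `realm_access.roles` are the ones Keycloak emits; the issuer URL, user and role values are constructed, and the key pair generated in `main` stands in for the realm key, which a real server would load once from the realm's published keys instead of generating. `MintTestToken` plays the part of Keycloak's token endpoint only so the verifier can be exercised offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of a Keycloak access token a resource server needs for
// an allow/deny decision. Claim names are Keycloak's; all values are constructed.
type Claims struct {
	Issuer      string `json:"iss"`
	Subject     string `json:"sub"`
	Expires     int64  `json:"exp"`
	RealmAccess struct {
		Roles []string `json:"roles"`
	} `json:"realm_access"`
}

// VerifyAccessToken validates an RS256 JWT locally against the realm public key
// (no introspection round-trip). It pins the algorithm, checks the signature
// before trusting any claim, then checks issuer and expiry.
func VerifyAccessToken(token string, realmKey *rsa.PublicKey, issuer string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("token must have three dot-separated parts")
	}
	headerJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("header: %w", err)
	}
	var header struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(headerJSON, &header); err != nil {
		return nil, fmt.Errorf("header: %w", err)
	}
	// Never let the token choose the algorithm: this rejects "none" and any
	// HMAC alg that would treat the public key bytes as a shared secret.
	if header.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(realmKey, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature invalid: %w", err)
	}
	payloadJSON, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("payload: %w", err)
	}
	var claims Claims
	if err := json.Unmarshal(payloadJSON, &claims); err != nil {
		return nil, fmt.Errorf("payload: %w", err)
	}
	if claims.Issuer != issuer {
		return nil, fmt.Errorf("issuer %q is not the trusted realm", claims.Issuer)
	}
	if now.Unix() >= claims.Expires {
		return nil, fmt.Errorf("token expired")
	}
	return &claims, nil
}

// HasRealmRole is the authorization step: allow/deny from the roles Keycloak put
// in the token, with no further call to the server.
func HasRealmRole(c *Claims, role string) bool {
	for _, r := range c.RealmAccess.Roles {
		if r == role {
			return true
		}
	}
	return false
}

// MintTestToken stands in for Keycloak's token endpoint so the verifier can run
// offline; a real resource server never holds the realm private key.
func MintTestToken(key *rsa.PrivateKey, claims Claims) string {
	signingInput := b64JSON(map[string]string{"alg": "RS256", "typ": "JWT"}) + "." + b64JSON(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// b64JSON encodes a JWT segment: JSON, then unpadded base64url.
func b64JSON(v interface{}) string {
	raw, err := json.Marshal(v)
	if err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(raw)
}

func main() {
	realmKey, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the realm key pair
	var c Claims
	c.Issuer = "https://keycloak.example/realms/demo" // constructed issuer URL
	c.Subject = "alice"
	c.Expires = time.Now().Add(5 * time.Minute).Unix()
	c.RealmAccess.Roles = []string{"reader"}
	claims, err := VerifyAccessToken(MintTestToken(realmKey, c), &realmKey.PublicKey, c.Issuer, time.Now())
	if err != nil {
		fmt.Println("deny:", err)
		return
	}
	fmt.Println("allow reader:", HasRealmRole(claims, "reader"), "allow admin:", HasRealmRole(claims, "admin"))
}
```

Two points in the ordering matter in practice: the `alg` header is checked against a fixed value before anything else is trusted, and the signature is verified over the raw encoded segments before the payload is even parsed, so a tampered role list or expiry never reaches the authorization step. Issuer and expiry are then compared against values the server controls, not against anything in the token.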