I am developing a microservice-based project that will have human users logging into the system as well as machines directly connecting to the microservices.
I will explain the scenario better with an example. Take, for example, AWS (or any cloud provider). Human users log into the system with a username and password. These users generate an access-key/secret-key pair that will be used by the machines to communicate with AWS resources.
One of the approaches to configuring this in Keycloak is:
- Human Users: These will be configured as Users in Keycloak
- Machine to machine communication: Machines will be configured as Clients in Keycloak with Service Account Enabled.
With this approach, we will have to dynamically create new clients for every new machine (or pool of machines) connecting to the server. First of all, is this a problem at all, or is it normal? As I have observed, clients in Keycloak are typically either frontend channels or microservices (configured with a service account). Basically, clients are static and not dynamically added (based on my observation).
- Should we dynamically generate Clients in Keycloak?
- Alternate Approaches: Please share your ideas/approaches to secure the system described above.