I have a keycloak installation and I have configured User federation so that it uses my database to query the users.
Now I have a /login endpoint which accepts username and password in the POST body and it basically uses ROPC under the hood to get the access token and once token is received, I am using my own login and my own db to get the roles and creating the JWT and returning it back.
Now all my apis require this JWT as Authorization Header (which is already taken care because I have added filters in spring security chain and have my own token verification logic as well).
Now since ROPC is deprecated, my doubt is what should i use.
Some suggested to use client credential flow + keycloak admin api to validate the credential but how it is more secure than the ROPC.
You should split the question into multiple parts. First of all, I recommend following the standards.
Authentication is based on OpenID Connect. Therefore, the first decision you need to make is whether you are authenticating a user or an app/machine. Based on your comments, you are implementing ROPC (Resource Owner Password Credentials), which means you are authenticating a user. In contrast, the client credentials flow is not an option in this case because it is used for authenticating an app/machine.
ROPC is not recommended (and is considered deprecated) because, in an API-based authentication approach, the application has direct access to user credentials—in this case, the password. Therefore, you should generally transition to a browser-based approach using the traditional redirect model with either the authorization code flow or authorization code + PKCE, depending on the type of application
When moving to authorization, we are now talking about OAuth 2.0. Your API, protected by OAuth, acts as a Resource Server and requires a valid access token for access. This access token (which could be a JWT or opaque) is sent in the Authorization header.
Spring Boot with Spring Security provides built-in support for OIDC and OAuth 2.0. With just a few clicks, you’re good to go.
Hope this helps.