Let’s assume we have an application that uses Keycloak for authentication and exposes a set of APIs. To call one of these APIs, a client first has to obtain an access token from Keycloak, and then pass this access token in the API call. But how does the client application authenticate to Keycloak? The most common approach is to let the application use the OAuth client_credentials grant in combination with a client secret. That solves the authentication problem, but creates a new problem: We...