[keycloak-user] validating an access token from an external service with a public client

Rafael Chaves rafael at abstratt.com
Thu Jan 25 10:30:26 EST 2018


Hi,

Keycloak/OAuth newbie here, possibly asking a silly question. This is the
architecture we have:

1) a web application, with authentication done via keycloak
2) an external service (REST API) that is invoked by the application above

In that external service, I would like to implement a simple mechanism that
allows me to ensure the requests received are made by a valid user in that
web application. We do not necessarily care about obtaining user
information at this point (or permissions).

The initial idea is that the web application would pass, in every
request to the external service, an access token generated by Keycloak.
The external service would then ensure that the token is indeed valid,
which we assume involves accessing the Keycloak server (that would be fine).

We looked into the entitlement API and that was pretty close (one legged
verification), but it seemed to require the "Authorization Enabled" toggle
to be ON in the client configuration. We do not understand the entire
impact of enabling that configuration. But we noticed that at least the
client is then required to use a secret to work, which the web application
currently does not use. Can that change be avoided, and are there other
impacts?

BTW, we are using Keycloak 3.3.0.Final.

Thank you,

Rafael

