[keycloak-user] how to get a token in js webapp for bearer-only backend api client

chapani chapani at protonmail.com
Tue Nov 20 08:27:58 EST 2018


Hi,

I have this setup for my app:

1. Keycloak server
2. Keycloak-protected Node.js backend (bearer-only)
3. PHP/React.js frontend

The frontend is optionally login-protected. For some users it will be required to login which will redirect the user to Keycloak server. After a user is logged in, the frontend will have a bearer token to make api calls to the keycloak-protected backend.

My problem is how to get a bearer token for users that don't need to be logged in (anonymous users).

I tried this approach:

1. Created "confidential" client to be used by PHP.
2. The frontend PHP gets a bearer token using client_id and client_secret and passes it to JavaScript (by that I mean printing out the token values inside a <script> tag as a global variable).
3. Initially, the frontend makes successful api calls because the access_token passed by php is fresh/valid.
4. After the access_token is expired, I will need to fetch a new one using refresh_token.
5. But for that I need the client_secret, which is not available in the JS app (and it's not recommended to store a client_secret or password in a JS app, as you know).

I'm stuck here. I researched, read a lot of documentation, but failed to find a way to achieve that.

One other idea that crossed my mind was to make the bearer access_token long-lived, 6 hours for instance. But some users may use the app for more than that.

What options do I have?

Sent with [ProtonMail](https://protonmail.com) Secure Email.

