[keycloak-user] Securing a REST API Along Side SAML

Caleb McHenry calebmchenry at gmail.com
Wed Oct 3 09:14:37 EDT 2018


I have a web app that makes REST calls to various servers (all of which I
have control of).
I have a requirement to secure my web app with SAML using keycloak (which I
have been able to do). Now I want to secure my REST APIs. After doing some
digging into the Keycloak docs and the mailing list it appears that I
should use the SAML assertion to get an OAuth2 token (since it appears
using ECP is ill-advised). My understanding is that I cannot get a username
and its roles from Keycloak by giving it a SAML assertion.

So does this mean I need to keep track of active sessions and the users and
roles they correspond to? This seems like a bad idea to me because it could
easily become out of sync with Keycloak.

I understand I can get the username and roles from the initial login
assertion, but I would think I would want my REST APIs to verify the
requester is who they say they are. Please correct me if I am overlooking
or misunderstanding something. But if anyone has suggestions they would be
appreciated.

Thanks, Caleb
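The stateless alternative to tracking sessions that the post is asking about is for each REST endpoint to verify the bearer token it receives on every call: check the signature, issuer, audience and expiry, then read the roles out of the token's own claims. The following is an added example written for this thread, not code from the original post or from the Keycloak project. It assumes a constructed shared HS256 secret so that it runs offline; a real Keycloak realm signs access tokens with RS256 by default, so a production resource server would verify against the realm's published JWKS instead. The realm URL `https://keycloak.example/auth/realms/demo` and client id `orders-api` are hypothetical, while the `realm_access.roles` and `resource_access.<client>.roles` claim layout is the one Keycloak tokens actually use.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret for HS256; stands in for the realm's RS256 key pair.
SECRET = b"demo-secret-not-for-production"
ISSUER = "https://keycloak.example/auth/realms/demo"  # hypothetical realm URL
AUDIENCE = "orders-api"                                # hypothetical client id


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims, secret=SECRET):
    """Constructed stand-in for the access token Keycloak's token endpoint returns."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_bearer(token, secret=SECRET, now=None):
    """Return verified claims or raise ValueError. No session store is consulted."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm; never let the token's own header choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if AUDIENCE not in aud:
        raise ValueError("token not intended for this API")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def has_role(claims, role):
    """Keycloak carries realm roles in realm_access and client roles in resource_access."""
    realm_roles = claims.get("realm_access", {}).get("roles", [])
    client_roles = claims.get("resource_access", {}).get(AUDIENCE, {}).get("roles", [])
    return role in realm_roles or role in client_roles


def handle_request(authorization_header, needed_role, now=None):
    """Minimal stand-in for a REST endpoint's auth check; returns (status, body)."""
    if not authorization_header.startswith("Bearer "):
        return 401, "missing bearer token"
    try:
        claims = verify_bearer(authorization_header[len("Bearer "):], now=now)
    except ValueError as err:
        return 401, str(err)
    if not has_role(claims, needed_role):
        return 403, "forbidden"
    return 200, "hello " + claims.get("preferred_username", "?")


if __name__ == "__main__":
    t0 = 1_700_000_000
    token = mint_token({"iss": ISSUER, "aud": AUDIENCE, "exp": t0 + 300,
                        "preferred_username": "caleb",
                        "realm_access": {"roles": ["user"]}})
    print(handle_request("Bearer " + token, "user", now=t0))    # (200, 'hello caleb')
    print(handle_request("Bearer " + token, "admin", now=t0))   # (403, 'forbidden')
    print(handle_request("Bearer " + token, "user", now=t0 + 600))  # expired -> 401
```

Because every check reads only the token and the realm's key material, the API never drifts out of sync with Keycloak the way a locally maintained session-to-roles table would; revocation is handled by short token lifetimes (and, where needed, the realm's token introspection endpoint) rather than by the API remembering state.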
