[keycloak-user] Authenticating non-interactive users

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hello, I'm assisting on a project that is about to implement Keycloak for user auth. They also need to authenticate/authorize non-interactive users (as in: nodes talking to a server) and are considering using Keycloak for that as well. My first thought was to use OAuth, performing the initial OAuth flow during the first boot of the server and then publishing the refresh token to the nodes, so that they can get bearer tokens whenever they need to talk to the server. While the above works in my PoC, it's not ideal: - - there has to be an unprotected resource, so that the node can get the refresh token - - the refresh token is related to the admin that first installed the server - - related to the above: auditing is harder, as the requests were appear to come from said admin - - node and server are the same application from the user's perspective, so, it makes no sense to have an "OAuth client" and an "Application" on Keycloak. - - having an extra code for the initial OAuth flow seems a bit counter productive There are some examples where part of this scenario could be covered, like the "KeycloakInstalled" from the integration project, but it also doesn't seems to quite fit into this. So, my questions would be: - - Would there be a better solution based on the latest Keycloak? - - If not, is this scenario something that would be interesting implementing? The advantage I see in having this implemented on Keycloak instead of baking a new solution is that the application wouldn't need to care if the request is coming from a non-interactive user or a real user, as long as the proper roles are set. Also, having one single auth mechanism for both non-interactive and interactive users is far better than mixing mechanisms based on the path. Juca.