I’ve been evaluating the “Direct Access Grants” functionality of Keycloak. Overall, I think I can make it work for my use cases, but I do have a couple of concerns.
Chapter 12 of the documentation compares Keycloak’s Direct Access Grants functionality to OAuth2’s “Resource Owner Password Credentials Grant.” However, if I understand the specification correctly, this grant type is only for using the resource owner’s credentials. What if we can’t authorize using the resource owner credentials, but need to authorize the client itself using the client id and secret alone? For this, we need support for the “Client Credentials Grant”. Is this planned for Keycloak 1.0?
By adding the required “grant_type” parameter to the “tokens/grants/access” service endpoint, it seems like both the “password” and “client_credentials” could be supported, with the “client_credentials” grant type simply not requiring the username and password form parameters in the POST. Thoughts on this?
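As an added illustration of the proposal above (not Keycloak's code, and not part of the original post), the following sketch shows a token endpoint that dispatches on a required `grant_type` form parameter: the `password` grant needs `username` and `password`, while `client_credentials` authenticates the client alone and issues a token whose subject is the client rather than a user. The client registrations, user store and the `allow_client_credentials` flag are constructed sample data; the error codes follow RFC 6749.

```python
"""Token-endpoint dispatcher separating the password grant from the
client_credentials grant by an explicit ``grant_type`` parameter.

Added example only; CLIENTS and USERS are constructed in-memory sample data.
"""
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed sample registrations (hypothetical values, not from any real realm).
CLIENTS = {
    "reporting-job": {"secret": "job-secret-123", "allow_client_credentials": True},
    "mobile-app": {"secret": "app-secret-456", "allow_client_credentials": False},
}
USERS = {"alice": "correct horse battery staple"}

# Tokens issued during this run, keyed by access token, so a caller can see
# which principal each token represents.
ISSUED = {}


def _form(body):
    """Parse an application/x-www-form-urlencoded body into single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def _error(status, code, description):
    return status, {"error": code, "error_description": description}


def _issue(sub, client_id, grant_type):
    token = secrets.token_urlsafe(32)
    ISSUED[token] = {"sub": sub, "azp": client_id, "grant_type": grant_type}
    return 200, {"access_token": token, "token_type": "bearer", "expires_in": 300}


def _same(a, b):
    """Constant-time string comparison so secret checks do not leak prefix matches."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def token_request(body):
    """Handle a POST body sent to the token endpoint; returns (http_status, json_body)."""
    form = _form(body)

    # grant_type is required by RFC 6749. Rejecting its absence up front avoids
    # guessing the caller's intent from which other fields happen to be present.
    grant_type = form.get("grant_type")
    if not grant_type:
        return _error(400, "invalid_request", "grant_type is required")
    if grant_type not in ("password", "client_credentials"):
        return _error(400, "unsupported_grant_type", grant_type)

    # Both grants authenticate the client first with client_id and client_secret.
    client_id = form.get("client_id", "")
    client = CLIENTS.get(client_id)
    if client is None or not _same(form.get("client_secret", ""), client["secret"]):
        return _error(401, "invalid_client", "client authentication failed")

    if grant_type == "password":
        username = form.get("username")
        password = form.get("password")
        if not username or password is None:
            return _error(400, "invalid_request", "username and password are required")
        expected = USERS.get(username)
        if expected is None or not _same(password, expected):
            return _error(400, "invalid_grant", "bad user credentials")
        # The token represents the resource owner, acting through this client.
        return _issue(username, client_id, grant_type)

    # client_credentials: no user is involved, so username/password are not
    # required and the token's subject is the client itself. Gate it per client
    # so a public or user-facing client cannot mint service tokens by accident.
    if not client["allow_client_credentials"]:
        return _error(401, "unauthorized_client", "grant not enabled for this client")
    return _issue(client_id, client_id, grant_type)


if __name__ == "__main__":
    print(token_request("grant_type=client_credentials&client_id=reporting-job"
                        "&client_secret=job-secret-123"))
    print(token_request("grant_type=password&client_id=mobile-app"
                        "&client_secret=app-secret-456&username=alice"
                        "&password=correct+horse+battery+staple"))
```

Keeping the grant type explicit rather than inferred from the presence of `username`/`password` matters for auditing: every issued token records which grant produced it, and a client that should never act without a user can be denied `client_credentials` outright.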