Hi,
how would one configure Keycloak to obtain following scenario's?
Scenario 1:
client A: public (angular app)
client B: bearer-only (microservice)
client C: bearer-only (microservice)
- microservice B is allowed to call microservice C, but an authenticated user in the js app A should be forbidden to call microservice C directly.
Scenario 2:
client A: public (angular app)
client B: confidential (1 war with a REST service AND a JSF application, both using the same EJB business layer which is accessing microservice C)
client C: bearer-only (microservice)
- a user authenticated in the angular app can use the REST service of app B and will see the results of microservice C, but the user may not call microservice C directly
- a user authenticated in the JSF application will see the results of microservice C when using the JSF application, but should not be able to use microservice C directly (if the user would reuse the same access_token)
- should there be different roles for the REST part and the JSF part of app B (for accessing microservice C)?
Kind regards,
Dirk