Saw your session at JavaZone, so thought we could give KC a try :-)
Our web application is split in two: a frontend (HTML5/JavaScript) and our backend (REST lv. 3 developed in Java, currently running inside Tomcat).
Our frontend is just a consumer of our backend API (just like any other client), and I've successfully configured KC to use openid-connect/public for our frontend with keycloak.js, and openid-connect/bearer-only for our backend (API) in our test environment (sending the Authorization header with Bearer and keycloak.token to the backend when doing ajax requests). This works as expected. We have even written our own federation doing password validation from our user database.
But a lot of our customers have integrated their applications with our backend API (doing REST calls for issuing invoices, etc.).
Most other services that provide you with an API offer tokens that can be used for identification and authentication. And as far as I can see, these are offline tokens in KC.
So we want to have our users log in to our service with their browser, go to our "API key page" and create a new token to be used by the integrations (moving away from Basic auth).
I've created an offline token by hitting a Keycloak-protected HTML file and requesting a resource with the parameter ?scope=offline_access. I do see KC gives me a value back:
But there is no way I can use this for anything (and in KC it seems to be bound to our frontend application).
Why can't I use the admin REST API to say something like: give me an offline token for this user for this app?
/Pål