Hi,

how would one configure Keycloak to obtain following scenario's?

Scenario 1:

client A: public (angular app)
client B: bearer-only (microservice)
client C: bearer-only (microservice)

- microservice B is allowed to call microservice C, but an authenticated user in the js app A should be forbidden to call microservice C directly.

Scenario 2:

client A: public (angular app)
client B: confidential (1 war with a REST service AND a JSF application, both using the same EJB business layer which is accessing microservice C)
client C: bearer-only (microservice)

- a user authenticated in the angular app can use the REST service of app B and will see the results of microservice C, but the user may not call microservice C directly
- a user authenticated in the JSF application will see the results of microservice C when using the JSF application, but should not be able to use microservice C directly (if the user would reuse the same access_token)
- should there be different roles for the REST part and the JSF part of app B (for accessing microservice C)?

Kind regards,
Dirk