[keycloak-user] FW: Access control and client setup

Hi I'm evaluating Keycloak as our IAM and SSO and it seems very powerful, but I can't seem to wrap my head around some things. We want to separate our APIs from the IAM. The sole purpose of Keycloak is to provide an identity and access token, primarily using the implicit flow. The client-side application (usually SPAs) uses the access token in all API calls and the resource server checks the signature of the access token but does not access Keycloak at all. Each backend has a few operations, and each operation gets its own "permission". For example one API can manage "items", so there are four permissions: - create:item - read:item - update:item - delete:item Is it best practice with Keycloak to model these permissions as scopes? And then use roles/permissions/policies to limit the scope of the user? The backend can then just decode the access token and read the granted scopes. Also, in a SPA + API set-up, do I create two clients in Keycloak, one for each? This is only useful when the API needs resource protection, right? I guess in my case I only need one client for the SPA because the API only needs the scope from the access token by decoding it. Thanks for any feedback Kind regards Dean