[keycloak-user] Client Credentials flow for external applications

Leslie C lianne_e5 at yahoo.com
Thu Jun 6 21:20:14 EDT 2019


Hi!
We're looking into using Keycloak as our auth server for securing our REST APIs. The APIs are set up to only be accessed by a limited audience - all trusted external clients. We do not store or maintain user data, so I don't think the "resource owner" concept of OAuth2 applies in our scenario - so we'll be using the Client Credentials authentication flow. I found the following on StackOverflow and just wanted to know your thoughts on whether this is a valid and acceptable implementation of the flow in Keycloak:
Issuing "API keys" using Keycloak

I finally found a solution that works well and seems to be "the Keycloak way" to issue credentials to external applications. To create a new set of credentials, add a new Keycloak client and change the following settings:
- Standard Flow Enabled: OFF
- Direct Access Grants Enabled: OFF
- Access Type: Confidential
- Service Accounts Enabled: ON

The external application will use our newly created client's name as the client_id. The client_secret was generated automatically and can be found under the Credentials tab.

Granting Client Access to Your Services

If your Keycloak-protected services are configured to check the aud claim of incoming Bearer tokens, a second step is necessary. By default, the audience of the JWT tokens that Keycloak issues to your client will be set to your client's name, so they will be rejected by your services. You can use Client Scopes to modify that behavior:

1. Create a new client scope
2. Select "Audience Template"
3. Select the service you'd like to grant your external applications access to and click "next"
4. Add the scope to the client you just created (Client Scopes tab)

Keycloak will now add your service's name to the aud claim of all JWT tokens it issues to your new client. Check out the Keycloak documentation on Service Accounts for more details.

Exchanging Client Credentials for an Access Token

An external application can now use its credentials to obtain an access token from Keycloak's token endpoint:

POST {keycloak-url}/auth/realms/atlas/protocol/openid-connect/token

1. Set the Content-Type header to application/x-www-form-urlencoded
2. Authenticate the request with Basic Authentication, using your client id as the user and your client secret as the password
3. Set grant_type=client_credentials in the request body

Found a similar flow here which is more comprehensive and much closer to what I'm trying to achieve: https://stackoverflow.com/questions/56186951/keycloak-oauth-2-authentication-flow
Our REST APIs are implemented using Mulesoft and honestly, being a beginner myself, I'm not sure how to use the Keycloak adapters to integrate with Mulesoft. I plan to use the available oidc endpoints (/introspection) to just validate the tokens, if this is acceptable.

Kindly let me know what you think. If you have any suggestions/alternative solutions in mind, please feel free to share. Appreciate any help I can get.


Thanks,
Lian
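Added example (not part of the post, the quoted StackOverflow answer, or Keycloak's own code): the token request the quoted steps describe, the introspection request a resource server would send to validate a presented Bearer token, and the audience check that the "Audience" client scope step exists to satisfy. The Keycloak base URL, the client names and secrets, and the three introspection replies are constructed placeholders; the realm name "atlas" and the token endpoint path are taken from the post, and the "/introspect" suffix is Keycloak's introspection endpoint under the token endpoint.

```python
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request

# Placeholder deployment values (assumptions); 'atlas' is the realm named in the post
KEYCLOAK_URL = "https://keycloak.example.com"
REALM = "atlas"
TOKEN_ENDPOINT = f"{KEYCLOAK_URL}/auth/realms/{REALM}/protocol/openid-connect/token"
# Keycloak's token introspection endpoint sits directly under the token endpoint
INTROSPECT_ENDPOINT = TOKEN_ENDPOINT + "/introspect"


def basic_auth_header(client_id, client_secret):
    """HTTP Basic credentials: client_id as the user, client_secret as the password."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def build_token_request(client_id, client_secret):
    """The external application's client_credentials request for an access token.

    Returns an unsent urllib Request so the example runs offline; pass it to
    urllib.request.urlopen() against a real realm to execute it.
    """
    body = urlencode({"grant_type": "client_credentials"}).encode()
    return Request(
        TOKEN_ENDPOINT,
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Authorization": basic_auth_header(client_id, client_secret),
        },
    )


def build_introspection_request(api_client_id, api_client_secret, bearer_token):
    """The API's request asking Keycloak whether a presented Bearer token is active.

    Introspection is authenticated with the API's own confidential client
    credentials; the caller's token is only the subject of the query.
    """
    body = urlencode({"token": bearer_token}).encode()
    return Request(
        INTROSPECT_ENDPOINT,
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Authorization": basic_auth_header(api_client_id, api_client_secret),
        },
    )


def authorize(introspection_body, expected_audience):
    """Decide whether the API accepts the token, given Keycloak's introspection
    reply (RFC 7662 JSON).

    Rejects inactive tokens and tokens whose aud claim does not name this API,
    which is the default-audience problem the Audience client scope fixes.
    Returns (accepted, reason_or_client_id).
    """
    info = json.loads(introspection_body)
    if not info.get("active"):
        return False, "token inactive or unknown"
    aud = info.get("aud", [])
    if isinstance(aud, str):  # aud may be a single string or a list
        aud = [aud]
    if expected_audience not in aud:
        return False, f"audience {aud} does not include {expected_audience}"
    return True, info.get("client_id", "unknown-client")


# Constructed introspection replies, shaped like Keycloak's but not captured from it
REPLY_OK = json.dumps({"active": True, "aud": ["orders-api", "account"],
                       "client_id": "partner-app", "typ": "Bearer"})
# Default behaviour without the Audience scope: aud is just the client's own name
REPLY_WRONG_AUD = json.dumps({"active": True, "aud": "partner-app",
                              "client_id": "partner-app"})
REPLY_INACTIVE = json.dumps({"active": False})

if __name__ == "__main__":
    req = build_token_request("partner-app", "REPLACE_WITH_CLIENT_SECRET")
    print(req.full_url, req.get_method(), req.data, req.get_header("Authorization"))
    for reply in (REPLY_OK, REPLY_WRONG_AUD, REPLY_INACTIVE):
        print(authorize(reply, "orders-api"))
```

The `authorize` function is the part a Mulesoft (or any other) resource server needs to get right when it validates by introspection rather than through a Keycloak adapter: an "active": true reply alone says nothing about which service the token was minted for, so the aud check is what keeps a token issued for one API from being replayed against another.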

