Keycloak admin API: how do I authenticate a client who has Keycloak's JWT?


I have a simple setup where a server hosts Keycloak (23.0.1), and a number of apps. Keycloak and the apps are all reverse-proxied behind Apache, so Apache (mod_auth_openidc) is the client/RP, and the local Keycloak is the OP.

One of the apps needs to make API requests to Keycloak, to handle user ops (adding users, setting claims, and so on). To handle this, I have a service account client on Keycloak, and the app makes Curl requests to Keycloak, using the client secret.

This works, but I can't help feeling that I've done this wrong. The app needs to record the client secret, so it feels insecure, and I'd rather use a JWT if possible. In this flow:

  1. The user signs into the app
  2. Apache authenticates with the local Keycloak, gets a signed JWT, and returns it to the app
  3. The app now makes API requests (on curl) with the signed JWT, without needing to know the client secret

How do I do this, with either kcadm.sh or curl? I can't find this in the docs (here or in the API spec). It looks like I have to set up a keystore so that Keycloak can authenticate the incoming signed JWT, but I just need Keycloak to auth its own signed JWT, so there's no keystore in this system. Does this make sense? If I just run kcadm.sh and supply a JWT with the --secret parameter I get a Parameter client_assertion_type is missing error.


There are 0 answers
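Added example, not part of the question or of Keycloak's own code, showing what the "client_assertion_type is missing" error refers to: the token endpoint expects a client assertion, a JWT the client signs about itself (iss and sub are the client id, aud is the token endpoint, with a one-time jti and short exp), not the user's access token obtained by Apache. The client id, endpoint and secret below are constructed; this is the HS256 (client_secret_jwt) form, and Keycloak's "Signed JWT" private-key form sends the same claims with an RSA/EC signature in place of the HMAC.

```python
import base64, hashlib, hmac, json, time, uuid
from urllib.parse import urlencode

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def encode_hs256_jwt(claims: dict, key: str) -> str:
    """Compact JWS with HS256 over the given claims (helper; also used to build a
    user-access-token look-alike in the check below)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def build_client_assertion(client_id: str, token_endpoint: str, client_secret: str,
                           now=None, jti=None) -> str:
    """The JWT Keycloak expects in `client_assertion`: issued by the client about
    itself, bound to the token endpoint, single-use (jti) and short-lived (exp)."""
    now = int(time.time()) if now is None else now
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint,
              "jti": jti or str(uuid.uuid4()), "iat": now, "exp": now + 60}
    return encode_hs256_jwt(claims, client_secret)

def token_request_body(client_id: str, assertion: str) -> str:
    """Form body for POST .../realms/<realm>/protocol/openid-connect/token; no
    client_secret field is sent, which is what --secret with a plain JWT lacked."""
    return urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_assertion_type": JWT_BEARER, "client_assertion": assertion})

def decode_claims(jwt: str) -> dict:
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def is_client_assertion(jwt: str, client_id: str, token_endpoint: str, now=None) -> bool:
    """Why a user's access token is rejected: its iss is the realm, its sub is the
    user and its aud is not the token endpoint, so it is not a client assertion."""
    c = decode_claims(jwt)
    now = int(time.time()) if now is None else now
    aud = c.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    return (c.get("iss") == client_id and c.get("sub") == client_id
            and token_endpoint in aud and "jti" in c and c.get("exp", 0) > now)
```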