Client authentication flow with Keycloak and quarkus #36338
Hi. I'm implementing OpenID Connect on Quarkus using Keycloak as an authorization server. I developed an endpoint in my Quarkus API that must be accessed by another (integration) server. In other words, communication is from one server to another server; there is no user in the middle.

Researching OAuth2, I understood that for these cases the client authentication flow is the most recommended to use. In this case I understood that server A, which wants to integrate with my API, must have a client in Keycloak (with Client authentication enabled), and Keycloak will then generate a client_secret. Therefore, server A must authenticate to Keycloak using its client_id and client_secret, and Keycloak will return a JWT token. Server A must then access my API using this token.

However, I didn't find a way to implement this in Quarkus. In all the tutorials it authenticates on behalf of a user (a user must obtain the token), and never a non-impersonated application using its client credentials. I tried to pass the token obtained by client authentication to Quarkus, but it returns 401.

I found someone with the same question on Stack Overflow without a definitive answer: https://stackoverflow.com/questions/64037585/quarkus-how-to-authenticate-between-microservices

Could someone from the community help me?
Replies: 4 comments
/cc @pedroigor (keycloak), @sberyozkin (keycloak)
Please check Quarkus OIDC client
Or Quarkus Keycloak admin client
I discovered the problem. It has no relation to Quarkus. I debugged the code and the 401 error is coming from an internal validation that another developer performed. Now it is returning success. Sorry
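The server-to-server exchange described in the question, as an added example that is not part of the thread and is not Quarkus or Keycloak project code: server A's client credentials token request, the Bearer call to the API, and a claim check for narrowing down a 401. The hosts, the realm name `demo`, the client id `server-a`, the helper names and the sample token are assumptions constructed for illustration, and the token URL assumes Keycloak's `/realms/<realm>/protocol/openid-connect/token` path.

```python
import base64
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Assumed values for illustration; none of them come from the thread.
ISSUER = "https://keycloak.example.com/realms/demo"
TOKEN_URL = ISSUER + "/protocol/openid-connect/token"
API_URL = "https://api.example.com/integration"

def token_request(client_id, client_secret):
    """Server A's token request: OAuth2 client credentials grant, no user involved."""
    body = urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret}).encode()
    return Request(TOKEN_URL, data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})

def fetch_token(client_id, client_secret):
    """Send the request over TLS and return the access token (a JWT)."""
    with urlopen(token_request(client_id, client_secret)) as resp:
        return json.load(resp)["access_token"]

def api_request(access_token):
    """Call to the protected API, presenting the token as a Bearer credential."""
    return Request(API_URL, headers={"Authorization": "Bearer " + access_token})

def peek_claims(jwt):
    """Decode the payload WITHOUT verifying the signature: for debugging only."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def rejection_reasons(claims, expected_issuer, now=None):
    """Claim checks a resource server applies; a failure usually surfaces as 401."""
    now = time.time() if now is None else now
    reasons = []
    if claims.get("iss") != expected_issuer:
        reasons.append("issuer mismatch")
    if claims.get("exp", 0) <= now:
        reasons.append("token expired")
    return reasons

def constructed_token(claims):
    """Constructed sample token with a dummy signature, so the checks run offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "sig"])
SAMPLE = constructed_token({"iss": ISSUER, "azp": "server-a", "exp": 2000000000})
```

If `rejection_reasons` comes back empty for a token the API still rejects, the 401 is coming from somewhere other than issuer or expiry validation, such as an application-level check. Keep the client secret out of source control and load it from the environment or a secret store.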