Single Client vs Multiple Clients


Navin Kaushik

Feb 2, 2021, 11:41:54 PM
to Keycloak User
Hello,

We are using OIDC/Oauth flow for our microservices. We have multiple services (REST APIs) and SPA in angular.

As of now, we have created one public client for SPA and one client for each service (REST APIs).

Question is:
There are following options:
Option 1: We use a single client, i.e. the client created for the SPA is used by the services as well, since they just need to verify the token and nothing else.
Option 2: We use one client for the SPA and one client as bearer for all backend services (REST APIs).
Option 3: We use one client for the SPA and one client as bearer per backend service (REST APIs).

Which option is recommended and why?

-Thanks,
Navin

Garth

Feb 3, 2021, 5:40:29 AM
to keyclo...@googlegroups.com
Option #3. It's the recommended practice to use a Client for each service. This way, you can control access, scopes, mappings, etc. on a per Client/service basis. When used correctly, this also prevents the cross use of tokens by backend services (e.g. Service A calling Service B with the token from the SPA, even though it is not authorized to do so). Even if you're not doing it today, this separation will help you in the future as you use more of the Keycloak functionality available to you.
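The cross-use Garth describes (Service A presenting the SPA's token to Service B) is exactly what a per-service audience check catches. The following Python verifier is an added example, not code from this thread or from Keycloak: it accepts a token only when its `aud` claim names the service's own client id. It signs with HS256 and a constructed secret so it runs offline, whereas real Keycloak tokens are RS256-signed and verified against the realm's JWKS; it also assumes the realm is configured (e.g. with an audience mapper) to put each service's client id into `aud`, and the issuer URL is hypothetical.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret: real Keycloak tokens are RS256-signed and checked
# against the realm JWKS. Only the signing differs; the audience check is the same.
SECRET = b"demo-secret-not-for-production"
ISSUER = "https://keycloak.example.com/realms/demo"  # hypothetical realm URL

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict) -> str:
    """Build an HS256 JWT from claims (stand-in for a Keycloak-issued token)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_for_service(token: str, my_client_id: str, now=None) -> dict:
    """Accept the token only if it is valid *and* intended for this service.
    Returns the claims on success, raises ValueError otherwise."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("expired")
    # The per-service client is what makes this check possible: a token whose
    # 'aud' lacks our client id was issued for someone else (e.g. the SPA or
    # another service) and must not be accepted just because its signature is valid.
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if my_client_id not in aud:
        raise ValueError(f"token not issued for {my_client_id}; aud={aud}")
    return claims
```

With one client per service, a token that Service A obtained for itself fails this check at Service B, which is the separation Garth's Option 3 buys.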

rohit

Mar 28, 2021, 1:34:29 PM
to Keycloak User
What's the purpose of the clients for each backend? Aren't we just verifying the token issued for the frontend SPA? In that case, why have a client for the backend at all? Please help me understand.

Thanks,
Rohit
