My setup is very straightforward:
- I have a single page app and I want to use the JavaScript adapter on the client and the Spring Security Adapter on the server side.
- I defined a public “app_gui” client for the client and a confidential “app_server” client for the server.
- My test user now gets assigned the client role “USER” of the “app_server” client.
- In keycloak.json (for the server part) I set “verify-token-audience”: true
This works fine: the user logs in using the standard workflow, and the token contains the “app_server” audience.
For server-to-server communication (interfaces) I use service accounts, working as well without issues.
Now my problem/question:
- I have interface partners that can only call my app using basic auth
- I enabled Direct Access Grants and added “enable-basic-auth”: true to keycloak.json
The issue that I now have is that audience only contains “account” and not “app_server”. Of course I can add a mapper to hardcode that audience, but is this the right intended way to solve this issue?
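The audience check that “verify-token-audience” turns on, modelled as an added example (not code from the post or from Keycloak): constructed sample claims for the browser login and for the basic-auth Direct Access Grant, a minimal JWT payload decoder, and the effect of an Audience mapper that adds “app_server”. Client ids, roles and claim values are assumptions based on the post.

```python
import base64
import json

# Constructed sample access-token claims (not real tokens), modelled on the two
# flows in the post: a browser login through the public "app_gui" client, and a
# Direct Access Grant call authenticated with basic auth. Values are assumptions.
BROWSER_LOGIN_CLAIMS = {
    "azp": "app_gui",
    "aud": ["app_server", "account"],
    "resource_access": {"app_server": {"roles": ["USER"]}},
}
BASIC_AUTH_CLAIMS = {
    "azp": "app_gui",
    "aud": "account",  # a single audience may be emitted as a bare string, not a list
    "resource_access": {"app_server": {"roles": ["USER"]}},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_jwt(claims: dict) -> str:
    """Build an unsigned compact JWT (alg "none") so the decoder can be exercised offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def claims_from_jwt(token: str) -> dict:
    """Decode the payload segment only. Signature verification is the adapter's job;
    this helper exists to show which claims the audience check looks at."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audiences(claims: dict) -> set:
    """Normalise 'aud', which per RFC 7519 may be a string or an array of strings."""
    aud = claims.get("aud", [])
    return {aud} if isinstance(aud, str) else set(aud)

def audience_check_passes(claims: dict, resource: str) -> bool:
    """The rule verify-token-audience enforces: the adapter's own client id
    (the 'resource' in keycloak.json) must be listed in the token's 'aud'."""
    return resource in audiences(claims)

def with_audience_mapper(claims: dict, client_id: str) -> dict:
    """Effect of an Audience protocol mapper that adds client_id to the token's 'aud'."""
    patched = dict(claims)
    patched["aud"] = sorted(audiences(claims) | {client_id})
    return patched
```

With these samples the browser-login token passes the check for “app_server”, the basic-auth token fails it because its only audience is “account”, and the mapper makes the basic-auth token pass.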