Hello.
I am building a set of applications consisting of
- An administration webapp
- A backend, served from the same host as the webapp (it’s a NextJS application)
- A mobile app which talks to the same backend as the admin app
- Keycloak with a single realm
These applications will run on an isolated network without internet connectivity.
What I would like to accomplish is being able to authenticate the mobile app against Keycloak and to reuse that access token to interact with the webapp backend. To this end, I have created two clients:
- mobile
- web
The web client is a confidential client, and users who log into the webapp use this client. The mobile app is a public client. Additionally, I have created a hardcoded audience as per Server Administration Guide, so that the public client token now includes an audience for the webapp client. However, in the documentation linked above, I stumbled upon the following:
If you need the client itself as an audience, see the hardcoded audience option. However, using the same client as both frontend and REST service is not recommended
So this makes me wonder: Should I have 3 clients? One for the “frontend”, one for the “backend” and one for the mobile app, even though the first two are essentially a single entity?
I’m also unsure how to authenticate a user from the mobile client hitting the webapp. Should I just use Keycloak’s public key to verify the signature, and then verify the audience/roles as I see fit?
Thanks a lot for reading - I’d really appreciate any and all advice on how to best structure this kind of setup.