Securing API without interactive Login

I would like to secure my API via either client id and client secret or an opaque token that is returned by the API via e.g. an /auth endpoint that again exchanges a client id and client secret for a token. Depending on the client, certain limits on the API apply, like rate limits, etc.

As I can read everywhere, the mapping for the API itself inside Keycloak is a “client”. And in general, the “user” would be accessing/consuming my API. I can put a user in a certain group which itself has a role mapping to the corresponding roles, etc.

However, I cannot wrap my head around how Keycloak can generate a client id and client secret for a normal user; it seems all of the token exchange is interactive. However, my API is typically consumed by machine users, so to speak, that cannot log in interactively, so the credentials would need to be static, very much like how one accesses Google APIs or Amazon AWS services.

So what is the corresponding functionality/mapping for this machine user to get a similar approach as for a normal user?

Ok, ok, I spent more time reading the documentation and the OpenID Connect spec. So the service account user for a client is the appropriate method to accomplish this. These service account users are nevertheless not first-class citizens in the UI; assigning e.g. groups is not so easy, but I found out how to do it.
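The flow the thread lands on, as an added example that is not code from the thread or from Keycloak: a machine client with a service account obtains a token through the client credentials grant, and the API maps the realm roles granted to that service-account user to a rate-limit tier. The realm URL, client name, role names and limit values are assumptions, and the introspection responses are constructed samples.

```python
"""Added example: Keycloak client-credentials flow for a machine client and a
role -> rate-limit mapping on the API side. Realm, client, roles and limits
are invented for the example."""
import base64
from typing import Optional
from urllib.parse import urlencode
from urllib.request import Request

KEYCLOAK = "https://keycloak.example.com/realms/api-realm"  # assumed realm URL
TOKEN_URL = f"{KEYCLOAK}/protocol/openid-connect/token"
INTROSPECT_URL = f"{TOKEN_URL}/introspect"


def client_credentials_request(client_id: str, client_secret: str) -> Request:
    """Build the token request a machine client sends (not yet sent).
    The client needs 'Client authentication' and 'Service accounts roles'
    enabled in Keycloak; the secret travels in an HTTP Basic header
    (RFC 6749 s.2.3.1) rather than in the form body."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urlencode({"grant_type": "client_credentials"}).encode()
    return Request(TOKEN_URL, data=body, method="POST",
                   headers={"Authorization": f"Basic {creds}",
                            "Content-Type": "application/x-www-form-urlencoded"})


# Requests per minute per realm role. Roles are granted to the client's
# service-account user (directly or via a group) in the admin console. Invented.
TIER_LIMITS = {"api-premium": 1000, "api-standard": 100}


def rate_limit_for(introspection: dict) -> Optional[int]:
    """Pick the caller's limit from a token-introspection response.
    Returns None (reject the call) when the token is inactive or carries
    no role that maps to a tier; the highest matching tier wins."""
    if not introspection.get("active"):
        return None
    roles = set(introspection.get("realm_access", {}).get("roles", []))
    limits = [TIER_LIMITS[r] for r in roles if r in TIER_LIMITS]
    return max(limits) if limits else None


# Constructed samples of what the introspection endpoint returns for a
# service-account token (active) and for a revoked or expired one.
SAMPLE_ACTIVE = {"active": True, "client_id": "billing-batch",
                 "username": "service-account-billing-batch",
                 "realm_access": {"roles": ["api-standard", "offline_access"]}}
SAMPLE_REVOKED = {"active": False}
```

On the API side, either send the bearer token to INTROSPECT_URL using the API's own client credentials, or verify the JWT signature against the realm's JWKS before trusting any of its claims; never read roles out of an unverified token.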