My JS React SPA web application (which runs in the browser) needs to securely access two different REST API backends, which are written in two different programming languages, deployed to two different physical servers, and parse/interpret JWT claims differently.
I want my user to log in only once!
We use OpenID/PKCE, the usual stuff.
Access tokens 1 and 2 should differ in the following ways:
- 'Rest Api 1' is fine with having the 'keycloak user_id' in the 'sub' claim of 'JWT access token 1', while 'Rest Api 2' expects the 'keycloak user_name' in the 'sub' claim of 'JWT access token 2'.
- 'Rest Api 1' is fine with any expiration time in the 'exp' claim of 'JWT access token 1', while 'Rest Api 2' expects at most 10 minutes from the current time in the 'exp' claim of 'JWT access token 2'.
- The 'aud' and 'scp' claims should have different values, etc.
I cannot change 'Rest Api 1' and 'Rest Api 2' so that they accept JWTs of the same format.
I assume that I need to create two different Clients for 'Rest Api 1' and 'Rest Api 2' under the same Realm in Keycloak, am I right? But then how do I sign in to both clients at once and get two different access tokens from them?
keycloak-js is used.
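An added example, not part of the original question: a small JavaScript checker, runnable in the browser or Node, that decodes two access tokens and verifies each one has the claim shape the matching backend expects as listed above (a Keycloak user id vs. a user name in `sub`, `exp` at most 10 minutes out for 'Rest Api 2', distinct `aud` and `scp`). The sample tokens are constructed and unsigned; the audience values `rest-api-1`/`rest-api-2`, the scope values, and the handling of `scp` as either an array or a space-separated string are assumptions. It inspects claims only; verifying the signature remains each backend's job.

```javascript
// Added example: check that two Keycloak access tokens match the claim shape
// each REST API expects. Sample tokens below are constructed and unsigned;
// audience/scope values and the `scp` encoding are assumptions.

function base64UrlDecode(segment) {
  // JWT segments are base64url without padding; normalise to standard base64.
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  while (b64.length % 4) b64 += "=";
  return typeof Buffer !== "undefined" ? Buffer.from(b64, "base64").toString("utf8") : atob(b64);
}

function base64UrlEncode(str) {
  const b64 = typeof Buffer !== "undefined" ? Buffer.from(str, "utf8").toString("base64") : btoa(str);
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS (expected 3 segments)");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Keycloak user ids are UUIDs by default; user names are not.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// `aud` may be a string or an array (RFC 7519 §4.1.3); `scp` is commonly
// either an array or a space-separated string depending on the issuer mapper.
function asArray(v) {
  if (v === undefined || v === null) return [];
  return Array.isArray(v) ? v : String(v).split(" ");
}

// What each backend expects, taken from the question. Audience and scope
// values are assumed placeholders.
const API_POLICIES = {
  "Rest Api 1": { sub: "user_id", maxExpSeconds: null, aud: "rest-api-1", scp: ["api1:read"] },
  "Rest Api 2": { sub: "user_name", maxExpSeconds: 10 * 60, aud: "rest-api-2", scp: ["api2:write"] },
};

// Returns a list of problems; an empty list means the token fits the policy.
function checkToken(token, policy, nowSeconds = Math.floor(Date.now() / 1000)) {
  const claims = decodeJwtPayload(token);
  const problems = [];

  const subIsUuid = typeof claims.sub === "string" && UUID_RE.test(claims.sub);
  if (policy.sub === "user_id" && !subIsUuid) problems.push(`sub "${claims.sub}" is not a Keycloak user id`);
  if (policy.sub === "user_name" && (!claims.sub || subIsUuid)) problems.push(`sub "${claims.sub}" is not a user name`);

  if (typeof claims.exp !== "number") problems.push("exp missing");
  else if (claims.exp <= nowSeconds) problems.push("token already expired");
  else if (policy.maxExpSeconds !== null && claims.exp - nowSeconds > policy.maxExpSeconds)
    problems.push(`exp is ${claims.exp - nowSeconds}s ahead, limit is ${policy.maxExpSeconds}s`);

  if (!asArray(claims.aud).includes(policy.aud)) problems.push(`aud does not contain "${policy.aud}"`);

  const scopes = asArray(claims.scp);
  for (const s of policy.scp) if (!scopes.includes(s)) problems.push(`scope "${s}" missing`);

  return problems;
}

// Constructed sample tokens: header and payload are real, the signature
// segment is a placeholder. The backends still verify the real signature.
function sampleToken(claims) {
  const header = base64UrlEncode(JSON.stringify({ alg: "RS256", typ: "JWT", kid: "sample" }));
  return `${header}.${base64UrlEncode(JSON.stringify(claims))}.placeholder-signature`;
}

const NOW = 1700000000; // fixed clock so the example is deterministic
const token1 = sampleToken({ sub: "6f1c2d3e-4a5b-4c6d-8e9f-0a1b2c3d4e5f", exp: NOW + 3600, aud: "rest-api-1", scp: ["api1:read"] });
const token2 = sampleToken({ sub: "jdoe", exp: NOW + 300, aud: ["rest-api-2", "account"], scp: "api2:write" });

function checkAll(nowSeconds = NOW) {
  return {
    api1WithToken1: checkToken(token1, API_POLICIES["Rest Api 1"], nowSeconds),
    api2WithToken2: checkToken(token2, API_POLICIES["Rest Api 2"], nowSeconds),
    // Sending token 1 to Rest Api 2 shows why one token cannot serve both.
    api2WithToken1: checkToken(token1, API_POLICIES["Rest Api 2"], nowSeconds),
  };
}

console.log(JSON.stringify(checkAll(), null, 2));
```

Run it as-is to see the first two checks come back empty and the cross-use check list four violations (sub, exp, aud and scp), which is the concrete reason the two backends need two differently shaped tokens rather than one shared one.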
