The user acts as a server (server to server). Is there a way to verify without using an access token?
Any artifact contained in the request to Keycloak can potentially be used to authenticate the user in a custom authenticator (e.g. cookie, JWT, header values, form values, etc.). Be careful!
Can it distinguish the user like a group? I want to find a solution that doesn’t need to use an access token, because it is short-term and must take a complex refresh action to ensure security. An API key is a reasonable solution, but unfortunately it is not supported for the user in Keycloak.
Have you seen Service Accounts? You still need a token obtained through a client credentials flow, but you won’t need to set up a fake user for the server needing the token.
Hi Carl, I want to see each service server as a user, because my customers can register and have a group of rights and groups. I am trying to set up an access token indefinitely, but the access token I received when calling the token endpoint was 10 hours (36000) :<
I chose your solution, but I want to know how to set the access token by client with no limit.
You should never have permanent access tokens. They can’t be revoked. Keep the setting low – say 5 minutes – and work around that.