
We have an application defined as a confidential client in Keycloak (it is a web application needing login authentication, but also authentication of its API consumers). How can our client authenticate the API consumer without sharing our client secret with him, and without him sharing his password with our client?

Here is a schema

Is the 'keycloak confidential client' configuration for MyApp1 a good choice? I can't assume that MyApp2 has to have MyApp1's secret to be able to connect as MyUser in MyApp1. Or that it has to send MyUser's password to MyApp1. Or that MyApp1 has to become a public keycloak client in order for MyApp2 to be able to connect MyUser without a secret.

Isn't there any other way, remaining confidential but with neither secret nor password sharing?

Thanks in advance for your help.

Magalo
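As an added illustration of the resource-server side of the setup the question describes (this is example code, not part of the post and not Keycloak's own code): MyApp1 does not need MyApp2's credentials or MyUser's password to accept an API call. It only needs the realm's public signing key, which Keycloak publishes on the realm's OpenID Connect certificates (JWKS) endpoint, and it checks the bearer token's RS256 signature, issuer, audience and expiry. MyApp2 obtains that token from Keycloak as its own client (on MyUser's behalf via the standard login flow), so no secret crosses between the two applications. The RSA key pair, the issuer URL `https://keycloak.example/realms/myrealm`, the client ids `myapp1`/`myapp2` and the `MintToken` helper are all constructed here so the example runs offline; in a real deployment only Keycloak holds the private key and mints tokens.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// JWS uses unpadded base64url for all three segments.
var b64 = base64.RawURLEncoding

// MintToken stands in for the Keycloak realm (constructed for this example):
// it signs the claims with the realm's RSA private key using RS256.
func MintToken(priv *rsa.PrivateKey, claims map[string]any) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyToken is the check MyApp1 performs as a resource server. It needs only
// the realm public key (fetched once from the realm's JWKS endpoint in practice);
// no client secret and no user password are involved.
func VerifyToken(token string, pub *rsa.PublicKey, issuer, audience string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	rawHeader, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	// Pin the algorithm: anything other than RS256 (e.g. "none") is rejected.
	var header struct{ Alg string }
	if err := json.Unmarshal(rawHeader, &header); err != nil || header.Alg != "RS256" {
		return nil, errors.New("unexpected or missing alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	rawPayload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(rawPayload, &claims); err != nil {
		return nil, err
	}
	if claims["iss"] != issuer {
		return nil, errors.New("wrong issuer")
	}
	// A token minted for some other API in the same realm must not be accepted.
	if !hasAudience(claims["aud"], audience) {
		return nil, errors.New("token not issued for this API")
	}
	exp, ok := claims["exp"].(float64) // JSON numbers decode as float64
	if !ok || now.Unix() >= int64(exp) {
		return nil, errors.New("token expired")
	}
	return claims, nil
}

// hasAudience accepts both shapes Keycloak uses for aud: a string or an array.
func hasAudience(aud any, want string) bool {
	switch v := aud.(type) {
	case string:
		return v == want
	case []any:
		for _, a := range v {
			if a == want {
				return true
			}
		}
	}
	return false
}

func main() {
	realmKey, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed stand-in for the realm key
	const issuer = "https://keycloak.example/realms/myrealm"
	tok, _ := MintToken(realmKey, map[string]any{
		"iss": issuer, "sub": "myuser-id", "azp": "myapp2", // azp: the client that requested it
		"aud": []string{"myapp1"}, "exp": time.Now().Add(5 * time.Minute).Unix(),
	})
	claims, err := VerifyToken(tok, &realmKey.PublicKey, issuer, "myapp1", time.Now())
	fmt.Println("user:", claims["sub"], "via client:", claims["azp"], "err:", err)
}
```

The `azp` claim tells MyApp1 which client (MyApp2) requested the token and `sub` which user it acts for, so MyApp1 can authorise per consumer and per user from the token alone; the `aud` check is what stops a token issued for a different API in the same realm from being replayed against MyApp1.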
