
My JS React SPA web application (which is running in the browser) needs to securely access two different rest-api backends which are written in two different programming languages, deployed to two different physical servers and which parse/interpret JWT claims differently.

I want my user to enter username/password only once!

We use OpenID/PKCE - the usual stuff.


Access tokens 1 and 2 should be different in the following way:

  1. 'Rest Api 1' is ok to have 'keycloak user_id' in the 'sub' claim of 'JWT access token 1' while 'Rest Api 2' expects to have 'keycloak user_name' in the 'sub' claim of 'JWT access token 2'.
  2. 'Rest Api 1' is ok with any expiration time in the 'exp' claim of 'JWT access token 1' while 'Rest Api 2' expects to have maximum 10 minutes from the current time in the 'exp' claim of 'JWT access token 2'.
  3. 'aud' and 'scp' claims should have different values, etc.

I cannot change 'Rest Api 1' and 'Rest Api 2' so they could accept JWTs of the same format.

I assume that I need to create two different Clients for 'Rest Api 1' and 'Rest Api 2' under the same Realm in Keycloak, am I right? But then how do I sign in to both clients at once and get two different access tokens from them?

Another suitable solution, I suspect, is using 'token exchange': https://www.keycloak.org/docs/latest/securing_apps/#_token-exchange

Can somebody advise something?

keycloak-js is used: https://www.keycloak.org/docs/latest/securing_apps/index.html#_javascript_adapter

Anton Fil
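As an added illustration of the 'token exchange' route mentioned above (this is example code, not from the question, keycloak-js or Keycloak itself): it builds the token-exchange request the SPA would POST to the realm's token endpoint to turn access token 1 into a token issued for 'Rest Api 2', and then checks that the returned token carries the claims API 2 expects (user name in `sub`, `exp` at most 10 minutes ahead, its own `aud`). The realm name, client ids and base URL are placeholders.

```javascript
// Added example, not code from the question, keycloak-js or Keycloak. (1) builds the
// token-exchange request the SPA would POST to the realm's token endpoint to turn
// 'JWT access token 1' into a token issued for 'Rest Api 2'; (2) checks that the returned
// token carries the claims the question says API 2 expects. Realm/client ids are placeholders.
const TOKEN_EXCHANGE_GRANT = 'urn:ietf:params:oauth:grant-type:token-exchange';
const ACCESS_TOKEN_TYPE = 'urn:ietf:params:oauth:token-type:access_token';
const API2_MAX_LIFETIME_SEC = 10 * 60;

function tokenExchangeRequest(keycloakBase, realm, spaClientId, accessToken1, targetClientId) {
  const body = new URLSearchParams({
    grant_type: TOKEN_EXCHANGE_GRANT,
    client_id: spaClientId,            // the SPA's own client, which performs the exchange
    subject_token: accessToken1,       // token already obtained via OIDC/PKCE
    subject_token_type: ACCESS_TOKEN_TYPE,
    requested_token_type: ACCESS_TOKEN_TYPE,
    audience: targetClientId,          // client the new token should be issued for
  }).toString();
  return {
    url: `${keycloakBase}/realms/${realm}/protocol/openid-connect/token`,
    method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, body,
  };
}

// base64url helpers that work in the browser (atob/btoa) and in Node (Buffer).
function toBase64Url(str) {
  const b64 = typeof btoa === 'function' ? btoa(str) : Buffer.from(str, 'utf8').toString('base64');
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function fromBase64Url(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  return typeof atob === 'function' ? atob(b64) : Buffer.from(b64, 'base64').toString('utf8');
}
function decodeClaims(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(fromBase64Url(parts[1]));
}

// Returns the API 2 rules the token violates (empty list = usable). Signature
// verification is API 2's job with a JWT library; only claim shape is checked here.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i; // Keycloak user_id shape
function checkApi2Claims(jwt, expectedAud, nowSec = Math.floor(Date.now() / 1000)) {
  const c = decodeClaims(jwt);
  const problems = [];
  if (typeof c.sub !== 'string' || UUID_RE.test(c.sub)) problems.push('sub is a user_id, not a user_name');
  if (typeof c.exp !== 'number' || c.exp <= nowSec) problems.push('exp missing or in the past');
  else if (c.exp - nowSec > API2_MAX_LIFETIME_SEC) problems.push('exp more than 10 minutes ahead');
  if (![].concat(c.aud ?? []).includes(expectedAud)) problems.push(`aud lacks ${expectedAud}`);
  return problems;
}
```

Whether a public SPA client is allowed to perform the exchange depends on the realm's token-exchange permissions, so the request must be enabled on the Keycloak side first.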

1 Answer


At the time of writing this answer keycloak-js doesn't support 'token exchange' or 'signing into multiple clients at once'.

But AxaGuilDEv/react-oidc (https://github.com/AxaGuilDEv/react-oidc) does support 'signing into multiple clients at once'. They have a demo app which shows a 'Multi auth' implementation. When you are logged in to one client, you can silently and additionally log in to another one within the same realm. You enter username/password only once.

Anton Fil