Service Accounts #110

Open
omid opened this issue Apr 24, 2024 · 0 comments
Contributor

omid commented Apr 24, 2024

To continue the discussion here and here...

AFAIK, the main `grant_type`s for this case are `password` and `client_credentials`.

For `password`, based on this article, we mostly need `username` and `password`. We can send `client_id`, but in this case we need to send `client_secret` (either in a query param or the HTTP Basic Auth header). In Keycloak, if the client is confidential, then we need all 4 params.

For `client_credentials`, based on this, we need to send `client_id` and `client_secret` (either in a query param or the HTTP Basic Auth header).

The current implementation is like this:

```rust
let response = client
    .post(&format!(
        "{url}/realms/{realm}/protocol/openid-connect/token",
    ))
    .form(&json!({
        "username": username,
        "password": password,
        "client_id": client_id,
        "grant_type": grant_type
    }))
    .send()
    .await?;
```

So we lack `client_secret` here. And the whole logic to choose between `grant_type`s is missing. Or we need to remove `client_id` from here, since we have another struct (`KeycloakServiceAccountAdminTokenRetriever`) for this, or any other solution.

And also it can be better to have an enum for `grant_type`s, instead of just a string.
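
One way to model the grant types as an enum, as suggested in the issue above. This is an added example, not code from the issue or from the keycloak crate: `GrantType`, `form_params` and the sample values are assumptions. It sends `client_secret` for `client_credentials` and for confidential clients using `password`, and keeps secrets out of `Debug` output.

```rust
// Added example: `GrantType`/`form_params` are hypothetical, not the keycloak crate's API.
use std::fmt;

pub enum GrantType {
    /// `client_secret` is set only when the Keycloak client is confidential.
    Password { username: String, password: String, client_id: String, client_secret: Option<String> },
    /// Service-account grant: the client authenticates as itself.
    ClientCredentials { client_id: String, client_secret: String },
}
impl GrantType {
    /// Form fields for the token endpoint, e.g. for reqwest's `.form(&params)`.
    pub fn form_params(&self) -> Vec<(&'static str, &str)> {
        match self {
            GrantType::Password { username, password, client_id, client_secret } => {
                let mut params = vec![
                    ("grant_type", "password"),
                    ("username", username.as_str()),
                    ("password", password.as_str()),
                    ("client_id", client_id.as_str()),
                ];
                if let Some(secret) = client_secret {
                    params.push(("client_secret", secret.as_str()));
                }
                params
            }
            GrantType::ClientCredentials { client_id, client_secret } => vec![
                ("grant_type", "client_credentials"),
                ("client_id", client_id.as_str()),
                ("client_secret", client_secret.as_str()),
            ],
        }
    }
}

/// Redacting `Debug`, so `{:?}` in logs never prints a password or secret.
impl fmt::Debug for GrantType {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        let mut map = f.debug_map();
        for (key, value) in self.form_params() {
            let hide = matches!(key, "password" | "client_secret");
            map.entry(&key, if hide { &"<redacted>" } else { &value });
        }
        map.finish()
    }
}
fn main() {
    // Constructed sample values.
    let grant = GrantType::ClientCredentials { client_id: "svc-admin".into(), client_secret: "s3cr3t".into() };
    println!("{grant:?}");
}
```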
