I'm filling in for another developer at the moment, so I don't know the full details nor the implementation, but I'll try to explain it to the best of my knowledge.
We have a Keycloak setup for authentication, user management and access control. Keycloak has 2 realms: 1 for the app and 1 for the server.
The process goes something like this:
- User logs in to the app
- App authenticates against the app realm and gets an access token
- REST request is done against the server using the access token from the app realm
- Server side has a policy enforcer filter and a policy enforcer configuration
- My theory is that the filter chain now makes a request against the server realm using the app access token
- Server realm responds with a server access token that has more info about the user
- REST request is completed and done
- Response is sent back to app with the server access token attached
- App now can get the additional info from the server access token
Now some things have changed and this additional info is needed to do some REST requests. How can we do the request towards the server realm from the app side to get the server token without having to go through the server?