I am making a simple frontend (movie-view) and backend (movie-api) application using Keycloak.
In Keycloak:
I have a client for both applications.
Movie-view-client → public
movie-backend-client → bearer-only or confidential
And I have 3 users and 3 roles:
User1 has Role1
User2 has Role2
User3 has Role3
I added and configured Keycloak adapters for both my applications. I also added some authorizations for my APIs in my backend:

```java
.antMatchers("/role1endpoint").hasRole("role1")
.antMatchers("/role2endpoint").hasRole("role2")
.antMatchers("/role3endpoint").hasRole("role3")
...
```
The frontend receives an Access Token and an ID Token via Keycloak login, and sends requests to the backend (movie-api) APIs by adding the Access Token to the header (Authorization: Bearer ey...).
There is no problem with the applications, the authorization works correctly. But I am confused about **ResourceServer - AccessToken** definitions in OAuth2/OIDC Protocols.
According to the definitions, the Access Token is the token that the client application (movie-view or movie-backend) sends to the Resource Server in a header to access some information.
But in this case, I am using the Access Token to authorize my client application (movie-backend).
In this case, is the resource server my movie-backend application (meaning the client and the resource server are the same)?
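To make the resource-server side of this setup concrete, here is an added example (not code from the question, from Keycloak or from its adapter) of what movie-backend does with the bearer token: validate it, then enforce the same path-to-role rules the antMatchers lines express. It assumes a constructed HS256 secret and issuer URL; real Keycloak tokens carry an RS256 signature that the adapter checks against the realm's public key.

```python
# Added illustration, not code from the question: the check a resource server (movie-backend)
# runs on a bearer token. Real Keycloak tokens are RS256-signed; this uses a constructed HS256 secret.
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret"                # placeholder, never a real key
ISSUER = "https://keycloak.example/realms/movies"  # constructed realm URL
# Same mapping the antMatchers rules express: path -> realm role allowed to call it.
ROUTE_ROLES = {"/role1endpoint": "role1", "/role2endpoint": "role2", "/role3endpoint": "role3"}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(username: str, roles: list, ttl: int = 300) -> str:
    """Stand-in for the authorization server (Keycloak): mint a Keycloak-shaped token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": ISSUER, "preferred_username": username,
              "realm_access": {"roles": roles}, "exp": int(time.time()) + ttl}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str):
    """Resource-server side: return the claims if signature, issuer and expiry check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None                                  # forged or tampered token
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != ISSUER or claims.get("exp", 0) < time.time():
        return None                                  # wrong issuer or expired
    return claims

def authorize(auth_header, path: str) -> int:
    """HTTP status movie-backend would answer: 401 missing/invalid token, 403 wrong role."""
    claims = verify_token(auth_header.split(" ", 1)[1]) if auth_header and auth_header.startswith("Bearer ") else None
    if claims is None:
        return 401
    if path in ROUTE_ROLES and ROUTE_ROLES[path] not in claims.get("realm_access", {}).get("roles", []):
        return 403
    return 200
```

The part that answers the question is that movie-backend never sends this token anywhere; it only verifies and enforces it, which is exactly the resource-server role.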