
May I use OAuth2 for non third-party applications?

Çağlar Arlı


I need some help to understand my problem.

I'm studying a way to provide authentication for my applications.

My scenario:

I have a set of APIs with restricted access and users that will be authenticated and authorized to consume these resources. I'm using Keycloak as Identity Management to authenticate/authorize users.

My services will be exposed using an API gateway from public clients and externally.

While reviewing the OAuth2 protocol, I realized that it only specifies access from third-party applications, but I found one grant type called "Resource Owner Password Credentials Grant" which seems to solve my problem.

My applications won't grant access to, or communicate with, any third-party IDPs. In this scenario I have two questions:

1. Would OAuth2 with the "Resource Owner Password Credentials Grant" be the best option to authenticate my clients?

2. All my applications will be accessed through the API gateway. Does the Keycloak endpoint used to authenticate my clients need to be exposed through the API gateway, or could it be a public endpoint?