I need some help to understand my problem.
I'm studying a way to provide authentication for my applications.
My scenario: I have a set of APIs with restricted access and users that will be authenticated and authorized to consume these resources. I'm using Keycloak as Identity Management to authenticate/authorize users. My services will be exposed externally to public clients through an API Gateway.
Looking into the OAuth2 protocol, I realized that OAuth2 only provides specifications for access from third-party applications, but I found one grant type called "Resource Owner Password Credentials Grant" that seems to solve my problem.
My applications won't have any kind of access granting or communication with third-party IDPs. In this scenario I have two questions:
Would OAuth + "Resource Owner Password Credentials Grant" be the best option to authenticate my clients?
All my applications will be accessed through the API GW. Does the Keycloak endpoint used to authenticate my clients need to be exposed through the API GW, or could it be a public endpoint?
Thanks.