Hi, new here👋

I have a question about securing API routes for non-browser clients. My requirements are:

1. User/browser authentication via a custom Keycloak provider (done).
2. API routes protected so front-end code can retrieve data as the user (done).
3. Other machines/services to access the same API routes, authenticated via next-auth (ideally via client_credentials on the same Keycloak provider, or even a basic Credentials provider will do).

Is it possible for next-auth to support the latter requirement?

I tried requesting a token from my Keycloak provider (as a machine/service) but next-auth will not accept it. I think it's because it creates and accepts its own JWTs with its own payload.

I added a Credentials provider and attempted to authenticate via Postman to http://localhost:3000/api/auth/callback/credentials but I couldn't get it working. It seems to be geared for browser flows.

It looks like support for requesting tokens in this way is missing, along with the possibility to retrieve the token from the authorization header. There is also a problem where all auth flows require a CSRF token. It could be that I haven't fully understood how to use next-auth to implement my use-case.
Any thoughts much appreciated 👍