Keycloak allows you to obtain an access token dedicated to some Client Application (not to any user).
See <ulinkurl="http://tools.ietf.org/html/rfc6749#section-4.4">Client Credentials Grant</ulink>
from OAuth 2.0 spec.
</para>
<para>
To use it you must have
registered a valid confidential Client and you need to check the switch <literal>Service Accounts Enabled</literal> in Keycloak
admin console for this client. In tab <literal>Service Account Roles</literal> you can configure the roles available to the service account retrieved on behalf of this client.
Don't forget that you need those roles to be available in Scopes of this client as well (unless you have <literal>Full Scope Allowed</literal> on).
As in normal login, roles from access token are intersection of scopes and the service account roles.
</para>
<para>
The REST URL to invoke on is <literal>/{keycloak-root}/realms/{realm-name}/protocol/openid-connect/token</literal>.
Invoking on this URL is a POST request and requires you to post the client credentials. By default, client credentials are
represented by clientId and clientSecret of the client in <literal>Authorization: Basic</literal> header, but you can also
authenticate client with signed JWT assertion or any other custom mechanism for client authentication. See
<linklinkend="client_authentication">Client Authentication</link> section for more details. You also need to use parameter <literal>grant_type=client_credentials</literal> as per OAuth2 specification.
The response would be this <ulinkurl="http://tools.ietf.org/html/rfc6749#section-4.4.3">standard JSON document</ulink> from the OAuth 2.0 specification.