Current Situation
We are performing a data migration into the BAP system. For this migration process, we are using:
- The public API of BAP for data transfer
- Keycloak as Identity Provider (IdP)
- A migration client that authenticates via Keycloak
The current implementation authenticates against the API during data migration using the Resource Owner Password Flow (ROPF) by default, i.e. the migration client sends a user's username and password to the Keycloak token endpoint.
Problem Statement
The customer has explicitly specified that the Resource Owner Password Flow is not permitted for production applications. This is particularly critical because:
- The data migration must be performed in the production environment
- ROPF is considered deprecated and poses security risks
- For automated system-to-system communication (such as data migration), ROPF is conceptually inappropriate
Objective
We want to switch the authentication for data migration to the Client Credentials Grant flow. This flow is designed for machine-to-machine communication: the migration client authenticates with its own client secret only, no user credentials are involved, and the token is issued to the client's service account. It is therefore the appropriate choice for an automated migration process.
Use Case
- Process: Automated data migration via the BAP REST API
- No user interaction: The migration process runs fully automated without human interaction
- Service Account: The migration is performed under a technical account (Service Account)
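To make the difference between the two flows concrete (for both the Objective and the Use Case above), here is an added example of what the migration client's token handling looks like with the Client Credentials Grant. This is illustrative code, not part of BAP or the migration client; the Keycloak host, realm name and client id are assumed placeholders, while the token endpoint path and the OAuth 2.0 form parameters are standard. It also includes a guard that refuses to start with a password grant, and a check on a Keycloak client representation (service accounts on, direct access grants off) of the kind one would verify before going to production.

```python
"""Machine-to-machine token acquisition against Keycloak (added example)."""
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

KEYCLOAK_BASE = "https://keycloak.example.internal"  # assumed host
REALM = "bap"                                          # assumed realm name
TOKEN_URL = f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/token"


def ropf_params(client_id, client_secret, username, password):
    """Resource Owner Password flow (being retired): a user's password is sent."""
    return {"grant_type": "password", "client_id": client_id,
            "client_secret": client_secret, "username": username, "password": password}


def client_credentials_params(client_id, client_secret):
    """Client Credentials grant: only the confidential client's own secret."""
    return {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret}


def is_machine_flow(params):
    """True only for a client_credentials request carrying no user credentials."""
    return (params.get("grant_type") == "client_credentials"
            and not ({"username", "password"} & params.keys()))


def assert_machine_flow(params):
    """Startup guard for the migration tool; returns params unchanged if acceptable."""
    if not is_machine_flow(params):
        raise ValueError(f"grant_type {params.get('grant_type')!r} is not permitted here")
    return params


def client_config_ok(rep):
    """Check a Keycloak client representation (as exported from the admin console)
    for the settings a service-account-only migration client should have."""
    return (rep.get("serviceAccountsEnabled") is True
            and rep.get("directAccessGrantsEnabled") is False   # no ROPF
            and rep.get("publicClient") is False)               # confidential client


def parse_token_response(payload, now):
    """Turn a token endpoint JSON body into (access_token, expires_at)."""
    if "access_token" not in payload:
        raise RuntimeError(payload.get("error_description", payload.get("error", "no token")))
    return payload["access_token"], now + int(payload.get("expires_in", 0))


class TokenSource:
    """Caches the access token and refetches it shortly before expiry.
    `fetch` takes the url-encoded form body and returns the parsed JSON reply,
    so the transport can be swapped for a stub when testing offline."""

    def __init__(self, params, fetch, clock=time.time, skew=30):
        self.params = assert_machine_flow(params)
        self.fetch, self.clock, self.skew = fetch, clock, skew
        self.token, self.expires_at, self.requests = None, 0, 0

    def bearer(self):
        if self.token is None or self.clock() >= self.expires_at - self.skew:
            self.requests += 1
            self.token, self.expires_at = parse_token_response(
                self.fetch(urlencode(self.params)), self.clock())
        return f"Bearer {self.token}"


def http_fetch(body):
    """Real transport: POST the form to the Keycloak token endpoint."""
    req = Request(TOKEN_URL, data=body.encode(), method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req) as resp:
        return json.load(resp)


# Constructed sample reply, shaped like Keycloak's token endpoint output.
SAMPLE_RESPONSE = {"access_token": "eyJ.constructed.token", "expires_in": 300,
                   "token_type": "Bearer"}


def demo():
    """Offline run with a stubbed transport and a fake clock; returns the three
    Authorization header values and how many token requests were made."""
    clock = [1000]
    src = TokenSource(client_credentials_params("bap-migration", "secret-from-vault"),
                      fetch=lambda body: dict(SAMPLE_RESPONSE), clock=lambda: clock[0])
    first = src.bearer()
    clock[0] += 200            # 100 s left: cached token reused
    second = src.bearer()
    clock[0] += 100            # inside the 30 s skew window: refetched
    third = src.bearer()
    return first, second, third, src.requests


if __name__ == "__main__":
    print(demo())
```

In production the `fetch` argument would be `http_fetch` and the client secret would come from a secret store rather than a config file; the guard in `assert_machine_flow` makes a misconfigured password grant fail at startup instead of silently sending user credentials from the production migration host.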
Questions
- Is it possible to switch to Client Credentials Grant for our data migration use case?
- API Access and Permissions:
  - Does the BAP API support Client Credentials Grant?
  - Are there any restrictions when accessing the public API with Client Credentials?