Story
Resolution: Unresolved
Major
Hello,
One of our customers is trying to implement authentication with Keycloak for all his applications. Keycloak engineers tell him we shouldn't use username/password authentication for authentication by applications, because the resource owner password credentials grant is deprecated in OAuth2. Support for OAuth 2.0 tokens would complement the strategy on 'inter-application' and centralized authentication/authorization as well as other Red Hat products. I think there are a lot of customers who could use this feature.
The problem is that these tokens expire after 5 minutes (maybe this is configurable, but they should expire after some time). This is problematic for existing connections to the broker because it seems impossible to update the token in an existing connection, but the broker handles authorization based on that token when creating producers and consumers for that connection.
Regards,
Max
is related to:
- ENTMQBR-8573 Support OpenShift Oauth for AMQ Broker console authentication and authorization using OpenShift users and groups (Backlog)
- ENTMQBR-1828 Support for generic OAuth based authentication-authorization in AMQ (non keycloak) (To Do)
- ENTMQBR-7078 OAuth2 support on AMQ (Dev Complete)