ServiceA with authorization enabled and configured to contain resourceA.
ServiceB with service account enabled.
When ServiceB uses client_credentials login, it will receive a token with issuedFor (azp) set to "ServiceB".
Now querying a protected endpoint from ServiceA with that token will result in the error "Resource with id [resourceA] does not exist".
It seems that it might be caused by https://github.com/keycloak/keycloak/blob/ebcfeb20a3f5606cf6756c522d27c1711f3bb7bd/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java#L415
which only checks for resources for the requesting entity. And a few lines later
which blocks another resource server, serviceB in this case, from finding the resource.
I did find a possible hacky workaround, which is to just log into the service account via grant_type "password" through a public client. In this case the issuedFor will not match the service token's linked client, and it will pass the !isResourceServer check here
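
To check which of the two cases a given token falls into, its azp claim can be read directly. The following is an added example, not part of the original report and not Keycloak code; the client name `public-client` and both sample tokens are constructed, and signatures are not verified, so it is for diagnostics only.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    return json.loads(b64url_decode(parts[1]))


def describe(token: str, resource_servers: set) -> dict:
    """Report azp/aud and whether azp is itself a client with authorization enabled."""
    c = claims(token)
    aud = c.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)  # aud may be string or list
    azp = c.get("azp")
    return {"azp": azp, "aud": aud, "azp_is_resource_server": azp in resource_servers}


def make_sample(payload: dict) -> str:
    # Constructed, unsigned sample token so the example runs offline.
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(payload)}."


# Clients with authorization enabled in the scenario from the report.
RESOURCE_SERVERS = {"ServiceA", "ServiceB"}

# Constructed: token ServiceB gets from its own client_credentials login.
CC_TOKEN = make_sample({"azp": "ServiceB", "aud": ["ServiceA", "account"]})
# Constructed: password grant through a public client (hypothetical name).
PW_TOKEN = make_sample({"azp": "public-client", "aud": "ServiceA"})

if __name__ == "__main__":
    for name, tok in (("client_credentials", CC_TOKEN), ("password", PW_TOKEN)):
        print(name, describe(tok, RESOURCE_SERVERS))
```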