Apigee - Keycloak Client ID to Autogenerate

Hi,

Scenario: Keycloak is used as an external OAuth server and Apigee SaaS as the resource server, using a JWT token from Keycloak.

If the design is to use the Keycloak Client ID to generate Apigee Analytics, and the Keycloak Client ID is not unique, what could be the best solution? Note: the design does not allow an additional header to pass the Apigee SaaS app (API key), hence using the Keycloak Client ID will be the option as per the Apigee docs.

We have a situation where the Client ID in Keycloak is not unique, and when I open Keycloak the field for Client ID is an open text field (anyone can put any information in the open text, hence the Client ID is not autogenerated). Keycloak does not generate the Client ID as a 32-character hex string, but the Client Secret is autogenerated. Has anyone faced the same issue?

As per https://www.oauth.com/oauth2-servers/client-registration/client-id-secret/

The client_id is a public identifier for apps. Even though it’s public, it’s best that it isn’t guessable by third parties, so many implementations use something like a 32-character hex string. It must also be unique across all clients that the authorization server handles. If the client ID is guessable, it makes it slightly easier to craft phishing attacks against arbitrary applications.
