[Apiman-user] Keycloak OAuth2 policy: Get bearer token for logged in user without using username/password (Marc Savy)

Ton Swieb ton at finalist.nl
Tue Dec 8 13:00:18 EST 2015


Hi Marc,

I am using the following setup:
1. Client -> Keycloak (apiman realm) -> SAML 2.0 IdP -> Keycloak (apiman realm) -> Client
2. Client -> apiman gateway -> Keycloak OAuth policy -> back-end -> apiman gateway -> Client

The IdP is a SAML 2.0 IdP. I believe it is SimpleSAMLPHP.
It is unclear to me why it matters which IdP I am using, because my
assumption is that:

   - I end up with a valid Keycloak session within the apiman realm
   - the SAML 2.0 token should only be used by Keycloak to issue a login session to the client.
   - the client itself will never directly use anything from the SAML 2.0 IdP, but should only use the stuff that Keycloak mapped from the SAML token onto its own token.

I did ask the question on the keycloak mailing list, but from a different
angle. I am afraid the solution for my problem will be somewhere in between.
Any help from your side is greatly appreciated :-)

Regards,

Ton


Message: 5
Date: Tue, 8 Dec 2015 16:58:26 +0000
From: Marc Savy <marc.savy at redhat.com>
Subject: Re: [Apiman-user] Keycloak OAuth2 policy: Get bearer token for logged in user without using username/password
To: apiman-user at lists.jboss.org
Message-ID: <56670C32.3060000 at redhat.com>
Content-Type: text/plain; charset=UTF-8; format=flowed

To expand on that - depending on exactly what type of IdP (and specifically
which technology) you were delegating to, it may be possible to do what
you're asking - or you may need to write something custom.

Can you provide more detail?

Also, if you have very specific Keycloak questions you might be best served
on the keycloak-user mailing list, which is extremely active (
https://lists.jboss.org/mailman/listinfo/keycloak-user).

On 08/12/2015 16:53, Marc Savy wrote:
> Hi Ton,
>
> I'm not quite sure what you mean, but I think what you're asking for is
> brokerage/delegation in the form:
>
> 1. Client <-> Keycloak <-> Other IdP.
> 2. Client <-> apiman gateway
>
> Regards,
> Marc
>
> On 08/12/2015 15:28, Ton Swieb wrote:
> > Hi,
> >
> > I would like to secure my APIs using the Keycloak OAuth2 policy.
> > Similar to what is described in the blog post of Marc Savy:
> > http://www.apiman.io/blog/gateway/security/oauth2/keycloak/authentication/authorization/2015/06/09/keycloak-oauth2.html
> >
> > Only with the difference that Keycloak delegates the login to a third
> > party IdP. After logging in at this third party IdP I end up with an
> > active session in the Apiman UI (the apiman realm of Keycloak).
> >
> > Now I am wondering how to get the bearer token, because I do not have a
> > username/password combination I can use to make a call like:
> >
> > curl -X POST http://127.0.0.1:8080/auth/realms/stottie/protocol/openid-connect/token \
> >   -H "Content-Type: application/x-www-form-urlencoded" \
> >   -d "username=rincewind" -d 'password=apiman' -d 'grant_type=password' -d 'client_id=apiman'
> >
> > Because the username/password combination is linked to the third party
> > IdP and not to Keycloak itself.
> >
> > Is there another way to obtain the bearer token?
> >
> > Perhaps this is a question which I should address at the keycloak
> > mailing list. I will try to ask the question there as well.
> >
> > Regards,
> >
> > Ton
> >
> >
> > _______________________________________________
> > Apiman-user mailing list
> > Apiman-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/apiman-user
> >
>
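Added example, not code from the thread or from apiman/Keycloak: the password grant quoted above is one of several OAuth2 grants served by the same Keycloak token endpoint; a client whose user already authenticated in the browser (for instance through a brokered SAML IdP) can instead exchange the one-time authorization code it received on its redirect URI for tokens, then inspect the claims Keycloak mapped into its own access token. Realm "stottie" and client_id "apiman" come from the thread; the base URL, code and redirect URI are placeholders, and the sample JWT is constructed here.

```python
import base64
import json
import urllib.parse
import urllib.request


def build_token_request(base_url, realm, client_id, code, redirect_uri):
    """Build the authorization-code exchange for Keycloak's token endpoint.

    Same endpoint as the password grant in the thread, but grant_type is
    authorization_code: the user logged in via the browser (possibly through a
    brokered IdP), so no password is ever handled by the client.
    redirect_uri must match the one registered on the Keycloak client.
    """
    url = f"{base_url}/auth/realms/{realm}/protocol/openid-connect/token"
    form = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
    }
    body = urllib.parse.urlencode(form).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return url, body, headers


def fetch_token(base_url, realm, client_id, code, redirect_uri):
    """Perform the exchange over HTTP and return the parsed token response."""
    url, body, headers = build_token_request(base_url, realm, client_id, code, redirect_uri)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying its signature.

    Only for looking at which attributes Keycloak mapped from the SAML
    assertion into its own token; the gateway must still verify RS256 against
    the realm key before trusting any claim.
    """
    _header, payload_b64, _sig = token.split(".")
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def bearer_header(token_response):
    """Authorization header for calling an API behind the apiman gateway."""
    return {"Authorization": f"Bearer {token_response['access_token']}"}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed, unsigned sample token for offline use (empty signature part).
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"iss": "http://127.0.0.1:8080/auth/realms/stottie",
                        "preferred_username": "rincewind"}).encode()),
    "",
])
```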