[Apiman-user] Keycloak OAuth2 policy: Get bearer token for logged in user without using username/password

Ton Swieb ton at finalist.nl
Wed Dec 9 11:02:05 EST 2015 

Hi Marc,

I got it working, without the SAML IdP, using the Keycloak Javascript
adapter.

I used the Keycloak JS-Console example and extended it with a javascript
function that does a call the apiman-gateway after I have a logged in
session with Keycloak.  Something like:
        var client = new XMLHttpRequest();
        client.open("GET", url, false);
        client.setRequestHeader("Accept", "application/json");
        client.setRequestHeader("Authorization", "Bearer " +
keycloak.token);
        client.send();

The keycloak.token is available after a call to keycloak.login(). Both are
part of the Keycloak javascript adapter.

Underneath the Javascript adapter still does a call similair to
http://127.0.0.1:8080/auth/realms/stottie/protocol/openid-connect/token to
retrieve the access token. With the difference that the grant_type used is
authorization_code instead of password and a code is supplied instead of a
username/password combination. I assume the code is retrieved from the
keycloak session. Not sure how it exactly works, but it works.

Next step will be to test it with the SAML IdP instead of standalone
Keycloak, but I do not expect it to behave any differently.

Regards,

Ton

2015-12-08 19:00 GMT+01:00 Ton Swieb <ton at finalist.nl>:

> Hi Marc,
>
> I am using the following setup:
> 1. Client -> Keycloak (apiman realm) -> SAML 2.0 IdP -> Keycloak (apiman
> realm) -> Client
> 2. Client -> apiman gateway -> Keycloak OAuth policy -> back-end -> apiman
> gateway -> Client
>
> The IdP is a SAML 2.0 IdP. I believe it is SimpleSAMLPHP.
> It is unclear to me why it matters which IdP I am using, because my
> assumption is that:
>
>    - I end up with a valid Keycloak session within the apiman realm
>    - the SAML 2.0 token should only be used by Keycloak to issue a login
>    session to the client.
>    - the client itself will never directly use anyhting from the SAML 2.0
>    IdP, but should only use the stuff that Keycloak mapped from the SAML token
>    onto its own token.
>
> I did ask the question on the keycloak mailinglist, but from a different
> angle. I am afraid the solution for my problem will be somewhere in between.
> Any help from your site is greatly appreciated :-)
>
> Regards,
>
> Ton
>
>
> Message: 5
> Date: Tue, 8 Dec 2015 16:58:26 +0000
> From: Marc Savy <marc.savy at redhat.com>
> Subject: Re: [Apiman-user] Keycloak OAuth2 policy: Get bearer token
>         for logged in user without using username/password
> To: apiman-user at lists.jboss.org
> Message-ID: <56670C32.3060000 at redhat.com>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> To expand on that - depending on exactly what type of IdP (and
> specifically which technology) you were delegating to, it may be possible
> to do what you're asking - or you may need to write something custom.
>
> Can you provide more detail?
>
> Also, if you have very specific Keycloak questions you might be best
> served on the keycloak-user mailing list, which is extremely active (
> https://lists.jboss.org/mailman/listinfo/keycloak-user).
>
> On 08/12/2015 16:53, Marc Savy wrote:
> > Hi Ton,
> >
> > I'm not quite sure what you mean, but I think what you're asking for is
> > brokerage/delegation in the form:
> >
> > 1. Client <-> Keycloak <-> Other IdP.
> > 2. Client <-> apiman gateway
> >
> > Regards,
> > Marc
> >
> > On 08/12/2015 15:28, Ton Swieb wrote:
> > > Hi,
> > >
> > > I would like to secure my api's using the Keycloak OAuth2 policy.
> > > Similair to what is described in the blog post of Marc Savy:
> > >
> http://www.apiman.io/blog/gateway/security/oauth2/keycloak/authentication/authorization/2015/06/09/keycloak-oauth2.html
> > >
> > >
> > > Only with the difference that Keycloak delegates the login to a third
> > > party IdP. After logging in at this third party IdP I end up with an
> > > active session in the Apiman UI (the apiman realm of Keycloak).
> > >
> > > Now I am wondering how to get the bearer token, because I do not have a
> > > username/password combination I can use to make a call like:
> > >
> > > |curl -X POST
> > >
> http://127.0.0.1:8080/auth/realms/stottie/protocol/openid-connect/token
> > > -H "Content-Type: application/x-www-form-urlencoded" -d
> > > "username=rincewind" -d 'password=apiman' -d 'grant_type=password' -d
> > > 'client_id=apiman'|
> > >
> > > Because the username/password combination is linked to the third party
> > > IdP and not to Keycloak itself.
> > >
> > > Is there another way to obtain the bearer token?
> > >
> > > Perhaps this is aquestion which I should address at the keycloak
> > > mailinglist. I will try to ask the question there as well.
> > >
> > > Regards,
> > >
> > > Ton
> > >
> > >
> > > _______________________________________________
> > > Apiman-user mailing list
> > > Apiman-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/apiman-user
> > >
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/apiman-user/attachments/20151209/c7b2375a/attachment.html

More information about the Apiman-user mailing list