<div dir="ltr"><div><div><div>Hi Marc,<br><br></div><div>I got it working, without the SAML IdP, using the Keycloak Javascript adapter.<br></div><div><br></div><div>I used the Keycloak JS-Console example and extended it with a javascript function that does a call the apiman-gateway after I have a logged in session with Keycloak. Something like:<br> var client = new XMLHttpRequest();<br> client.open("GET", url, false);<br> client.setRequestHeader("Accept", "application/json");<br> client.setRequestHeader("Authorization", "Bearer " + keycloak.token);<br> client.send();<br><br></div><div>The keycloak.token is available after a call to keycloak.login(). Both are part of the Keycloak javascript adapter.<br></div><div><br></div><div>Underneath the Javascript adapter still does a call similair to <a href="http://127.0.0.1:8080/auth/realms/stottie/protocol/openid-connect/token" rel="noreferrer" target="_blank">http://127.0.0.1:8080/auth/realms/stottie/protocol/openid-connect/token</a> to retrieve the access token. With the difference that the grant_type used is authorization_code instead of password and a code is supplied instead of a username/password combination. I assume the code is retrieved from the keycloak session. Not sure how it exactly works, but it works.<br><br></div><div>Next step will be to test it with the SAML IdP instead of standalone Keycloak, but I do not expect it to behave any differently.<br><br></div>Regards,<br></div><br></div>Ton<div class="gmail_extra"><br><div class="gmail_quote">2015-12-08 19:00 GMT+01:00 Ton Swieb <span dir="ltr"><<a href="mailto:ton@finalist.nl" target="_blank">ton@finalist.nl</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div><div><div><div>Hi Marc,<br><br></div><div>I am using the following setup:<br></div></div>1. Client -> Keycloak (apiman realm) -> SAML 2.0 IdP -> Keycloak (apiman realm) -> Client<br></div>2. Client -> apiman gateway -> Keycloak OAuth policy -> back-end -> apiman gateway -> Client<br><br></div><div>The IdP is a SAML 2.0 IdP. I believe it is SimpleSAMLPHP.<br></div>It is unclear to me why it matters which IdP I am using, because my assumption is that:<br><ul><li>I end up with a valid Keycloak session within the apiman realm</li><li>the SAML 2.0 token should only be used by Keycloak to issue a login session to the client. </li><li>the client itself will never directly use anyhting from the SAML 2.0 IdP, but should only use the stuff that Keycloak mapped from the SAML token onto its own token.<br></li></ul>I did ask the question on the keycloak mailinglist, but from a different angle. I am afraid the solution for my problem will be somewhere in between.<br></div><div>Any help from your site is greatly appreciated :-)<br></div><div><div><br><div><div><div><div><div>Regards,<br><br></div><div>Ton<br></div><div><br><div><div class="gmail_extra"><br><div class="gmail_quote">Message: 5<br></div><div class="gmail_quote">
Date: Tue, 8 Dec 2015 16:58:26 +0000<br>
From: Marc Savy <<a href="mailto:marc.savy@redhat.com" target="_blank">marc.savy@redhat.com</a>><br>
Subject: Re: [Apiman-user] Keycloak OAuth2 policy: Get bearer token<br>
for logged in user without using username/password<br>
To: <a href="mailto:apiman-user@lists.jboss.org" target="_blank">apiman-user@lists.jboss.org</a><br>
Message-ID: <<a href="mailto:56670C32.3060000@redhat.com" target="_blank">56670C32.3060000@redhat.com</a>><br>
Content-Type: text/plain; charset=UTF-8; format=flowed<br>
<br>
To expand on that - depending on exactly what type of IdP (and specifically which technology) you were delegating to, it may be possible to do what you're asking - or you may need to write something custom.<br>
<br>
Can you provide more detail?<br>
<br>
Also, if you have very specific Keycloak questions you might be best served on the keycloak-user mailing list, which is extremely active (<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a>).<br>
<br>
On 08/12/2015 16:53, Marc Savy wrote:<br>
> Hi Ton,<br>
><br>
> I'm not quite sure what you mean, but I think what you're asking for is<br>
> brokerage/delegation in the form:<br>
><br>
> 1. Client <-> Keycloak <-> Other IdP.<br>
> 2. Client <-> apiman gateway<br>
><br>
> Regards,<br>
> Marc<br>
><br>
> On 08/12/2015 15:28, Ton Swieb wrote:<br>
> > Hi,<br>
> ><br>
> > I would like to secure my api's using the Keycloak OAuth2 policy.<br>
> > Similair to what is described in the blog post of Marc Savy:<br>
> > <a href="http://www.apiman.io/blog/gateway/security/oauth2/keycloak/authentication/authorization/2015/06/09/keycloak-oauth2.html" rel="noreferrer" target="_blank">http://www.apiman.io/blog/gateway/security/oauth2/keycloak/authentication/authorization/2015/06/09/keycloak-oauth2.html</a><br>
> ><br>
> ><br>
> > Only with the difference that Keycloak delegates the login to a third<br>
> > party IdP. After logging in at this third party IdP I end up with an<br>
> > active session in the Apiman UI (the apiman realm of Keycloak).<br>
> ><br>
> > Now I am wondering how to get the bearer token, because I do not have a<br>
> > username/password combination I can use to make a call like:<br>
> ><br>
> > |curl -X POST<br>
> > <a href="http://127.0.0.1:8080/auth/realms/stottie/protocol/openid-connect/token" rel="noreferrer" target="_blank">http://127.0.0.1:8080/auth/realms/stottie/protocol/openid-connect/token</a><br>
> > -H "Content-Type: application/x-www-form-urlencoded" -d<br>
> > "username=rincewind" -d 'password=apiman' -d 'grant_type=password' -d<br>
> > 'client_id=apiman'|<br>
> ><br>
> > Because the username/password combination is linked to the third party<br>
> > IdP and not to Keycloak itself.<br>
> ><br>
> > Is there another way to obtain the bearer token?<br>
> ><br>
> > Perhaps this is aquestion which I should address at the keycloak<br>
> > mailinglist. I will try to ask the question there as well.<br>
> ><br>
> > Regards,<br>
> ><br>
> > Ton<br>
> ><br>
> ><br>
> > _______________________________________________<br>
> > Apiman-user mailing list<br>
> > <a href="mailto:Apiman-user@lists.jboss.org" target="_blank">Apiman-user@lists.jboss.org</a><br>
> > <a href="https://lists.jboss.org/mailman/listinfo/apiman-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/apiman-user</a><br>
> ><br>
><br></div></div></div></div></div></div></div></div></div></div></div>
</blockquote></div><br></div></div>