Re: [Apiman-user] Keycloak OAuth2 policy: Get bearer token for logged in user without using username/password (Marc Savy)

Hi Marc, I am using the following setup: 1. Client -> Keycloak (apiman realm) -> SAML 2.0 IdP -> Keycloak (apiman realm) -> Client 2. Client -> apiman gateway -> Keycloak OAuth policy -> back-end -> apiman gateway -> Client The IdP is a SAML 2.0 IdP. I believe it is SimpleSAMLPHP. It is unclear to me why it matters which IdP I am using, because my assumption is that: - I end up with a valid Keycloak session within the apiman realm - the SAML 2.0 token should only be used by Keycloak to issue a login session to the client. - the client itself will never directly use anyhting from the SAML 2.0 IdP, but should only use the stuff that Keycloak mapped from the SAML token onto its own token. I did ask the question on the keycloak mailinglist, but from a different angle. I am afraid the solution for my problem will be somewhere in between. Any help from your site is greatly appreciated :-) Regards, Ton Message: 5 Date: Tue, 8 Dec 2015 16:58:26 +0000 From: Marc Savy <marc.savy(a)redhat.com&gt; Subject: Re: [Apiman-user] Keycloak OAuth2 policy: Get bearer token for logged in user without using username/password To: apiman-user(a)lists.jboss.org Message-ID: <56670C32.3060000(a)redhat.com&gt; Content-Type: text/plain; charset=UTF-8; format=flowed To expand on that - depending on exactly what type of IdP (and specifically which technology) you were delegating to, it may be possible to do what you're asking - or you may need to write something custom. Can you provide more detail? Also, if you have very specific Keycloak questions you might be best served on the keycloak-user mailing list, which is extremely active ( https://lists.jboss.org/mailman/listinfo/keycloak-user). On 08/12/2015 16:53, Marc Savy wrote: http://www.apiman.io/blog/gateway/security/oauth2/keycloak/authentication...