Hi Marc,

I am using the following setup:

1. Client -> Keycloak (apiman realm) -> SAML 2.0 IdP -> Keycloak (apiman realm) -> Client

2. Client -> apiman gateway -> Keycloak OAuth policy -> back-end -> apiman gateway -> Client

The IdP is a SAML 2.0 IdP. I believe it is SimpleSAMLPHP.

It is unclear to me why it matters which IdP I am using, because my assumption is that:

I end up with a valid Keycloak session within the apiman realm
the SAML 2.0 token should only be used by Keycloak to issue a login session to the client.
the client itself will never directly use anyhting from the SAML 2.0 IdP, but should only use the stuff that Keycloak mapped from the SAML token onto its own token.

I did ask the question on the keycloak mailinglist, but from a different angle. I am afraid the solution for my problem will be somewhere in between.

Any help from your site is greatly appreciated :-)

Regards,

Ton

Message: 5

Date: Tue, 8 Dec 2015 16:58:26 +0000
From: Marc Savy <marc.savy@redhat.com>
Subject: Re: [Apiman-user] Keycloak OAuth2 policy: Get bearer token
for logged in user without using username/password
To: apiman-user@lists.jboss.org
Message-ID: <56670C32.3060000@redhat.com>
Content-Type: text/plain; charset=UTF-8; format=flowed

To expand on that - depending on exactly what type of IdP (and specifically which technology) you were delegating to, it may be possible to do what you're asking - or you may need to write something custom.

Can you provide more detail?

Also, if you have very specific Keycloak questions you might be best served on the keycloak-user mailing list, which is extremely active (https://lists.jboss.org/mailman/listinfo/keycloak-user).

On 08/12/2015 16:53, Marc Savy wrote:
> Hi Ton,
>
> I'm not quite sure what you mean, but I think what you're asking for is
> brokerage/delegation in the form:
>
> 1. Client <-> Keycloak <-> Other IdP.
> 2. Client <-> apiman gateway
>
> Regards,
> Marc
>
> On 08/12/2015 15:28, Ton Swieb wrote:
> > Hi,
> >
> > I would like to secure my api's using the Keycloak OAuth2 policy.
> > Similair to what is described in the blog post of Marc Savy:
> > http://www.apiman.io/blog/gateway/security/oauth2/keycloak/authentication/authorization/2015/06/09/keycloak-oauth2.html
> >
> >
> > Only with the difference that Keycloak delegates the login to a third
> > party IdP. After logging in at this third party IdP I end up with an
> > active session in the Apiman UI (the apiman realm of Keycloak).
> >
> > Now I am wondering how to get the bearer token, because I do not have a
> > username/password combination I can use to make a call like:
> >
> > |curl -X POST
> > http://127.0.0.1:8080/auth/realms/stottie/protocol/openid-connect/token
> > -H "Content-Type: application/x-www-form-urlencoded" -d
> > "username=rincewind" -d 'password=apiman' -d 'grant_type=password' -d
> > 'client_id=apiman'|
> >
> > Because the username/password combination is linked to the third party
> > IdP and not to Keycloak itself.
> >
> > Is there another way to obtain the bearer token?
> >
> > Perhaps this is aquestion which I should address at the keycloak
> > mailinglist. I will try to ask the question there as well.
> >
> > Regards,
> >
> > Ton
> >
> >
> > _______________________________________________
> > Apiman-user mailing list
> > Apiman-user@lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/apiman-user
> >
>