Re: [Apiman-user] Keycloak OAuth2 policy: Get bearer token for logged in user without using username/password

Hi Marc, I am using the following setup: 1. Client -> Keycloak (apiman realm) -> SAML 2.0 IdP -> Keycloak (apiman realm) -> Client 2. Client -> apiman gateway -> Keycloak OAuth policy -> back-end -> apiman gateway -> Client The IdP is a SAML 2.0 IdP. I believe it is SimpleSAMLPHP. It is unclear to me why it matters which IdP I am using, because my assumption is that: - I end up with a valid Keycloak session within the apiman realm - the SAML 2.0 token should only be used by Keycloak to issue a login session to the client. - the client itself will never directly use anyhting from the SAML 2.0 IdP, but should only use the stuff that Keycloak mapped from the SAML token onto its own token. I did ask the question on the keycloak mailinglist, but from a different angle. I am afraid the solution for my problem will be somewhere in between. Any help from your site is greatly appreciated :-) Regards, Ton Message: 5 Date: Tue, 8 Dec 2015 16:58:26 +0000 From: Marc Savy <marc.savy(a)redhat.com&gt; Subject: Re: [Apiman-user] Keycloak OAuth2 policy: Get bearer token for logged in user without using username/password To: apiman-user(a)lists.jboss.org Message-ID: <56670C32.3060000(a)redhat.com&gt; Content-Type: text/plain; charset=UTF-8; format=flowed To expand on that - depending on exactly what type of IdP (and specifically which technology) you were delegating to, it may be possible to do what you're asking - or you may need to write something custom. Can you provide more detail? Also, if you have very specific Keycloak questions you might be best served on the keycloak-user mailing list, which is extremely active ( https://lists.jboss.org/mailman/listinfo/keycloak-user). On 08/12/2015 16:53, Marc Savy wrote: > Hi Ton, > > I'm not quite sure what you mean, but I think what you're asking for is > brokerage/delegation in the form: > > 1. Client <-> Keycloak <-> Other IdP. > 2. Client <-> apiman gateway > > Regards, > Marc > > On 08/12/2015 15:28, Ton Swieb wrote: > > Hi, > > > > I would like to secure my api's using the Keycloak OAuth2 policy. > > Similair to what is described in the blog post of Marc Savy: > > http://www.apiman.io/blog/gateway/security/oauth2/keycloak/authentication... > > > > > > Only with the difference that Keycloak delegates the login to a third > > party IdP. After logging in at this third party IdP I end up with an > > active session in the Apiman UI (the apiman realm of Keycloak). > > > > Now I am wondering how to get the bearer token, because I do not have a > > username/password combination I can use to make a call like: > > > > |curl -X POST > > http://127.0.0.1:8080/auth/realms/stottie/protocol/openid-connect/token > > -H "Content-Type: application/x-www-form-urlencoded" -d > > "username=rincewind" -d 'password=apiman' -d 'grant_type=password' -d > > 'client_id=apiman'| > > > > Because the username/password combination is linked to the third party > > IdP and not to Keycloak itself. > > > > Is there another way to obtain the bearer token? > > > > Perhaps this is aquestion which I should address at the keycloak > > mailinglist. I will try to ask the question there as well. > > > > Regards, > > > > Ton > > > > > > _______________________________________________ > > Apiman-user mailing list > > Apiman-user(a)lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/apiman-user > > >