Re: [Apiman-user] Keycloak OAuth2 policy: Get bearer token for logged in user without using username/password (Marc Savy)
noon
Hi Marc,
I am using the following setup:
1. Client -> Keycloak (apiman realm) -> SAML 2.0 IdP -> Keycloak (apiman
realm) -> Client
2. Client -> apiman gateway -> Keycloak OAuth policy -> back-end -> apiman
gateway -> Client
The IdP is a SAML 2.0 IdP. I believe it is SimpleSAMLPHP.
It is unclear to me why it matters which IdP I am using, because my
assumption is that:
- I end up with a valid Keycloak session within the apiman realm
- the SAML 2.0 token should only be used by Keycloak to issue a login
session to the client.
- the client itself will never directly use anyhting from the SAML 2.0
IdP, but should only use the stuff that Keycloak mapped from the SAML token
onto its own token.
I did ask the question on the keycloak mailinglist, but from a different
angle. I am afraid the solution for my problem will be somewhere in between.
Any help from your site is greatly appreciated :-)
Regards,
Ton
Message: 5
Date: Tue, 8 Dec 2015 16:58:26 +0000
From: Marc Savy <marc.savy(a)redhat.com>
Subject: Re: [Apiman-user] Keycloak OAuth2 policy: Get bearer token
for logged in user without using username/password
To: apiman-user(a)lists.jboss.org
Message-ID: <56670C32.3060000(a)redhat.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
To expand on that - depending on exactly what type of IdP (and specifically
which technology) you were delegating to, it may be possible to do what
you're asking - or you may need to write something custom.
Can you provide more detail?
Also, if you have very specific Keycloak questions you might be best served
on the keycloak-user mailing list, which is extremely active (
https://lists.jboss.org/mailman/listinfo/keycloak-user).
On 08/12/2015 16:53, Marc Savy wrote:
Hi Ton,
I'm not quite sure what you mean, but I think what you're asking for is
brokerage/delegation in the form:
1. Client <-> Keycloak <-> Other IdP.
2. Client <-> apiman gateway
Regards,
Marc
On 08/12/2015 15:28, Ton Swieb wrote:
> Hi,
>
> I would like to secure my api's using the Keycloak OAuth2 policy.
> Similair to what is described in the blog post of Marc Savy:
>
http://www.apiman.io/blog/gateway/security/oauth2/keycloak/authentication...
>
>
> Only with the difference that Keycloak delegates the login to a third
> party IdP. After logging in at this third party IdP I end up with an
> active session in the Apiman UI (the apiman realm of Keycloak).
>
> Now I am wondering how to get the bearer token, because I do not have a
> username/password combination I can use to make a call like:
>
> |curl -X POST
> http://127.0.0.1:8080/auth/realms/stottie/protocol/openid-connect/token
> -H "Content-Type: application/x-www-form-urlencoded" -d
> "username=rincewind" -d 'password=apiman' -d
'grant_type=password' -d
> 'client_id=apiman'|
>
> Because the username/password combination is linked to the third party
> IdP and not to Keycloak itself.
>
> Is there another way to obtain the bearer token?
>
> Perhaps this is aquestion which I should address at the keycloak
> mailinglist. I will try to ask the question there as well.
>
> Regards,
>
> Ton
>
>
> _______________________________________________
> Apiman-user mailing list
> Apiman-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/apiman-user
>
3687
days inactive
3687
days old
0 comments
1 participants
participants (1)
-
Ton Swieb