To expand on that - depending on exactly what type of IdP (and specifically which
technology) you were delegating to, it may be possible to do what you're asking - or
you may need to write something custom.
Can you provide more detail?
Also, if you have very specific Keycloak questions you might be best served on the
keycloak-user mailing list, which is extremely active
(https://lists.jboss.org/mailman/listinfo/keycloak-user).
On 08/12/2015 16:53, Marc Savy wrote:
Hi Ton,
I'm not quite sure what you mean, but I think what you're asking for is
brokerage/delegation in the form:
1. Client <-> Keycloak <-> Other IdP.
2. Client <-> apiman gateway
Regards,
Marc
On 08/12/2015 15:28, Ton Swieb wrote:
> Hi,
>
> I would like to secure my api's using the Keycloak OAuth2 policy.
> Similar to what is described in the blog post of Marc Savy:
>
> http://www.apiman.io/blog/gateway/security/oauth2/keycloak/authentication...
>
>
> Only with the difference that Keycloak delegates the login to a third
> party IdP. After logging in at this third party IdP I end up with an
> active session in the Apiman UI (the apiman realm of Keycloak).
>
> Now I am wondering how to get the bearer token, because I do not have a
> username/password combination I can use to make a call like:
>
> curl -X POST http://127.0.0.1:8080/auth/realms/stottie/protocol/openid-connect/token \
>   -H "Content-Type: application/x-www-form-urlencoded" \
>   -d "username=rincewind" -d 'password=apiman' -d 'grant_type=password' \
>   -d 'client_id=apiman'
>
> Because the username/password combination is linked to the third party
> IdP and not to Keycloak itself.
>
> Is there another way to obtain the bearer token?
>
> Perhaps this is a question which I should address at the keycloak
> mailing list. I will try to ask the question there as well.
>
> Regards,
>
> Ton
>
>
> _______________________________________________
> Apiman-user mailing list
> Apiman-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/apiman-user
>
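The thread does not spell out the alternative to the password grant, so the following is an added illustration (not code from the thread, from apiman or from Keycloak) of the "Client <-> Keycloak <-> Other IdP" shape Marc describes: because the user's password lives at the third-party IdP, the client sends the browser through Keycloak's authorization endpoint and exchanges the returned code at the same token endpoint Ton's curl call uses. The realm `stottie` and client `apiman` are the thread's own; the redirect URI, the broker alias `github`, and the `kc_idp_hint` value are assumptions.

```python
# Added example, not from the thread: authorization-code flow against the
# Keycloak realm/client named in Ton's curl call. Redirect URI and the
# identity-provider alias passed as kc_idp_hint are assumed values.
import json
from urllib.parse import urlencode, urlparse, parse_qs
from urllib.request import Request, urlopen

KEYCLOAK = "http://127.0.0.1:8080/auth/realms/stottie/protocol/openid-connect"
CLIENT_ID = "apiman"
REDIRECT_URI = "http://localhost:9000/callback"   # assumption


def build_authorize_url(state: str, idp_alias: str = "") -> str:
    """Step 1: URL the browser is sent to. Keycloak's kc_idp_hint parameter
    jumps straight to the configured broker instead of showing its own login page."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,  # random per session; checked again on the way back
    }
    if idp_alias:
        params["kc_idp_hint"] = idp_alias
    return f"{KEYCLOAK}/auth?{urlencode(params)}"


def parse_callback(url: str, expected_state: str) -> str:
    """Step 2: pull the code out of the redirect back to the client, rejecting
    a response whose state does not match the one we issued (login CSRF)."""
    qs = parse_qs(urlparse(url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discarding callback")
    if "error" in qs:
        raise ValueError("IdP returned error: " + qs["error"][0])
    return qs["code"][0]


def build_token_request(code: str) -> dict:
    """Step 3: form body for POST {KEYCLOAK}/token; this replaces the thread's
    grant_type=password, so no user password is ever sent to Keycloak."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID}


def exchange_code(code: str) -> str:
    """Perform step 3 against a running Keycloak and return the bearer token."""
    body = urlencode(build_token_request(code)).encode()
    req = Request(f"{KEYCLOAK}/token", data=body,
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req) as resp:
        return json.load(resp)["access_token"]  # send as "Authorization: Bearer ..."
```

The access token returned by `exchange_code` is what the apiman gateway's Keycloak OAuth2 policy expects in the `Authorization: Bearer` header.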