I've successfully configured Keycloak as the identity server for WSO2 API Manager, and I am able to log in to Keycloak and, with the bearer token, call a WSO2-defined REST API. Now I need WSO2 to also send the backend claims based on the Keycloak user's information, like role, group or property. WSO2 APIM 4.1.0 and Keycloak 19.
- Can you update the question with which API Manager version you are using? Also, can you edit the question with more elaboration? Do you want to pass the Keycloak information to the actual Backend Endpoint? Or is it you want to use the Keycloak Access token to invoke the API? – Athiththan Jul 30 '22 at 16:04
1 Answer
You can't get group information from the access token's claims, but you can get client role, realm role, user name, username and client name.
User group or group membership can be obtained by a separate API call.
You need to follow this order: create realm -> create client -> add realm role -> add client role -> add user (with credential) -> assign realm role to user -> assign client role to user
Then get an access token for the user with grant_type "password".
Decode the access token with jwt.io.
Finally you can map between the Keycloak settings and the token's claims.
You need to understand how to access the resource by Role Based Access Control in Keycloak. Here is a good explanation of Resources, scopes, permissions and policies in Keycloak

Bench Vue
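The steps above end with decoding the token on jwt.io and mapping its claims to the Keycloak settings. The following is an added example (not code from the answer, the question, or either project) of what that mapping looks like in code, with the check a gateway needs before trusting any claim: it mints a constructed HS256 token shaped like a Keycloak access token, verifies signature, `alg`, `exp` and `aud`, and then pulls the realm roles from `realm_access` and the client roles from `resource_access`. The secret, issuer, client name and claim values are all constructed for the demo; real Keycloak tokens are RS256 and must be verified against the realm's JWKS endpoint, not a shared secret.

```python
# Added example, not from the original post: verify and decode a
# Keycloak-style access token and map its role claims. Uses a constructed
# HS256 token and constructed secret so it runs offline; production tokens
# from Keycloak are RS256 and are verified against the realm's JWKS.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


# Constructed values shaped like a Keycloak access token (all hypothetical).
DEMO_SECRET = b"constructed-demo-secret"
DEMO_CLIENT_ID = "wso2-gateway"
DEMO_CLAIMS = {
    "iss": "https://keycloak.example.test/realms/demo",
    "aud": DEMO_CLIENT_ID,
    "exp": int(time.time()) + 300,
    "preferred_username": "alice",
    "name": "Alice Example",
    "azp": DEMO_CLIENT_ID,
    "realm_access": {"roles": ["offline_access", "api-reader"]},
    "resource_access": {
        DEMO_CLIENT_ID: {"roles": ["invoke-orders"]},
        "account": {"roles": ["manage-account"]},
    },
}


def make_token(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT from `claims` (stand-in for what Keycloak issues)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_and_decode(token: str, secret: bytes, audience: str,
                      now: Optional[int] = None) -> dict:
    """Return the claims only if signature, alg, exp and aud all check out.

    Reading the payload alone (what jwt.io does) is fine for inspection; a
    gateway must verify before acting on roles or usernames in the token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # rejects alg=none and alg swaps
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    return claims


def extract_roles(claims: dict, client_id: str) -> dict:
    """Flatten Keycloak's realm_access / resource_access claims for a backend.

    Group membership is absent on purpose: as the answer says, it is not in
    the token by default and needs a separate Keycloak API call.
    """
    realm_roles = claims.get("realm_access", {}).get("roles", [])
    client_roles = (claims.get("resource_access", {})
                    .get(client_id, {}).get("roles", []))
    return {
        "username": claims.get("preferred_username"),
        "client": claims.get("azp"),
        "realm_roles": sorted(realm_roles),
        "client_roles": sorted(client_roles),
    }


if __name__ == "__main__":
    tok = make_token(DEMO_CLAIMS, DEMO_SECRET)
    print(extract_roles(verify_and_decode(tok, DEMO_SECRET, DEMO_CLIENT_ID),
                        DEMO_CLIENT_ID))
```

The role lookup in `extract_roles` is keyed by the client the gateway expects (`wso2-gateway` here), so roles of other clients such as `account` are not forwarded to the backend by accident; `verify_and_decode` refuses a wrong secret, an expired token, a foreign audience and any `alg` other than the one configured.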
- Can I make the role pass to WSO2 and arrive at the API in the claims? – user5919369 Jul 29 '22 at 08:12
- WSO2 is the back-end; it can get the access token from the front-end. It means a role can pass from the IdP to WSO2 via the front-end. But WSO2 needs to decode the access token. Example [here](https://www.programcreek.com/python/?CodeExample=get+claims) – Bench Vue Jul 29 '22 at 08:31
- WSO2 got the access token from the front-end; you can do it both ways: #1 decode it with no extra API call, or #2 ask Keycloak for the user information. – Bench Vue Jul 29 '22 at 12:03
- This is how to get the user information by asking Keycloak [here](https://stackoverflow.com/questions/73118975/oauth-to-oidc-keycloak/73126707#73126707) – Bench Vue Jul 29 '22 at 12:07
- Yes I know, but this is "handmade" and not generic (if I need to change the SSO server, for example); instead I need WSO2 to get the info from Keycloak and use it as claims for the backend. I know that I can do it with a custom add-on on WSO2, but I wondered if there was already a ready, standard mechanism – user5919369 Aug 01 '22 at 09:04
- Yes, the [Keycloak REST API](https://www.keycloak.org/docs-api/18.0/rest-api/) can do it. – Bench Vue Aug 01 '22 at 10:18
- This is not generic and couples the REST service to Keycloak... the claims are more generic – user5919369 Aug 02 '22 at 11:28
- Right, I'll give you an example: now I have Keycloak as SSO, for example, and all my REST APIs are behind WSO2; they read the claims and do things using the claims. Tomorrow I'm going to change my SSO, but I want the REST applications to still use the claims. In your solution I need to change the interaction with Keycloak to an interaction with other SSO software – user5919369 Aug 03 '22 at 05:56