请注意,我对我提到的应用程序不熟悉,因此我可能会错误地使用该术语。我添加了一些图表来尽可能地解释自己。
我正在尝试在 APIMAN 中设置 Web 服务身份验证策略(在内部使用 Keycloak)
到目前为止,我知道我在 Keycloak 中创建的身份提供程序 (OpenAM) 配置正确,因为它正在登录页面上工作(见下图 1)
我还通过 Keycloak 的 OpenID API 成功使用了 access_token 来访问 Web 服务;但前提是用户凭证在 Keycloak 中(与 OpenAM 相对)(见图 2)
我想要实现的是通过 Keycloak 但使用身份提供者的凭据对这个 Web 服务客户端进行身份验证,但我不知道如何做到这一点,甚至不知道它是否可能。(见图3)
请注意,我还尝试使用 OpenAM 背后的 LDAP 进行用户联合,它工作正常,但我想知道是否有办法通过 OpenAM 来实现。
The way you used keycloak and openam is quite unusual, however if i understand correctlly your question, you want keycloak to redirect the webservice request to openam, not ldap,
You can either:
Openam would be your source of identity, and keyclaok would be his clients, you can do this by configuring keycloak: identity provider -> saml IDP -> and here you will place openam metadata.
In keycloak you go to identity providers -> create -> oidc v1 provider -> and you will place your openam info.
As i said, its can be done, but its not the way its suppossed to be, openam and keycloak are both Access management software, they both do exactly the same thing, in your configuration keycloak play a role of an API gateway, which is not exactly what keycloak should be doing, you can get get rid of either one of the solutions, both can provide you the same functionnalities (OIDC, OAuth2, SAML, LDAP, ...)