From cmoulliard at redhat.com Thu Aug 6 08:29:14 2015 From: cmoulliard at redhat.com (Charles Moulliard) Date: Thu, 6 Aug 2015 14:29:14 +0200 Subject: [Apiman-user] ApiMan & Swagger Doc Message-ID: <55C3531A.7010107@redhat.com> Hi, The APiman GUI Web Interface allows to add the Swagger JSON/YAML - Service Defintion (https://www.dropbox.com/s/rakl089j6ylzwg9/Screenshot%202015-08-06%2013.21.43.png?dl=0). Is it used by Apiman or only present for doc purpose ? Response [13:23:04] ch007m, currently the late AFAIK [13:23:07] later * [13:34:33] ch007m: presently it'll show you nice API docs based upon the swagger doc - however, we're looking at how we might evolve that in future [13:34:56] e.g. testing the api Question : Where can I see from the ApiMan the API docs based upon the swagger doc ? Idea : As Swagger API allows to define authorization, that could be interesting to import the Swagger Doc of a service in order to generate the services. Regards, Charles From marc.savy at redhat.com Thu Aug 6 08:56:33 2015 From: marc.savy at redhat.com (Marc Savy) Date: Thu, 6 Aug 2015 13:56:33 +0100 Subject: [Apiman-user] ApiMan & Swagger Doc In-Reply-To: <55C3531A.7010107@redhat.com> References: <55C3531A.7010107@redhat.com> Message-ID: <55C35981.9040607@redhat.com> Hi Charles, This blog post should give you an idea of what the current capabilities of apiman plus swagger are: http://www.apiman.io/blog/api-manager/swagger/service/ui/2015/06/02/swagger.html I think what you're asking for falls under the 1.3 section of our roadmap http://www.apiman.io/latest/roadmap.html Regards, Marc On 06/08/2015 13:29, Charles Moulliard wrote: > Hi, > > The APiman GUI Web Interface allows to add the Swagger JSON/YAML - > Service Defintion > (https://www.dropbox.com/s/rakl089j6ylzwg9/Screenshot%202015-08-06%2013.21.43.png?dl=0). > Is it used by Apiman or only present for doc purpose ? > > Response > > [13:23:04] ch007m, currently the late AFAIK > [13:23:07] later * > [13:34:33] ch007m: presently it'll show you nice API docs > based upon the swagger doc - however, we're looking at how we might > evolve that in future > [13:34:56] e.g. testing the api > > Question : Where can I see from the ApiMan the API docs based upon the > swagger doc ? > > Idea : As Swagger API allows to define authorization, that could be > interesting to import the Swagger Doc of a service in order to generate > the services. > > Regards, > > Charles > _______________________________________________ > Apiman-user mailing list > Apiman-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/apiman-user > From eric.wittmann at redhat.com Thu Aug 6 09:00:03 2015 From: eric.wittmann at redhat.com (Eric Wittmann) Date: Thu, 6 Aug 2015 09:00:03 -0400 Subject: [Apiman-user] ApiMan & Swagger Doc In-Reply-To: <55C3531A.7010107@redhat.com> References: <55C3531A.7010107@redhat.com> Message-ID: <55C35A53.1060106@redhat.com> Swagger is currently supported only to document a service. So it can be added by the Service Provider via the Definition tab on the service. It is then displayed on the "Search for a Service to Consume" area of the UI (where application developers go to find services they wish to consume). Specifically it will be shown on the service details UI screen once an app developer has searched for and found the service. We do want to use the swagger information in many other places. One of the things we'll be doing shortly is re-implementing the old "Import Service(s)" functionality that we had in an early version but didn't make the transition from GWT to angularjs. So importing from a swagger definition is a likely candidate. Additionally, we will want to implement testing tools, where a service provider can ensure that the various policies she configured are working properly. For that it will also be useful to have the swagger definition available. -Eric On 8/6/2015 8:29 AM, Charles Moulliard wrote: > Hi, > > The APiman GUI Web Interface allows to add the Swagger JSON/YAML - > Service Defintion > (https://www.dropbox.com/s/rakl089j6ylzwg9/Screenshot%202015-08-06%2013.21.43.png?dl=0). > Is it used by Apiman or only present for doc purpose ? > > Response > > [13:23:04] ch007m, currently the late AFAIK > [13:23:07] later * > [13:34:33] ch007m: presently it'll show you nice API docs > based upon the swagger doc - however, we're looking at how we might > evolve that in future > [13:34:56] e.g. testing the api > > Question : Where can I see from the ApiMan the API docs based upon the > swagger doc ? > > Idea : As Swagger API allows to define authorization, that could be > interesting to import the Swagger Doc of a service in order to generate > the services. > > Regards, > > Charles > _______________________________________________ > Apiman-user mailing list > Apiman-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/apiman-user > From eric.wittmann at redhat.com Thu Aug 6 09:00:43 2015 From: eric.wittmann at redhat.com (Eric Wittmann) Date: Thu, 6 Aug 2015 09:00:43 -0400 Subject: [Apiman-user] ApiMan & Swagger Doc In-Reply-To: <55C35981.9040607@redhat.com> References: <55C3531A.7010107@redhat.com> <55C35981.9040607@redhat.com> Message-ID: <55C35A7B.4090803@redhat.com> This is a much more concise and equally accurate response. :) -Eric On 8/6/2015 8:56 AM, Marc Savy wrote: > Hi Charles, > > This blog post should give you an idea of what the current capabilities > of apiman plus swagger are: > http://www.apiman.io/blog/api-manager/swagger/service/ui/2015/06/02/swagger.html > > I think what you're asking for falls under the 1.3 section of our > roadmap http://www.apiman.io/latest/roadmap.html > > Regards, > Marc > > On 06/08/2015 13:29, Charles Moulliard wrote: >> Hi, >> >> The APiman GUI Web Interface allows to add the Swagger JSON/YAML - >> Service Defintion >> (https://www.dropbox.com/s/rakl089j6ylzwg9/Screenshot%202015-08-06%2013.21.43.png?dl=0). >> Is it used by Apiman or only present for doc purpose ? >> >> Response >> >> [13:23:04] ch007m, currently the late AFAIK >> [13:23:07] later * >> [13:34:33] ch007m: presently it'll show you nice API docs >> based upon the swagger doc - however, we're looking at how we might >> evolve that in future >> [13:34:56] e.g. testing the api >> >> Question : Where can I see from the ApiMan the API docs based upon the >> swagger doc ? >> >> Idea : As Swagger API allows to define authorization, that could be >> interesting to import the Swagger Doc of a service in order to generate >> the services. >> >> Regards, >> >> Charles >> _______________________________________________ >> Apiman-user mailing list >> Apiman-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/apiman-user >> > > _______________________________________________ > Apiman-user mailing list > Apiman-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/apiman-user > From cmoulliard at redhat.com Fri Aug 7 05:09:02 2015 From: cmoulliard at redhat.com (Charles Moulliard) Date: Fri, 7 Aug 2015 11:09:02 +0200 Subject: [Apiman-user] @timestamp field Message-ID: <55C475AE.3090401@redhat.com> Hi, Do we have a @timestamp field into Elasticsearch db to plot histogram of the requests - https://www.dropbox.com/s/pnd7zh0rierbt9d/Screenshot%202015-08-07%2011.06.00.png?dl=0 in Kibana ? Regards, -- Charles Moulliard Principal Solution Architect / JBoss Fuse Expert - Global Enablement @redhat cmoulliard at redhat.com | work: +31 205 65 12 84 | mobile: +32 473 604 014 MC-Square Business "Stockholm", Leonardo Da Vincilaan 19, Diegem 1831 - Belgium twitter: @cmoulliard | blog: cmoulliard.github.io committer: apache camel, karaf, servicemix, hawtio, fabric8, drools, jbpm, deltaspike -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/apiman-user/attachments/20150807/511eb007/attachment-0001.html From msavy at redhat.com Fri Aug 7 05:30:07 2015 From: msavy at redhat.com (Marc Savy) Date: Fri, 7 Aug 2015 05:30:07 -0400 (EDT) Subject: [Apiman-user] @timestamp field In-Reply-To: <55C475AE.3090401@redhat.com> References: <55C475AE.3090401@redhat.com> Message-ID: <1722605782.8046255.1438939807810.JavaMail.zimbra@redhat.com> To share my IRC response with everyone: 10:15 msavy: there are a bunch of different timestamps depends which one you want to use, really perhaps requestStart is the best choice To give some context, there are several timestamps we collecting, including requestStart/requestEnd, serviceStart/serviceEnd, etc. Which one makes most sense as a canonical @timestamp is up to you, but I'd think perhaps `requestStart` makes most sense. ----- Original Message ----- From: "Charles Moulliard" To: apiman-user at lists.jboss.org Sent: Friday, 7 August, 2015 10:09:02 AM Subject: [Apiman-user] @timestamp field Hi, Do we have a @timestamp field into Elasticsearch db to plot histogram of the requests - https://www.dropbox.com/s/pnd7zh0rierbt9d/Screenshot%202015-08-07%2011.06.00.png?dl=0 in Kibana ? Regards, -- Charles Moulliard Principal Solution Architect / JBoss Fuse Expert - Global Enablement @redhat cmoulliard at redhat.com | work: +31 205 65 12 84 | mobile: +32 473 604 014 MC-Square Business "Stockholm", Leonardo Da Vincilaan 19, Diegem 1831 - Belgium twitter: @cmoulliard | blog: cmoulliard.github.io committer: apache camel, karaf, servicemix, hawtio, fabric8, drools, jbpm, deltaspike _______________________________________________ Apiman-user mailing list Apiman-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/apiman-user From eric.wittmann at redhat.com Fri Aug 7 10:13:11 2015 From: eric.wittmann at redhat.com (Eric Wittmann) Date: Fri, 7 Aug 2015 10:13:11 -0400 Subject: [Apiman-user] @timestamp field In-Reply-To: <1722605782.8046255.1438939807810.JavaMail.zimbra@redhat.com> References: <55C475AE.3090401@redhat.com> <1722605782.8046255.1438939807810.JavaMail.zimbra@redhat.com> Message-ID: <55C4BCF7.2010205@redhat.com> +1 - all the existing date histogram style metrics in apiman go off the requestStart field. For reference, the list of all fields stored in ES: https://github.com/apiman/apiman/blob/master/gateway/engine/core/src/main/java/io/apiman/gateway/engine/metrics/RequestMetric.java#L33-L56 On 8/7/2015 5:30 AM, Marc Savy wrote: > To share my IRC response with everyone: > > 10:15 msavy: > there are a bunch of different timestamps > depends which one you want to use, really > perhaps requestStart is the best choice > > To give some context, there are several timestamps we collecting, including requestStart/requestEnd, serviceStart/serviceEnd, etc. Which one makes most sense as a canonical @timestamp is up to you, but I'd think perhaps `requestStart` makes most sense. > > > ----- Original Message ----- > From: "Charles Moulliard" > To: apiman-user at lists.jboss.org > Sent: Friday, 7 August, 2015 10:09:02 AM > Subject: [Apiman-user] @timestamp field > > Hi, > > Do we have a @timestamp field into Elasticsearch db to plot histogram of the requests - https://www.dropbox.com/s/pnd7zh0rierbt9d/Screenshot%202015-08-07%2011.06.00.png?dl=0 in Kibana ? > > Regards, > From fadiabdeen at gmail.com Mon Aug 10 08:56:38 2015 From: fadiabdeen at gmail.com (Fadi Abdin) Date: Mon, 10 Aug 2015 08:56:38 -0400 Subject: [Apiman-user] Token is not active. Message-ID: I keep getting occasional "Token is not active." on they keycloak side occasionally . its really frustrating , i cant figure out what could cause this to happen. everything seems correct. Is there caching between API Man and Keycloak i can turn off ? Have anyone seeen this behavior ? Thanks, Fadi Express.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/apiman-user/attachments/20150810/69e9a10e/attachment.html From eric.wittmann at redhat.com Mon Aug 10 13:00:54 2015 From: eric.wittmann at redhat.com (Eric Wittmann) Date: Mon, 10 Aug 2015 13:00:54 -0400 Subject: [Apiman-user] Token is not active. In-Reply-To: References: Message-ID: <55C8D8C6.8020203@redhat.com> How often does this occur? What is the result? I assume this is triggering a re-login in the UI? There is no caching on the apiman side. However the tokens issued by keycloak to the apiman UI do have an expiration. You could try logging into the keycloak auth admin UI and increasing the lifespan of the tokens. Any more details you can provide would be great. -Eric On 8/10/2015 8:56 AM, Fadi Abdin wrote: > I keep getting occasional "Token is not active." on they keycloak side > occasionally . its really frustrating , i cant figure out what could > cause this to happen. everything seems correct. > > Is there caching between API Man and Keycloak i can turn off ? Have > anyone seeen this behavior ? > > Thanks, > Fadi > Express.com > > > _______________________________________________ > Apiman-user mailing list > Apiman-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/apiman-user > From ijlal.hzt at gmail.com Tue Aug 11 03:39:55 2015 From: ijlal.hzt at gmail.com (Ijlal EL HAZITI) Date: Tue, 11 Aug 2015 09:39:55 +0200 Subject: [Apiman-user] how apiman handles errors Message-ID: Good morning, I'd like to know how Apiman handles errors coming from the APIs. I have Rest web Services, a ESB and Apiman on the top, no matter what the error generated by the Rest web service (404, 416, 412...) , Apiman always displays an error code 500. Why Apiman behaves this way? How can I have on apiman the same error codes as those generated by the web service? Thank you -- Cordialement IjlaL EL HAZITI *Etudiant Ing?nieur Etudes et D?veloppement* *UBO - Master Professionnel de d?veloppement ? l'offshore des SI* *FSK - Master Sp?cialis? Qualit? du Logiciel* -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/apiman-user/attachments/20150811/b579a7de/attachment.html From marc.savy at redhat.com Tue Aug 11 04:16:48 2015 From: marc.savy at redhat.com (Marc Savy) Date: Tue, 11 Aug 2015 09:16:48 +0100 Subject: [Apiman-user] Token is not active. In-Reply-To: <55C8D8C6.8020203@redhat.com> References: <55C8D8C6.8020203@redhat.com> Message-ID: <55C9AF70.2030501@redhat.com> I think this may pertain to the Keycloak OAuth2 token. In which case, I provided Fadi with a version containing additional logging to see if we could track the issue down. It's not an issue I've ever been able to replicate, and we don't fiddle with the token data in any way, so I don't really see how we could affect things. My only suggestions are to ensure that time is accurate on all of the systems (NTP, Chronyd, etc), and I believe this has already been done. On 10/08/2015 18:00, Eric Wittmann wrote: > How often does this occur? What is the result? > > I assume this is triggering a re-login in the UI? > > There is no caching on the apiman side. However the tokens issued by > keycloak to the apiman UI do have an expiration. You could try logging > into the keycloak auth admin UI and increasing the lifespan of the tokens. > > Any more details you can provide would be great. > > -Eric > > On 8/10/2015 8:56 AM, Fadi Abdin wrote: >> I keep getting occasional "Token is not active." on they keycloak side >> occasionally . its really frustrating , i cant figure out what could >> cause this to happen. everything seems correct. >> >> Is there caching between API Man and Keycloak i can turn off ? Have >> anyone seeen this behavior ? >> >> Thanks, >> Fadi >> Express.com >> >> >> _______________________________________________ >> Apiman-user mailing list >> Apiman-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/apiman-user >> > _______________________________________________ > Apiman-user mailing list > Apiman-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/apiman-user > From eric.wittmann at redhat.com Tue Aug 11 07:51:51 2015 From: eric.wittmann at redhat.com (Eric Wittmann) Date: Tue, 11 Aug 2015 07:51:51 -0400 Subject: [Apiman-user] how apiman handles errors In-Reply-To: References: Message-ID: <55C9E1D7.5080502@redhat.com> apiman is supposed to pass back whatever error message was returned by the back end service. I think you're probably hitting up against this bug: https://issues.jboss.org/browse/APIMAN-457 I am hoping to have that fixed in the next version. -Eric On 8/11/2015 3:39 AM, Ijlal EL HAZITI wrote: > Good morning, > > I'd like to know how Apiman handles errors coming from the APIs. > I have Rest web Services, a ESB and Apiman on the top, no matter what > the error generated by the Rest web service (404, 416, 412...) , > Apiman always displays an error code 500. > > Why Apiman behaves this way? How can I have on apiman the same error > codes as those generated by the web service? > > Thank you > > -- > Cordialement > IjlaL EL HAZITI > * > * > *Etudiant Ing?nieur Etudes et D?veloppement* > *UBO - Master Professionnel de d?veloppement ? l'offshore des SI > * > *FSK - Master Sp?cialis? Qualit? du Logiciel* > > > _______________________________________________ > Apiman-user mailing list > Apiman-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/apiman-user > From 00hf11 at gmail.com Wed Aug 12 15:23:44 2015 From: 00hf11 at gmail.com (Helio Frota) Date: Wed, 12 Aug 2015 16:23:44 -0300 Subject: [Apiman-user] Token is not active. In-Reply-To: <55C9AF70.2030501@redhat.com> References: <55C8D8C6.8020203@redhat.com> <55C9AF70.2030501@redhat.com> Message-ID: hi all , I get this one too. I don't know if i clicked on some button or link or just error arise from another dimension. *16:06:37,817 INFO* [stdout] (default task-59) Updated plan: PlanBean [organization=OrganizationBean [id=HeavyMetalOrg, name=HeavyMetalOrg, description=The Heavy Metal Universe, createdBy=admin, createdOn=2015-08-12 15:57:02.829, modifiedBy=admin, modifiedOn=2015-08-12 15:57:02.829], id=soundsLikeAPlan, name=soundsLikeAPlan, description=454test, createdBy=admin, createdOn=2015-08-12 15:59:41.355] *16:07:56,984 INFO* [stdout] (default task-6) Getting info for user admin *16:09:27,427 ERROR* [org.keycloak.adapters.BearerTokenRequestAuthenticator] (default task-28) Failed to verify token: org.keycloak.VerificationException: Token is not active. at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:46) [keycloak-core-1.2.0.Final.jar:1.2.0.Final] at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:16) [keycloak-core-1.2.0.Final.jar:1.2.0.Final] at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken(BearerTokenRequestAuthenticator.java:67) [keycloak-adapter-core-1.2.0.Final.jar:1.2.0.Final] at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(BearerTokenRequestAuthenticator.java:62) [keycloak-adapter-core-1.2.0.Final.jar:1.2.0.Final] at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:45) [keycloak-adapter-core-1.2.0.Final.jar:1.2.0.Final] at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:114) [keycloak-undertow-adapter-1.2.0.Final.jar:1.2.0.Final] at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:94) [keycloak-undertow-adapter-1.2.0.Final.jar:1.2.0.Final] at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:281) [undertow-core-1.1.0.Final.jar:1.1.0.Final] at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:298) [undertow-core-1.1.0.Final.jar:1.1.0.Final] at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:268) [undertow-core-1.1.0.Final.jar:1.1.0.Final] at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:131) [undertow-core-1.1.0.Final.jar:1.1.0.Final] at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:106) [undertow-core-1.1.0.Final.jar:1.1.0.Final] at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:99) [undertow-core-1.1.0.Final.jar:1.1.0.Final] at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:54) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33) [undertow-core-1.1.0.Final.jar:1.1.0.Final] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final] at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) [undertow-core-1.1.0.Final.jar:1.1.0.Final] at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.1.0.Final.jar:1.1.0.Final] at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:63) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.1.0.Final.jar:1.1.0.Final] at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.1.0.Final.jar:1.1.0.Final] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final] at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final] at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69) [keycloak-undertow-adapter-1.2.0.Final.jar:1.2.0.Final] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final] at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:166) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] at io.undertow.server.Connectors.executeRootHandler(Connectors.java:197) [undertow-core-1.1.0.Final.jar:1.1.0.Final] at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759) [undertow-core-1.1.0.Final.jar:1.1.0.Final] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_45] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_45] at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_45] On Tue, Aug 11, 2015 at 5:16 AM, Marc Savy wrote: > I think this may pertain to the Keycloak OAuth2 token. In which case, I > provided Fadi with a version containing additional logging to see if we > could track the issue down. > > It's not an issue I've ever been able to replicate, and we don't fiddle > with the token data in any way, so I don't really see how we could > affect things. > > My only suggestions are to ensure that time is accurate on all of the > systems (NTP, Chronyd, etc), and I believe this has already been done. > > On 10/08/2015 18:00, Eric Wittmann wrote: > > How often does this occur? What is the result? > > > > I assume this is triggering a re-login in the UI? > > > > There is no caching on the apiman side. However the tokens issued by > > keycloak to the apiman UI do have an expiration. You could try logging > > into the keycloak auth admin UI and increasing the lifespan of the > tokens. > > > > Any more details you can provide would be great. > > > > -Eric > > > > On 8/10/2015 8:56 AM, Fadi Abdin wrote: > >> I keep getting occasional "Token is not active." on they keycloak side > >> occasionally . its really frustrating , i cant figure out what could > >> cause this to happen. everything seems correct. > >> > >> Is there caching between API Man and Keycloak i can turn off ? Have > >> anyone seeen this behavior ? > >> > >> Thanks, > >> Fadi > >> Express.com > >> > >> > >> _______________________________________________ > >> Apiman-user mailing list > >> Apiman-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/apiman-user > >> > > _______________________________________________ > > Apiman-user mailing list > > Apiman-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/apiman-user > > > > _______________________________________________ > Apiman-user mailing list > Apiman-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/apiman-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/apiman-user/attachments/20150812/435b6f4a/attachment-0001.html From eric.wittmann at redhat.com Wed Aug 12 15:36:25 2015 From: eric.wittmann at redhat.com (Eric Wittmann) Date: Wed, 12 Aug 2015 15:36:25 -0400 Subject: [Apiman-user] Token is not active. In-Reply-To: References: <55C8D8C6.8020203@redhat.com> <55C9AF70.2030501@redhat.com> Message-ID: <55CBA039.8040509@redhat.com> Is this something you can reproduce? Or just something that happened once? What did you experience when this occurred? Did you get sent to the login page? Did you get a blank page? Error in the UI? -Eric On 8/12/2015 3:23 PM, Helio Frota wrote: > hi all , > > I get this one too. > > I don't know if i clicked on some button or link or just error arise > from another dimension. > > *16:06:37,817 INFO* [stdout] (default task-59) Updated plan: PlanBean > [organization=OrganizationBean [id=HeavyMetalOrg, name=HeavyMetalOrg, > description=The Heavy Metal Universe, createdBy=admin, > createdOn=2015-08-12 15:57:02.829, modifiedBy=admin, > modifiedOn=2015-08-12 15:57:02.829], id=soundsLikeAPlan, > name=soundsLikeAPlan, description=454test, createdBy=admin, > createdOn=2015-08-12 15:59:41.355] > *16:07:56,984 INFO* [stdout] (default task-6) Getting info for user admin > *16:09:27,427 ERROR* > [org.keycloak.adapters.BearerTokenRequestAuthenticator] (default > task-28) Failed to verify token: org.keycloak.VerificationException: > Token is not active. > at > org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:46) > [keycloak-core-1.2.0.Final.jar:1.2.0.Final] > at > org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:16) > [keycloak-core-1.2.0.Final.jar:1.2.0.Final] > at > org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken(BearerTokenRequestAuthenticator.java:67) > [keycloak-adapter-core-1.2.0.Final.jar:1.2.0.Final] > at > org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(BearerTokenRequestAuthenticator.java:62) > [keycloak-adapter-core-1.2.0.Final.jar:1.2.0.Final] > at > org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:45) > [keycloak-adapter-core-1.2.0.Final.jar:1.2.0.Final] > at > org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:114) > [keycloak-undertow-adapter-1.2.0.Final.jar:1.2.0.Final] > at > org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:94) > [keycloak-undertow-adapter-1.2.0.Final.jar:1.2.0.Final] > at > io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:281) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:298) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:268) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:131) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:106) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:99) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:54) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:63) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69) > [keycloak-undertow-adapter-1.2.0.Final.jar:1.2.0.Final] > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:166) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.server.Connectors.executeRootHandler(Connectors.java:197) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > [rt.jar:1.8.0_45] > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > [rt.jar:1.8.0_45] > at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_45] > > > > > > On Tue, Aug 11, 2015 at 5:16 AM, Marc Savy > wrote: > > I think this may pertain to the Keycloak OAuth2 token. In which case, I > provided Fadi with a version containing additional logging to see if we > could track the issue down. > > It's not an issue I've ever been able to replicate, and we don't fiddle > with the token data in any way, so I don't really see how we could > affect things. > > My only suggestions are to ensure that time is accurate on all of the > systems (NTP, Chronyd, etc), and I believe this has already been done. > > On 10/08/2015 18:00, Eric Wittmann wrote: > > How often does this occur? What is the result? > > > > I assume this is triggering a re-login in the UI? > > > > There is no caching on the apiman side. However the tokens issued by > > keycloak to the apiman UI do have an expiration. You could try > logging > > into the keycloak auth admin UI and increasing the lifespan of > the tokens. > > > > Any more details you can provide would be great. > > > > -Eric > > > > On 8/10/2015 8:56 AM, Fadi Abdin wrote: > >> I keep getting occasional "Token is not active." on they > keycloak side > >> occasionally . its really frustrating , i cant figure out what could > >> cause this to happen. everything seems correct. > >> > >> Is there caching between API Man and Keycloak i can turn off ? Have > >> anyone seeen this behavior ? > >> > >> Thanks, > >> Fadi > >> Express.com > >> > >> > >> _______________________________________________ > >> Apiman-user mailing list > >> Apiman-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/apiman-user > >> > > _______________________________________________ > > Apiman-user mailing list > > Apiman-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/apiman-user > > > > _______________________________________________ > Apiman-user mailing list > Apiman-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/apiman-user > > > > > _______________________________________________ > Apiman-user mailing list > Apiman-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/apiman-user > From 00hf11 at gmail.com Wed Aug 12 15:40:12 2015 From: 00hf11 at gmail.com (Helio Frota) Date: Wed, 12 Aug 2015 16:40:12 -0300 Subject: [Apiman-user] Token is not active. In-Reply-To: <55CBA039.8040509@redhat.com> References: <55C8D8C6.8020203@redhat.com> <55C9AF70.2030501@redhat.com> <55CBA039.8040509@redhat.com> Message-ID: Is this something you can reproduce? Or just something that happened once? unfortunately no. just once. What did you experience when this occurred? Did you get sent to the login page? Did you get a blank page? Error in the UI? nothing, just navigating , clicking etc.. no blank page or error in the UI. On Wed, Aug 12, 2015 at 4:36 PM, Eric Wittmann wrote: > Is this something you can reproduce? Or just something that happened once? > > What did you experience when this occurred? Did you get sent to the login > page? Did you get a blank page? Error in the UI? > > -Eric > > On 8/12/2015 3:23 PM, Helio Frota wrote: > >> hi all , >> >> I get this one too. >> >> I don't know if i clicked on some button or link or just error arise >> from another dimension. >> >> *16:06:37,817 INFO* [stdout] (default task-59) Updated plan: PlanBean >> [organization=OrganizationBean [id=HeavyMetalOrg, name=HeavyMetalOrg, >> description=The Heavy Metal Universe, createdBy=admin, >> createdOn=2015-08-12 15:57:02.829, modifiedBy=admin, >> modifiedOn=2015-08-12 15:57:02.829], id=soundsLikeAPlan, >> name=soundsLikeAPlan, description=454test, createdBy=admin, >> createdOn=2015-08-12 15:59:41.355] >> *16:07:56,984 INFO* [stdout] (default task-6) Getting info for user admin >> *16:09:27,427 ERROR* >> >> [org.keycloak.adapters.BearerTokenRequestAuthenticator] (default >> task-28) Failed to verify token: org.keycloak.VerificationException: >> Token is not active. >> at >> org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:46) >> [keycloak-core-1.2.0.Final.jar:1.2.0.Final] >> at >> org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:16) >> [keycloak-core-1.2.0.Final.jar:1.2.0.Final] >> at >> >> org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken(BearerTokenRequestAuthenticator.java:67) >> [keycloak-adapter-core-1.2.0.Final.jar:1.2.0.Final] >> at >> >> org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(BearerTokenRequestAuthenticator.java:62) >> [keycloak-adapter-core-1.2.0.Final.jar:1.2.0.Final] >> at >> >> org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:45) >> [keycloak-adapter-core-1.2.0.Final.jar:1.2.0.Final] >> at >> >> org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:114) >> [keycloak-undertow-adapter-1.2.0.Final.jar:1.2.0.Final] >> at >> >> org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:94) >> [keycloak-undertow-adapter-1.2.0.Final.jar:1.2.0.Final] >> at >> >> io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:281) >> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >> at >> >> io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:298) >> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >> at >> >> io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:268) >> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >> at >> >> io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:131) >> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >> at >> >> io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:106) >> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >> at >> >> io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:99) >> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >> at >> >> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:54) >> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] >> at >> >> io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33) >> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >> at >> >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >> at >> >> io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) >> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >> at >> >> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) >> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >> at >> >> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:63) >> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] >> at >> >> io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) >> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] >> at >> >> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) >> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >> at >> >> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) >> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] >> at >> >> io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) >> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >> at >> >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >> at >> >> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) >> at >> >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >> at >> >> org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69) >> [keycloak-undertow-adapter-1.2.0.Final.jar:1.2.0.Final] >> at >> >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >> at >> >> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261) >> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] >> at >> >> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247) >> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] >> at >> >> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76) >> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] >> at >> >> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:166) >> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] >> at >> io.undertow.server.Connectors.executeRootHandler(Connectors.java:197) >> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >> at >> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759) >> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >> at >> >> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) >> [rt.jar:1.8.0_45] >> at >> >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) >> [rt.jar:1.8.0_45] >> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_45] >> >> >> >> >> >> On Tue, Aug 11, 2015 at 5:16 AM, Marc Savy > > wrote: >> >> I think this may pertain to the Keycloak OAuth2 token. In which case, >> I >> provided Fadi with a version containing additional logging to see if >> we >> could track the issue down. >> >> It's not an issue I've ever been able to replicate, and we don't >> fiddle >> with the token data in any way, so I don't really see how we could >> affect things. >> >> My only suggestions are to ensure that time is accurate on all of the >> systems (NTP, Chronyd, etc), and I believe this has already been done. >> >> On 10/08/2015 18:00, Eric Wittmann wrote: >> > How often does this occur? What is the result? >> > >> > I assume this is triggering a re-login in the UI? >> > >> > There is no caching on the apiman side. However the tokens issued >> by >> > keycloak to the apiman UI do have an expiration. You could try >> logging >> > into the keycloak auth admin UI and increasing the lifespan of >> the tokens. >> > >> > Any more details you can provide would be great. >> > >> > -Eric >> > >> > On 8/10/2015 8:56 AM, Fadi Abdin wrote: >> >> I keep getting occasional "Token is not active." on they >> keycloak side >> >> occasionally . its really frustrating , i cant figure out what >> could >> >> cause this to happen. everything seems correct. >> >> >> >> Is there caching between API Man and Keycloak i can turn off ? >> Have >> >> anyone seeen this behavior ? >> >> >> >> Thanks, >> >> Fadi >> >> Express.com >> >> >> >> >> >> _______________________________________________ >> >> Apiman-user mailing list >> >> Apiman-user at lists.jboss.org >> >> https://lists.jboss.org/mailman/listinfo/apiman-user >> >> >> > _______________________________________________ >> > Apiman-user mailing list >> > Apiman-user at lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/apiman-user >> > >> >> _______________________________________________ >> Apiman-user mailing list >> Apiman-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/apiman-user >> >> >> >> >> _______________________________________________ >> Apiman-user mailing list >> Apiman-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/apiman-user >> >> -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/apiman-user/attachments/20150812/963e4fbc/attachment-0001.html From 00hf11 at gmail.com Wed Aug 12 15:46:14 2015 From: 00hf11 at gmail.com (Helio Frota) Date: Wed, 12 Aug 2015 16:46:14 -0300 Subject: [Apiman-user] Token is not active. In-Reply-To: References: <55C8D8C6.8020203@redhat.com> <55C9AF70.2030501@redhat.com> <55CBA039.8040509@redhat.com> Message-ID: *16:07:56,984 INFO* [stdout] (default task-6) Getting info for user admin *16:09:27,427 ERROR* [org.keycloak.adapters.BearerTokenRequestAuthenticator] (default task-28) Failed to verify token: org.keycloak. almost 2 min of inactivity.. but i did a try with more minutes and no errors ... *16:36*:09,869 INFO [stdout] (default task-8) Got organization HeavyMetalOrg: OrganizationBean [id=HeavyMetalOrg, name=HeavyMetalOrg, description=The Heavy Metal Universe, createdBy=admin, createdOn=2015-08-12 15:57:02.829, modifiedBy=admin, modifiedOn=2015-08-12 15:57:02.829] *16:42*:06,805 INFO [stdout] (default task-9) Getting info for user admin On Wed, Aug 12, 2015 at 4:40 PM, Helio Frota <00hf11 at gmail.com> wrote: > Is this something you can reproduce? Or just something that happened once? > > unfortunately no. just once. > > What did you experience when this occurred? Did you get sent to the login > page? Did you get a blank page? Error in the UI? > > nothing, just navigating , clicking etc.. no blank page or error in the UI. > > > > > > > > > On Wed, Aug 12, 2015 at 4:36 PM, Eric Wittmann > wrote: > >> Is this something you can reproduce? Or just something that happened >> once? >> >> What did you experience when this occurred? Did you get sent to the >> login page? Did you get a blank page? Error in the UI? >> >> -Eric >> >> On 8/12/2015 3:23 PM, Helio Frota wrote: >> >>> hi all , >>> >>> I get this one too. >>> >>> I don't know if i clicked on some button or link or just error arise >>> from another dimension. >>> >>> *16:06:37,817 INFO* [stdout] (default task-59) Updated plan: PlanBean >>> [organization=OrganizationBean [id=HeavyMetalOrg, name=HeavyMetalOrg, >>> description=The Heavy Metal Universe, createdBy=admin, >>> createdOn=2015-08-12 15:57:02.829, modifiedBy=admin, >>> modifiedOn=2015-08-12 15:57:02.829], id=soundsLikeAPlan, >>> name=soundsLikeAPlan, description=454test, createdBy=admin, >>> createdOn=2015-08-12 15:59:41.355] >>> *16:07:56,984 INFO* [stdout] (default task-6) Getting info for user >>> admin >>> *16:09:27,427 ERROR* >>> >>> [org.keycloak.adapters.BearerTokenRequestAuthenticator] (default >>> task-28) Failed to verify token: org.keycloak.VerificationException: >>> Token is not active. >>> at >>> org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:46) >>> [keycloak-core-1.2.0.Final.jar:1.2.0.Final] >>> at >>> org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:16) >>> [keycloak-core-1.2.0.Final.jar:1.2.0.Final] >>> at >>> >>> org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken(BearerTokenRequestAuthenticator.java:67) >>> [keycloak-adapter-core-1.2.0.Final.jar:1.2.0.Final] >>> at >>> >>> org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(BearerTokenRequestAuthenticator.java:62) >>> [keycloak-adapter-core-1.2.0.Final.jar:1.2.0.Final] >>> at >>> >>> org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:45) >>> [keycloak-adapter-core-1.2.0.Final.jar:1.2.0.Final] >>> at >>> >>> org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:114) >>> [keycloak-undertow-adapter-1.2.0.Final.jar:1.2.0.Final] >>> at >>> >>> org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:94) >>> [keycloak-undertow-adapter-1.2.0.Final.jar:1.2.0.Final] >>> at >>> >>> io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:281) >>> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >>> at >>> >>> io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:298) >>> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >>> at >>> >>> io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:268) >>> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >>> at >>> >>> io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:131) >>> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >>> at >>> >>> io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:106) >>> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >>> at >>> >>> io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:99) >>> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >>> at >>> >>> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:54) >>> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] >>> at >>> >>> io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33) >>> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >>> at >>> >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >>> at >>> >>> io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) >>> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >>> at >>> >>> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) >>> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >>> at >>> >>> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:63) >>> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] >>> at >>> >>> io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) >>> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] >>> at >>> >>> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) >>> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >>> at >>> >>> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) >>> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] >>> at >>> >>> io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) >>> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >>> at >>> >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >>> at >>> >>> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) >>> at >>> >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >>> at >>> >>> org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69) >>> [keycloak-undertow-adapter-1.2.0.Final.jar:1.2.0.Final] >>> at >>> >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >>> at >>> >>> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261) >>> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] >>> at >>> >>> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247) >>> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] >>> at >>> >>> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76) >>> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] >>> at >>> >>> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:166) >>> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] >>> at >>> io.undertow.server.Connectors.executeRootHandler(Connectors.java:197) >>> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >>> at >>> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759) >>> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >>> at >>> >>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) >>> [rt.jar:1.8.0_45] >>> at >>> >>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) >>> [rt.jar:1.8.0_45] >>> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_45] >>> >>> >>> >>> >>> >>> On Tue, Aug 11, 2015 at 5:16 AM, Marc Savy >> > wrote: >>> >>> I think this may pertain to the Keycloak OAuth2 token. In which >>> case, I >>> provided Fadi with a version containing additional logging to see if >>> we >>> could track the issue down. >>> >>> It's not an issue I've ever been able to replicate, and we don't >>> fiddle >>> with the token data in any way, so I don't really see how we could >>> affect things. >>> >>> My only suggestions are to ensure that time is accurate on all of the >>> systems (NTP, Chronyd, etc), and I believe this has already been >>> done. >>> >>> On 10/08/2015 18:00, Eric Wittmann wrote: >>> > How often does this occur? What is the result? >>> > >>> > I assume this is triggering a re-login in the UI? >>> > >>> > There is no caching on the apiman side. However the tokens >>> issued by >>> > keycloak to the apiman UI do have an expiration. You could try >>> logging >>> > into the keycloak auth admin UI and increasing the lifespan of >>> the tokens. >>> > >>> > Any more details you can provide would be great. >>> > >>> > -Eric >>> > >>> > On 8/10/2015 8:56 AM, Fadi Abdin wrote: >>> >> I keep getting occasional "Token is not active." on they >>> keycloak side >>> >> occasionally . its really frustrating , i cant figure out what >>> could >>> >> cause this to happen. everything seems correct. >>> >> >>> >> Is there caching between API Man and Keycloak i can turn off ? >>> Have >>> >> anyone seeen this behavior ? >>> >> >>> >> Thanks, >>> >> Fadi >>> >> Express.com >>> >> >>> >> >>> >> _______________________________________________ >>> >> Apiman-user mailing list >>> >> Apiman-user at lists.jboss.org >>> >> https://lists.jboss.org/mailman/listinfo/apiman-user >>> >> >>> > _______________________________________________ >>> > Apiman-user mailing list >>> > Apiman-user at lists.jboss.org >>> > https://lists.jboss.org/mailman/listinfo/apiman-user >>> > >>> >>> _______________________________________________ >>> Apiman-user mailing list >>> Apiman-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/apiman-user >>> >>> >>> >>> >>> _______________________________________________ >>> Apiman-user mailing list >>> Apiman-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/apiman-user >>> >>> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/apiman-user/attachments/20150812/2ae7003f/attachment.html From eric.wittmann at redhat.com Thu Aug 13 07:57:33 2015 From: eric.wittmann at redhat.com (Eric Wittmann) Date: Thu, 13 Aug 2015 07:57:33 -0400 Subject: [Apiman-user] Token is not active. In-Reply-To: References: <55C8D8C6.8020203@redhat.com> <55C9AF70.2030501@redhat.com> <55CBA039.8040509@redhat.com>

Message-ID: <55CC862D.1000100@redhat.com> In all these cases the UI kept working OK? Did you ever get any sort of failure in the UI? Example: missing data, page load failure, etc? -Eric On 8/12/2015 3:46 PM, Helio Frota wrote: > *16:07:56,984 INFO* [stdout] (default task-6) Getting info for user admin > *16:09:27,427 ERROR* > [org.keycloak.adapters.BearerTokenRequestAuthenticator] (default > task-28) Failed to verify token: org.keycloak. > > almost 2 min of inactivity.. > > but i did a try with more minutes and no errors ... > > *16:36*:09,869 INFO [stdout] (default task-8) Got organization > HeavyMetalOrg: OrganizationBean [id=HeavyMetalOrg, name=HeavyMetalOrg, > description=The Heavy Metal Universe, createdBy=admin, > createdOn=2015-08-12 15:57:02.829, modifiedBy=admin, > modifiedOn=2015-08-12 15:57:02.829] > *16:42*:06,805 INFO [stdout] (default task-9) Getting info for user admin > > > > On Wed, Aug 12, 2015 at 4:40 PM, Helio Frota <00hf11 at gmail.com > > wrote: > > Is this something you can reproduce? Or just something that > happened once? > > unfortunately no. just once. > > What did you experience when this occurred? Did you get sent to the > login page? Did you get a blank page? Error in the UI? > > nothing, just navigating , clicking etc.. no blank page or error in > the UI. > > > > > > > > > On Wed, Aug 12, 2015 at 4:36 PM, Eric Wittmann > > wrote: > > Is this something you can reproduce? Or just something that > happened once? > > What did you experience when this occurred? Did you get sent to > the login page? Did you get a blank page? Error in the UI? > > -Eric > > On 8/12/2015 3:23 PM, Helio Frota wrote: > > hi all , > > I get this one too. > > I don't know if i clicked on some button or link or just > error arise > from another dimension. > > *16:06:37,817 INFO* [stdout] (default task-59) Updated > plan: PlanBean > [organization=OrganizationBean [id=HeavyMetalOrg, > name=HeavyMetalOrg, > description=The Heavy Metal Universe, createdBy=admin, > createdOn=2015-08-12 15:57:02.829, modifiedBy=admin, > modifiedOn=2015-08-12 15:57:02.829], id=soundsLikeAPlan, > name=soundsLikeAPlan, description=454test, createdBy=admin, > createdOn=2015-08-12 15:59:41.355] > *16:07:56,984 INFO* [stdout] (default task-6) Getting info > for user admin > *16:09:27,427 ERROR* > > [org.keycloak.adapters.BearerTokenRequestAuthenticator] (default > task-28) Failed to verify token: > org.keycloak.VerificationException: > Token is not active. > at > org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:46) > [keycloak-core-1.2.0.Final.jar:1.2.0.Final] > at > org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:16) > [keycloak-core-1.2.0.Final.jar:1.2.0.Final] > at > org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken(BearerTokenRequestAuthenticator.java:67) > [keycloak-adapter-core-1.2.0.Final.jar:1.2.0.Final] > at > org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(BearerTokenRequestAuthenticator.java:62) > [keycloak-adapter-core-1.2.0.Final.jar:1.2.0.Final] > at > org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:45) > [keycloak-adapter-core-1.2.0.Final.jar:1.2.0.Final] > at > org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:114) > [keycloak-undertow-adapter-1.2.0.Final.jar:1.2.0.Final] > at > org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:94) > [keycloak-undertow-adapter-1.2.0.Final.jar:1.2.0.Final] > at > io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:281) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:298) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:268) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:131) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:106) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:99) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:54) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:63) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69) > [keycloak-undertow-adapter-1.2.0.Final.jar:1.2.0.Final] > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:166) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.server.Connectors.executeRootHandler(Connectors.java:197) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > [rt.jar:1.8.0_45] > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > [rt.jar:1.8.0_45] > at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_45] > > > > > > On Tue, Aug 11, 2015 at 5:16 AM, Marc Savy > > >> > wrote: > > I think this may pertain to the Keycloak OAuth2 token. > In which case, I > provided Fadi with a version containing additional > logging to see if we > could track the issue down. > > It's not an issue I've ever been able to replicate, and > we don't fiddle > with the token data in any way, so I don't really see > how we could > affect things. > > My only suggestions are to ensure that time is accurate > on all of the > systems (NTP, Chronyd, etc), and I believe this has > already been done. > > On 10/08/2015 18:00, Eric Wittmann wrote: > > How often does this occur? What is the result? > > > > I assume this is triggering a re-login in the UI? > > > > There is no caching on the apiman side. However the > tokens issued by > > keycloak to the apiman UI do have an expiration. > You could try > logging > > into the keycloak auth admin UI and increasing the > lifespan of > the tokens. > > > > Any more details you can provide would be great. > > > > -Eric > > > > On 8/10/2015 8:56 AM, Fadi Abdin wrote: > >> I keep getting occasional "Token is not active." on > they > keycloak side > >> occasionally . its really frustrating , i cant > figure out what could > >> cause this to happen. everything seems correct. > >> > >> Is there caching between API Man and Keycloak i can > turn off ? Have > >> anyone seeen this behavior ? > >> > >> Thanks, > >> Fadi > >> Express.com > >> > >> > >> _______________________________________________ > >> Apiman-user mailing list > >> Apiman-user at lists.jboss.org > >

> > >> https://lists.jboss.org/mailman/listinfo/apiman-user > >> > > _______________________________________________ > > Apiman-user mailing list > > Apiman-user at lists.jboss.org > >

> > > https://lists.jboss.org/mailman/listinfo/apiman-user > > > > _______________________________________________ > Apiman-user mailing list > Apiman-user at lists.jboss.org > >

> > https://lists.jboss.org/mailman/listinfo/apiman-user > > > > > _______________________________________________ > Apiman-user mailing list > Apiman-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/apiman-user > > > > > > _______________________________________________ > Apiman-user mailing list > Apiman-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/apiman-user > From marc.savy at redhat.com Thu Aug 13 08:12:10 2015 From: marc.savy at redhat.com (Marc Savy) Date: Thu, 13 Aug 2015 13:12:10 +0100 Subject: [Apiman-user] Token is not active. In-Reply-To: <55CC862D.1000100@redhat.com> References: <55C8D8C6.8020203@redhat.com> <55C9AF70.2030501@redhat.com> <55CBA039.8040509@redhat.com>

<55CC862D.1000100@redhat.com> Message-ID: <55CC899A.5090308@redhat.com> Hi, I wonder if this is a manifestation of an old bug that was seen on LiveOak: https://issues.jboss.org/browse/LIVEOAK-579 - it looks remarkably similar in character. You can see the relevant source code for the token here: https://github.com/keycloak/keycloak/blob/master/core/src/main/java/org/keycloak/representations/JsonWebToken.java#L84 You can see it's not very complex. So I'll be surprised if the problem is with that side of things - but perhaps. In the past I made a custom version of the keycloak plugin with additional logging. I've updated it, and you can build it below. In the case of the error it'll print out a bunch of information about the token which may help us diagnose the issue (on your gateway machine): git clone https://github.com/msavy/apiman-plugins.git cd apiman-plugins/ git checkout -b keycloak-logging origin/keycloak-logging mvn clean install Now you should be able to load up this 1.1.6-SNAPSHOT version of the plugin and try it out. Regards, Marc On 13/08/2015 12:57, Eric Wittmann wrote: > In all these cases the UI kept working OK? Did you ever get any sort of > failure in the UI? Example: missing data, page load failure, etc? > > -Eric > > On 8/12/2015 3:46 PM, Helio Frota wrote: >> *16:07:56,984 INFO* [stdout] (default task-6) Getting info for user admin >> *16:09:27,427 ERROR* >> [org.keycloak.adapters.BearerTokenRequestAuthenticator] (default >> task-28) Failed to verify token: org.keycloak. >> >> almost 2 min of inactivity.. >> >> but i did a try with more minutes and no errors ... >> >> *16:36*:09,869 INFO [stdout] (default task-8) Got organization >> HeavyMetalOrg: OrganizationBean [id=HeavyMetalOrg, name=HeavyMetalOrg, >> description=The Heavy Metal Universe, createdBy=admin, >> createdOn=2015-08-12 15:57:02.829, modifiedBy=admin, >> modifiedOn=2015-08-12 15:57:02.829] >> *16:42*:06,805 INFO [stdout] (default task-9) Getting info for user admin >> >> >> >> On Wed, Aug 12, 2015 at 4:40 PM, Helio Frota <00hf11 at gmail.com >> > wrote: >> >> Is this something you can reproduce? Or just something that >> happened once? >> >> unfortunately no. just once. >> >> What did you experience when this occurred? Did you get sent to the >> login page? Did you get a blank page? Error in the UI? >> >> nothing, just navigating , clicking etc.. no blank page or error in >> the UI. >> >> >> >> >> >> >> >> >> On Wed, Aug 12, 2015 at 4:36 PM, Eric Wittmann >> > wrote: >> >> Is this something you can reproduce? Or just something that >> happened once? >> >> What did you experience when this occurred? Did you get sent to >> the login page? Did you get a blank page? Error in the UI? >> >> -Eric >> >> On 8/12/2015 3:23 PM, Helio Frota wrote: >> >> hi all , >> >> I get this one too. >> >> I don't know if i clicked on some button or link or just >> error arise >> from another dimension. >> >> *16:06:37,817 INFO* [stdout] (default task-59) Updated >> plan: PlanBean >> [organization=OrganizationBean [id=HeavyMetalOrg, >> name=HeavyMetalOrg, >> description=The Heavy Metal Universe, createdBy=admin, >> createdOn=2015-08-12 15:57:02.829, modifiedBy=admin, >> modifiedOn=2015-08-12 15:57:02.829], id=soundsLikeAPlan, >> name=soundsLikeAPlan, description=454test, createdBy=admin, >> createdOn=2015-08-12 15:59:41.355] >> *16:07:56,984 INFO* [stdout] (default task-6) Getting info >> for user admin >> *16:09:27,427 ERROR* >> >> [org.keycloak.adapters.BearerTokenRequestAuthenticator] (default >> task-28) Failed to verify token: >> org.keycloak.VerificationException: >> Token is not active. >> at >> org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:46) >> [keycloak-core-1.2.0.Final.jar:1.2.0.Final] >> at >> org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:16) >> [keycloak-core-1.2.0.Final.jar:1.2.0.Final] >> at >> org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken(BearerTokenRequestAuthenticator.java:67) >> [keycloak-adapter-core-1.2.0.Final.jar:1.2.0.Final] >> at >> org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(BearerTokenRequestAuthenticator.java:62) >> [keycloak-adapter-core-1.2.0.Final.jar:1.2.0.Final] >> at >> org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:45) >> [keycloak-adapter-core-1.2.0.Final.jar:1.2.0.Final] >> at >> org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:114) >> [keycloak-undertow-adapter-1.2.0.Final.jar:1.2.0.Final] >> at >> org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:94) >> [keycloak-undertow-adapter-1.2.0.Final.jar:1.2.0.Final] >> at >> io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:281) >> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >> at >> io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:298) >> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >> at >> io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:268) >> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >> at >> io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:131) >> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >> at >> io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:106) >> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >> at >> io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:99) >> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >> at >> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:54) >> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] >> at >> io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33) >> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >> at >> io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) >> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >> at >> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) >> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >> at >> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:63) >> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] >> at >> io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) >> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] >> at >> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) >> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >> at >> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) >> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] >> at >> io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) >> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >> at >> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >> at >> org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69) >> [keycloak-undertow-adapter-1.2.0.Final.jar:1.2.0.Final] >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >> at >> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261) >> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] >> at >> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247) >> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] >> at >> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76) >> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] >> at >> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:166) >> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] >> at >> io.undertow.server.Connectors.executeRootHandler(Connectors.java:197) >> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >> at >> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759) >> [undertow-core-1.1.0.Final.jar:1.1.0.Final] >> at >> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) >> [rt.jar:1.8.0_45] >> at >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) >> [rt.jar:1.8.0_45] >> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_45] >> >> >> >> >> >> On Tue, Aug 11, 2015 at 5:16 AM, Marc Savy >> >> >> >> wrote: >> >> I think this may pertain to the Keycloak OAuth2 token. >> In which case, I >> provided Fadi with a version containing additional >> logging to see if we >> could track the issue down. >> >> It's not an issue I've ever been able to replicate, and >> we don't fiddle >> with the token data in any way, so I don't really see >> how we could >> affect things. >> >> My only suggestions are to ensure that time is accurate >> on all of the >> systems (NTP, Chronyd, etc), and I believe this has >> already been done. >> >> On 10/08/2015 18:00, Eric Wittmann wrote: >> > How often does this occur? What is the result? >> > >> > I assume this is triggering a re-login in the UI? >> > >> > There is no caching on the apiman side. However the >> tokens issued by >> > keycloak to the apiman UI do have an expiration. >> You could try >> logging >> > into the keycloak auth admin UI and increasing the >> lifespan of >> the tokens. >> > >> > Any more details you can provide would be great. >> > >> > -Eric >> > >> > On 8/10/2015 8:56 AM, Fadi Abdin wrote: >> >> I keep getting occasional "Token is not active." on >> they >> keycloak side >> >> occasionally . its really frustrating , i cant >> figure out what could >> >> cause this to happen. everything seems correct. >> >> >> >> Is there caching between API Man and Keycloak i can >> turn off ? Have >> >> anyone seeen this behavior ? >> >> >> >> Thanks, >> >> Fadi >> >> Express.com >> >> >> >> >> >> _______________________________________________ >> >> Apiman-user mailing list >> >> Apiman-user at lists.jboss.org >> >> > > >> >> https://lists.jboss.org/mailman/listinfo/apiman-user >> >> >> > _______________________________________________ >> > Apiman-user mailing list >> > Apiman-user at lists.jboss.org >> >> > > >> > https://lists.jboss.org/mailman/listinfo/apiman-user >> > >> >> _______________________________________________ >> Apiman-user mailing list >> Apiman-user at lists.jboss.org >> >> > > >> https://lists.jboss.org/mailman/listinfo/apiman-user >> >> >> >> >> _______________________________________________ >> Apiman-user mailing list >> Apiman-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/apiman-user >> >> >> >> >> >> _______________________________________________ >> Apiman-user mailing list >> Apiman-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/apiman-user >> > _______________________________________________ > Apiman-user mailing list > Apiman-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/apiman-user > From 00hf11 at gmail.com Thu Aug 13 08:12:17 2015 From: 00hf11 at gmail.com (Helio Frota) Date: Thu, 13 Aug 2015 09:12:17 -0300 Subject: [Apiman-user] Token is not active. In-Reply-To: <55CC862D.1000100@redhat.com> References: <55C8D8C6.8020203@redhat.com> <55C9AF70.2030501@redhat.com> <55CBA039.8040509@redhat.com>

<55CC862D.1000100@redhat.com> Message-ID: In all these cases the UI kept working OK? Yes. Did you ever get any sort of failure in the UI? No. Example: missing data, page load failure, etc? No. nothing, I don't remember if i clicked on some button or link , or just the stack trace arise by doing nothing. Trying to catch this again ( i have no idea how, but trying ) For now, I noticed that from time to time this is executed: GET http://localhost:8080/apimanui/rest/tokenRefresh 200 OK apiman [9:04:28 AM]>> Bearer token successfully refreshed: { "token": "eyJhbG ... long token here", "refreshPeriod": 240 } -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/apiman-user/attachments/20150813/f355d210/attachment.html From 00hf11 at gmail.com Thu Aug 13 08:20:04 2015 From: 00hf11 at gmail.com (Helio Frota) Date: Thu, 13 Aug 2015 09:20:04 -0300 Subject: [Apiman-user] Token is not active. In-Reply-To: References: <55C8D8C6.8020203@redhat.com> <55C9AF70.2030501@redhat.com> <55CBA039.8040509@redhat.com>

<55CC862D.1000100@redhat.com> Message-ID: Hi Marc Savy , Thanks for the information. Yes, looks similar to the liveoak old bug. On Thu, Aug 13, 2015 at 9:12 AM, Helio Frota <00hf11 at gmail.com> wrote: > In all these cases the UI kept working OK? > > Yes. > > Did you ever get any sort of failure in the UI? > > No. > > Example: missing data, page load failure, etc? > > No. nothing, I don't remember if i clicked on some button or link , or > just the stack trace arise by doing nothing. > > Trying to catch this again ( i have no idea how, but trying ) > > For now, I noticed that from time to time this is executed: > > GET http://localhost:8080/apimanui/rest/tokenRefresh > 200 OK > > apiman [9:04:28 AM]>> Bearer token successfully refreshed: { > "token": "eyJhbG ... long token here", > "refreshPeriod": 240 > } > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/apiman-user/attachments/20150813/318f5e5f/attachment.html From marc.savy at redhat.com Thu Aug 13 08:23:10 2015 From: marc.savy at redhat.com (Marc Savy) Date: Thu, 13 Aug 2015 13:23:10 +0100 Subject: [Apiman-user] Token is not active. In-Reply-To: References: Message-ID: <55CC8C2E.9010405@redhat.com> Hi Fadi, Are you referring to the Keycloak OAuth2 policy or the apiman UI? If it's the former, then please refer to my other post in this thread in which I've included a version with additional logging for you to use. Regards, Marc On 10/08/2015 13:56, Fadi Abdin wrote: > I keep getting occasional "Token is not active." on they keycloak side > occasionally . its really frustrating , i cant figure out what could > cause this to happen. everything seems correct. > > Is there caching between API Man and Keycloak i can turn off ? Have > anyone seeen this behavior ? > > Thanks, > Fadi > Express.com > > > _______________________________________________ > Apiman-user mailing list > Apiman-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/apiman-user > From eric.wittmann at redhat.com Thu Aug 13 08:24:31 2015 From: eric.wittmann at redhat.com (Eric Wittmann) Date: Thu, 13 Aug 2015 08:24:31 -0400 Subject: [Apiman-user] Token is not active. In-Reply-To: References: <55C8D8C6.8020203@redhat.com> <55C9AF70.2030501@redhat.com> <55CBA039.8040509@redhat.com>

<55CC862D.1000100@redhat.com> Message-ID: <55CC8C7F.2070800@redhat.com> OK so everything works but you sometimes see a stack trace. The stack trace is coming from the keycloak auth adapter. As long as everything else still works, I'd be inclined to either ignore it or report it to keycloak. Periodic calls to http://localhost:8080/apimanui/rest/tokenRefresh are expected. This is done to obtain a new auth token that can be used to make authenticated calls to the API Manager REST layer (from the UI). The auth token issued by keycloak expires after 2 minutes. -Eric On 8/13/2015 8:12 AM, Helio Frota wrote: > In all these cases the UI kept working OK? > > Yes. > > Did you ever get any sort of failure in the UI? > > No. > > Example: missing data, page load failure, etc? > > No. nothing, I don't remember if i clicked on some button or link , or > just the stack trace arise by doing nothing. > > Trying to catch this again ( i have no idea how, but trying ) > > For now, I noticed that from time to time this is executed: > > GET http://localhost:8080/apimanui/rest/tokenRefresh > 200 OK > > apiman [9:04:28 AM]>> Bearer token successfully refreshed: { > "token": "eyJhbG ... long token here", > "refreshPeriod": 240 > } > > > > > _______________________________________________ > Apiman-user mailing list > Apiman-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/apiman-user > From 00hf11 at gmail.com Thu Aug 13 08:33:56 2015 From: 00hf11 at gmail.com (Helio Frota) Date: Thu, 13 Aug 2015 09:33:56 -0300 Subject: [Apiman-user] Token is not active. In-Reply-To: <55CC8C7F.2070800@redhat.com> References: <55C8D8C6.8020203@redhat.com> <55C9AF70.2030501@redhat.com> <55CBA039.8040509@redhat.com>

<55CC862D.1000100@redhat.com> <55CC8C7F.2070800@redhat.com> Message-ID: OK so everything works but you sometimes see a stack trace. The stack trace is coming from the keycloak auth adapter. As long as everything else still works, I'd be inclined to either ignore it or report it to keycloak. Yes, you right. Thanks again for all information. On Thu, Aug 13, 2015 at 9:24 AM, Eric Wittmann wrote: > OK so everything works but you sometimes see a stack trace. The stack > trace is coming from the keycloak auth adapter. As long as everything else > still works, I'd be inclined to either ignore it or report it to keycloak. > > Periodic calls to http://localhost:8080/apimanui/rest/tokenRefresh are > expected. This is done to obtain a new auth token that can be used to make > authenticated calls to the API Manager REST layer (from the UI). The auth > token issued by keycloak expires after 2 minutes. > > -Eric > > > On 8/13/2015 8:12 AM, Helio Frota wrote: > >> In all these cases the UI kept working OK? >> >> Yes. >> >> Did you ever get any sort of failure in the UI? >> >> No. >> >> Example: missing data, page load failure, etc? >> >> No. nothing, I don't remember if i clicked on some button or link , or >> just the stack trace arise by doing nothing. >> >> Trying to catch this again ( i have no idea how, but trying ) >> >> For now, I noticed that from time to time this is executed: >> >> GET http://localhost:8080/apimanui/rest/tokenRefresh >> 200 OK >> >> apiman [9:04:28 AM]>> Bearer token successfully refreshed: { >> "token": "eyJhbG ... long token here", >> "refreshPeriod": 240 >> } >> >> >> >> >> _______________________________________________ >> Apiman-user mailing list >> Apiman-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/apiman-user >> >> -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/apiman-user/attachments/20150813/533f9bc2/attachment.html From fadiabdeen at gmail.com Thu Aug 13 11:52:10 2015 From: fadiabdeen at gmail.com (Fadi Abdin) Date: Thu, 13 Aug 2015 11:52:10 -0400 Subject: [Apiman-user] Token is not active. In-Reply-To: <55C9AF70.2030501@redhat.com> References: <55C8D8C6.8020203@redhat.com> <55C9AF70.2030501@redhat.com> Message-ID: Marc / Eric, Thank you for your help in the past , i really appreciate it . but my issue did not get resolved yet . My Application is really simple , i get a token from keycloak and use that token call API MAN services . When the application is fresh installed , this problem does not happened often , but once many users using it and over time , it will start rejecting tokens with the "Token is not active" message . for example if my service is on https://myserver.com/api-gateway/myservice i pass a token like with an access_token parameter https://myserver.com/api-gateway/myservice?access_token= some time it return a value and some times not . i'm always using a new browser , so its not the cashing. The only way to solve the issue is to restart keycloak/apiman , seems they back in sync . It started a small problem with dev , but now its expanding because our product with the QA people and this escalating .. Is there a way you guys can help us a little more ? is there a paid support ? Thanks, On Tue, Aug 11, 2015 at 4:16 AM, Marc Savy wrote: > I think this may pertain to the Keycloak OAuth2 token. In which case, I > provided Fadi with a version containing additional logging to see if we > could track the issue down. > > It's not an issue I've ever been able to replicate, and we don't fiddle > with the token data in any way, so I don't really see how we could > affect things. > > My only suggestions are to ensure that time is accurate on all of the > systems (NTP, Chronyd, etc), and I believe this has already been done. > > > On 10/08/2015 18:00, Eric Wittmann wrote: > >> How often does this occur? What is the result? >> >> I assume this is triggering a re-login in the UI? >> >> There is no caching on the apiman side. However the tokens issued by >> keycloak to the apiman UI do have an expiration. You could try logging >> into the keycloak auth admin UI and increasing the lifespan of the tokens. >> >> Any more details you can provide would be great. >> >> -Eric >> >> On 8/10/2015 8:56 AM, Fadi Abdin wrote: >> >>> I keep getting occasional "Token is not active." on they keycloak side >>> occasionally . its really frustrating , i cant figure out what could >>> cause this to happen. everything seems correct. >>> >>> Is there caching between API Man and Keycloak i can turn off ? Have >>> anyone seeen this behavior ? >>> >>> Thanks, >>> Fadi >>> Express.com >>> >>> >>> _______________________________________________ >>> Apiman-user mailing list >>> Apiman-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/apiman-user >>> >>> _______________________________________________ >> Apiman-user mailing list >> Apiman-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/apiman-user >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/apiman-user/attachments/20150813/1f370b40/attachment.html From eric.wittmann at redhat.com Thu Aug 13 13:20:14 2015 From: eric.wittmann at redhat.com (Eric Wittmann) Date: Thu, 13 Aug 2015 13:20:14 -0400 Subject: [Apiman-user] Token is not active. In-Reply-To: References: <55C8D8C6.8020203@redhat.com> <55C9AF70.2030501@redhat.com> Message-ID: <55CCD1CE.9010705@redhat.com> Fadi - we definitely do want to get to the bottom of this, so are happy to do what we can to help. Hopefully Marc's version of the OAuth2 plugin will help generate some information we can use to track down the problem. Can you please open a JIRA for this issue? And please include as much information as you can, for example: * Version of apiman * Version of OAuth2 plugin * Setup/configuration (example: is Keycloak on a separate server?) * Any other environmental information you think might be relevant Having a JIRA issue will help us keep track of our progress on this issue. -Eric On 8/13/2015 11:52 AM, Fadi Abdin wrote: > Marc / Eric, > > Thank you for your help in the past , i really appreciate it . but my > issue did not get resolved yet . > > My Application is really simple , i get a token from keycloak and use > that token call API MAN services . > > When the application is fresh installed , this problem does not happened > often , but once many users using it and over time , it will start > rejecting tokens with the "Token is not active" message . > > for example if my service is on > https://myserver.com/api-gateway/myservice i pass a token like with an > access_token parameter > > https://myserver.com/api-gateway/myservice?access_token= > some time it return a value and some times not . i'm always using a new > browser , so its not the cashing. > > The only way to solve the issue is to restart keycloak/apiman , seems > they back in sync . > > It started a small problem with dev , but now its expanding because our > product with the QA people and this escalating .. Is there a way you > guys can help us a little more ? is there a paid support ? > > Thanks, > > > > On Tue, Aug 11, 2015 at 4:16 AM, Marc Savy > wrote: > > I think this may pertain to the Keycloak OAuth2 token. In which case, I > provided Fadi with a version containing additional logging to see if we > could track the issue down. > > It's not an issue I've ever been able to replicate, and we don't fiddle > with the token data in any way, so I don't really see how we could > affect things. > > My only suggestions are to ensure that time is accurate on all of the > systems (NTP, Chronyd, etc), and I believe this has already been done. > > > On 10/08/2015 18:00, Eric Wittmann wrote: > > How often does this occur? What is the result? > > I assume this is triggering a re-login in the UI? > > There is no caching on the apiman side. However the tokens > issued by > keycloak to the apiman UI do have an expiration. You could try > logging > into the keycloak auth admin UI and increasing the lifespan of > the tokens. > > Any more details you can provide would be great. > > -Eric > > On 8/10/2015 8:56 AM, Fadi Abdin wrote: > > I keep getting occasional "Token is not active." on they > keycloak side > occasionally . its really frustrating , i cant figure out > what could > cause this to happen. everything seems correct. > > Is there caching between API Man and Keycloak i can turn off > ? Have > anyone seeen this behavior ? > > Thanks, > Fadi > Express.com > > > _______________________________________________ > Apiman-user mailing list > Apiman-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/apiman-user > > _______________________________________________ > Apiman-user mailing list > Apiman-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/apiman-user > > > From fadiabdeen at gmail.com Fri Aug 14 11:47:21 2015 From: fadiabdeen at gmail.com (Fadi Abdin) Date: Fri, 14 Aug 2015 11:47:21 -0400 Subject: [Apiman-user] Token is not active. In-Reply-To: <55CCD1CE.9010705@redhat.com> References: <55C8D8C6.8020203@redhat.com> <55C9AF70.2030501@redhat.com> <55CCD1CE.9010705@redhat.com> Message-ID: I'm FINALLY ready to write a jira ticket , i think i'm able to identify the what is happening The logs coming in the policy prints the token information, I was surprised to find that sometimes the token being sent is NOT the correct token I sent to APIMan, Example, If I hit a service with a token A , it prints the token B . Token A is my token which is valid and i just got it , But token B is NOT even mine and is expired from yesterday. And this make sense to work after a restart , because it flushes all the tokens and start fresh. If there is a quick way to fix it , flush the tokens or whatever please let me know . I'm going to file a jira ticket , but i need things to work asap because we are in QA now and going to production soon. On Thu, Aug 13, 2015 at 1:20 PM, Eric Wittmann wrote: > Fadi - we definitely do want to get to the bottom of this, so are happy to > do what we can to help. > > Hopefully Marc's version of the OAuth2 plugin will help generate some > information we can use to track down the problem. > > Can you please open a JIRA for this issue? And please include as much > information as you can, for example: > > * Version of apiman > * Version of OAuth2 plugin > * Setup/configuration (example: is Keycloak on a separate server?) > * Any other environmental information you think might be relevant > > Having a JIRA issue will help us keep track of our progress on this issue. > > -Eric > > On 8/13/2015 11:52 AM, Fadi Abdin wrote: > >> Marc / Eric, >> >> Thank you for your help in the past , i really appreciate it . but my >> issue did not get resolved yet . >> >> My Application is really simple , i get a token from keycloak and use >> that token call API MAN services . >> >> When the application is fresh installed , this problem does not happened >> often , but once many users using it and over time , it will start >> rejecting tokens with the "Token is not active" message . >> >> for example if my service is on >> https://myserver.com/api-gateway/myservice i pass a token like with an >> access_token parameter >> >> https://myserver.com/api-gateway/myservice?access_token= >> some time it return a value and some times not . i'm always using a new >> browser , so its not the cashing. >> >> The only way to solve the issue is to restart keycloak/apiman , seems >> they back in sync . >> >> It started a small problem with dev , but now its expanding because our >> product with the QA people and this escalating .. Is there a way you >> guys can help us a little more ? is there a paid support ? >> >> Thanks, >> >> >> >> On Tue, Aug 11, 2015 at 4:16 AM, Marc Savy > > wrote: >> >> I think this may pertain to the Keycloak OAuth2 token. In which case, >> I >> provided Fadi with a version containing additional logging to see if >> we >> could track the issue down. >> >> It's not an issue I've ever been able to replicate, and we don't >> fiddle >> with the token data in any way, so I don't really see how we could >> affect things. >> >> My only suggestions are to ensure that time is accurate on all of the >> systems (NTP, Chronyd, etc), and I believe this has already been done. >> >> >> On 10/08/2015 18:00, Eric Wittmann wrote: >> >> How often does this occur? What is the result? >> >> I assume this is triggering a re-login in the UI? >> >> There is no caching on the apiman side. However the tokens >> issued by >> keycloak to the apiman UI do have an expiration. You could try >> logging >> into the keycloak auth admin UI and increasing the lifespan of >> the tokens. >> >> Any more details you can provide would be great. >> >> -Eric >> >> On 8/10/2015 8:56 AM, Fadi Abdin wrote: >> >> I keep getting occasional "Token is not active." on they >> keycloak side >> occasionally . its really frustrating , i cant figure out >> what could >> cause this to happen. everything seems correct. >> >> Is there caching between API Man and Keycloak i can turn off >> ? Have >> anyone seeen this behavior ? >> >> Thanks, >> Fadi >> Express.com >> >> >> _______________________________________________ >> Apiman-user mailing list >> Apiman-user at lists.jboss.org > Apiman-user at lists.jboss.org> >> https://lists.jboss.org/mailman/listinfo/apiman-user >> >> _______________________________________________ >> Apiman-user mailing list >> Apiman-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/apiman-user >> >> >> >> -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/apiman-user/attachments/20150814/62e0b97c/attachment-0001.html From marc.savy at redhat.com Fri Aug 14 12:08:34 2015 From: marc.savy at redhat.com (Marc Savy) Date: Fri, 14 Aug 2015 17:08:34 +0100 Subject: [Apiman-user] Token is not active. In-Reply-To: References: <55C8D8C6.8020203@redhat.com> <55C9AF70.2030501@redhat.com> <55CCD1CE.9010705@redhat.com> Message-ID: <55CE1282.9090605@redhat.com> Hi Fadi, Will be happy to investigate. Could you try another test for me, please? Instead of setting the query parameter access_token, can you please instead use the Authorization header? This is a bit more resistant to some weirder forms of caching that might be going on in your pipeline. Authorization: Bearer Do *not* set the access_token query param. In cURL you can do this by putting: curl -v -H "Authorization: Bearer " Regards, Marc On 14/08/2015 16:47, Fadi Abdin wrote: > I'm FINALLY ready to write a jira ticket , i think i'm able to identify > the what is happening > > The logs coming in the policy prints the token information, I was > surprised to find that sometimes the token being sent is NOT the correct > token I sent to APIMan, > > Example, If I hit a service with a token A , it prints the token B . > Token A is my token which is valid and i just got it , But token B is > NOT even mine and is expired from yesterday. > > And this make sense to work after a restart , because it flushes all the > tokens and start fresh. > > If there is a quick way to fix it , flush the tokens or whatever please > let me know . > I'm going to file a jira ticket , but i need things to work asap because > we are in QA now and going to production soon. > > > > On Thu, Aug 13, 2015 at 1:20 PM, Eric Wittmann > wrote: > > Fadi - we definitely do want to get to the bottom of this, so are > happy to do what we can to help. > > Hopefully Marc's version of the OAuth2 plugin will help generate > some information we can use to track down the problem. > > Can you please open a JIRA for this issue? And please include as > much information as you can, for example: > > * Version of apiman > * Version of OAuth2 plugin > * Setup/configuration (example: is Keycloak on a separate server?) > * Any other environmental information you think might be relevant > > Having a JIRA issue will help us keep track of our progress on this > issue. > > -Eric > > On 8/13/2015 11:52 AM, Fadi Abdin wrote: > > Marc / Eric, > > Thank you for your help in the past , i really appreciate it . > but my > issue did not get resolved yet . > > My Application is really simple , i get a token from keycloak > and use > that token call API MAN services . > > When the application is fresh installed , this problem does not > happened > often , but once many users using it and over time , it will start > rejecting tokens with the "Token is not active" message . > > for example if my service is on > https://myserver.com/api-gateway/myservice i pass a token like > with an > access_token parameter > > https://myserver.com/api-gateway/myservice?access_token= value> > some time it return a value and some times not . i'm always > using a new > browser , so its not the cashing. > > The only way to solve the issue is to restart keycloak/apiman , > seems > they back in sync . > > It started a small problem with dev , but now its expanding > because our > product with the QA people and this escalating .. Is there a way you > guys can help us a little more ? is there a paid support ? > > Thanks, > > > > On Tue, Aug 11, 2015 at 4:16 AM, Marc Savy > >> wrote: > > I think this may pertain to the Keycloak OAuth2 token. In > which case, I > provided Fadi with a version containing additional logging > to see if we > could track the issue down. > > It's not an issue I've ever been able to replicate, and we > don't fiddle > with the token data in any way, so I don't really see how > we could > affect things. > > My only suggestions are to ensure that time is accurate on > all of the > systems (NTP, Chronyd, etc), and I believe this has already > been done. > > > On 10/08/2015 18:00, Eric Wittmann wrote: > > How often does this occur? What is the result? > > I assume this is triggering a re-login in the UI? > > There is no caching on the apiman side. However the tokens > issued by > keycloak to the apiman UI do have an expiration. You > could try > logging > into the keycloak auth admin UI and increasing the > lifespan of > the tokens. > > Any more details you can provide would be great. > > -Eric > > On 8/10/2015 8:56 AM, Fadi Abdin wrote: > > I keep getting occasional "Token is not active." on > they > keycloak side > occasionally . its really frustrating , i cant > figure out > what could > cause this to happen. everything seems correct. > > Is there caching between API Man and Keycloak i can > turn off > ? Have > anyone seeen this behavior ? > > Thanks, > Fadi > Express.com > > > _______________________________________________ > Apiman-user mailing list > Apiman-user at lists.jboss.org >

> > https://lists.jboss.org/mailman/listinfo/apiman-user > > _______________________________________________ > Apiman-user mailing list > Apiman-user at lists.jboss.org >

> > https://lists.jboss.org/mailman/listinfo/apiman-user > > > > From eric.wittmann at redhat.com Fri Aug 14 15:24:04 2015 From: eric.wittmann at redhat.com (Eric Wittmann) Date: Fri, 14 Aug 2015 15:24:04 -0400 Subject: [Apiman-user] Announcement: apiman 1.1.6.Final released Message-ID: <55CE4054.10501@redhat.com> What's new in this release? * Quota policy (# of requests) * Transfer quota policy (# of bytes) * URL Rewriting policy * Caching policy (use with care) * Tech Preview: Vert.x 3 Gateway Impl (you'll need to build this yourself to try it!) * Application Metrics * (Optional) Send the Service Version in an HTTP Header instead of in the managed endpoint path Of course we fixed a bunch of bugs too! Have a look at the release notes: https://issues.jboss.org/secure/ReleaseNote.jspa?projectId=12314121&version=12327699 Or as always go to the project site: http://www.apiman.io/ -Eric From kbabo at redhat.com Fri Aug 14 15:40:59 2015 From: kbabo at redhat.com (Keith Babo) Date: Fri, 14 Aug 2015 15:40:59 -0400 Subject: [Apiman-user] [Apiman-dev] Announcement: apiman 1.1.6.Final released In-Reply-To: <55CE4054.10501@redhat.com> References: <55CE4054.10501@redhat.com> Message-ID: <302B402B-B5C5-4423-A8F6-74645A8969BC@redhat.com> Nice! ~ keith > On Aug 14, 2015, at 3:24 PM, Eric Wittmann wrote: > > What's new in this release? > > * Quota policy (# of requests) > * Transfer quota policy (# of bytes) > * URL Rewriting policy > * Caching policy (use with care) > * Tech Preview: Vert.x 3 Gateway Impl (you'll need to build this > yourself to try it!) > * Application Metrics > * (Optional) Send the Service Version in an HTTP Header instead of in > the managed endpoint path > > Of course we fixed a bunch of bugs too! > > Have a look at the release notes: > > https://issues.jboss.org/secure/ReleaseNote.jspa?projectId=12314121&version=12327699 > > Or as always go to the project site: > > http://www.apiman.io/ > > -Eric > _______________________________________________ > Apiman-dev mailing list > Apiman-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/apiman-dev From fadiabdeen at gmail.com Fri Aug 14 16:08:19 2015 From: fadiabdeen at gmail.com (Fadi Abdin) Date: Fri, 14 Aug 2015 16:08:19 -0400 Subject: [Apiman-user] Token is not active. In-Reply-To: <55CE1282.9090605@redhat.com> References: <55C8D8C6.8020203@redhat.com> <55C9AF70.2030501@redhat.com> <55CCD1CE.9010705@redhat.com> <55CE1282.9090605@redhat.com> Message-ID: I was only able to see the problem on the string parameter , but not the bearer token when i use curl. that might do the trick for me after all the struggle. I'm having another problem with Bearer Token and CORS , thats why i'm not using it and it works fine with the parameter .. I'll open another case for this On Fri, Aug 14, 2015 at 12:08 PM, Marc Savy wrote: > Hi Fadi, > > Will be happy to investigate. Could you try another test for me, please? > > Instead of setting the query parameter access_token, can you please > instead use the Authorization header? This is a bit more resistant to some > weirder forms of caching that might be going on in your pipeline. > > Authorization: Bearer > > Do *not* set the access_token query param. > > In cURL you can do this by putting: > > curl -v -H "Authorization: Bearer " > > Regards, > Marc > > On 14/08/2015 16:47, Fadi Abdin wrote: > >> I'm FINALLY ready to write a jira ticket , i think i'm able to identify >> the what is happening >> >> The logs coming in the policy prints the token information, I was >> surprised to find that sometimes the token being sent is NOT the correct >> token I sent to APIMan, >> >> Example, If I hit a service with a token A , it prints the token B . >> Token A is my token which is valid and i just got it , But token B is >> NOT even mine and is expired from yesterday. >> >> And this make sense to work after a restart , because it flushes all the >> tokens and start fresh. >> >> If there is a quick way to fix it , flush the tokens or whatever please >> let me know . >> I'm going to file a jira ticket , but i need things to work asap because >> we are in QA now and going to production soon. >> >> >> >> On Thu, Aug 13, 2015 at 1:20 PM, Eric Wittmann > > wrote: >> >> Fadi - we definitely do want to get to the bottom of this, so are >> happy to do what we can to help. >> >> Hopefully Marc's version of the OAuth2 plugin will help generate >> some information we can use to track down the problem. >> >> Can you please open a JIRA for this issue? And please include as >> much information as you can, for example: >> >> * Version of apiman >> * Version of OAuth2 plugin >> * Setup/configuration (example: is Keycloak on a separate server?) >> * Any other environmental information you think might be relevant >> >> Having a JIRA issue will help us keep track of our progress on this >> issue. >> >> -Eric >> >> On 8/13/2015 11:52 AM, Fadi Abdin wrote: >> >> Marc / Eric, >> >> Thank you for your help in the past , i really appreciate it . >> but my >> issue did not get resolved yet . >> >> My Application is really simple , i get a token from keycloak >> and use >> that token call API MAN services . >> >> When the application is fresh installed , this problem does not >> happened >> often , but once many users using it and over time , it will start >> rejecting tokens with the "Token is not active" message . >> >> for example if my service is on >> https://myserver.com/api-gateway/myservice i pass a token like >> with an >> access_token parameter >> >> https://myserver.com/api-gateway/myservice?access_token=> value> >> some time it return a value and some times not . i'm always >> using a new >> browser , so its not the cashing. >> >> The only way to solve the issue is to restart keycloak/apiman , >> seems >> they back in sync . >> >> It started a small problem with dev , but now its expanding >> because our >> product with the QA people and this escalating .. Is there a way >> you >> guys can help us a little more ? is there a paid support ? >> >> Thanks, >> >> >> >> On Tue, Aug 11, 2015 at 4:16 AM, Marc Savy > >> >> >> wrote: >> >> I think this may pertain to the Keycloak OAuth2 token. In >> which case, I >> provided Fadi with a version containing additional logging >> to see if we >> could track the issue down. >> >> It's not an issue I've ever been able to replicate, and we >> don't fiddle >> with the token data in any way, so I don't really see how >> we could >> affect things. >> >> My only suggestions are to ensure that time is accurate on >> all of the >> systems (NTP, Chronyd, etc), and I believe this has already >> been done. >> >> >> On 10/08/2015 18:00, Eric Wittmann wrote: >> >> How often does this occur? What is the result? >> >> I assume this is triggering a re-login in the UI? >> >> There is no caching on the apiman side. However the >> tokens >> issued by >> keycloak to the apiman UI do have an expiration. You >> could try >> logging >> into the keycloak auth admin UI and increasing the >> lifespan of >> the tokens. >> >> Any more details you can provide would be great. >> >> -Eric >> >> On 8/10/2015 8:56 AM, Fadi Abdin wrote: >> >> I keep getting occasional "Token is not active." on >> they >> keycloak side >> occasionally . its really frustrating , i cant >> figure out >> what could >> cause this to happen. everything seems correct. >> >> Is there caching between API Man and Keycloak i can >> turn off >> ? Have >> anyone seeen this behavior ? >> >> Thanks, >> Fadi >> Express.com >> >> >> _______________________________________________ >> Apiman-user mailing list >> Apiman-user at lists.jboss.org >> > > >> https://lists.jboss.org/mailman/listinfo/apiman-user >> >> _______________________________________________ >> Apiman-user mailing list >> Apiman-user at lists.jboss.org >> > > >> https://lists.jboss.org/mailman/listinfo/apiman-user >> >> >> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/apiman-user/attachments/20150814/89880749/attachment-0001.html From 00hf11 at gmail.com Fri Aug 14 18:46:45 2015 From: 00hf11 at gmail.com (Helio Frota) Date: Fri, 14 Aug 2015 19:46:45 -0300 Subject: [Apiman-user] [Apiman-dev] Announcement: apiman 1.1.6.Final released In-Reply-To: <302B402B-B5C5-4423-A8F6-74645A8969BC@redhat.com> References: <55CE4054.10501@redhat.com> <302B402B-B5C5-4423-A8F6-74645A8969BC@redhat.com> Message-ID: great ! On Fri, Aug 14, 2015 at 4:40 PM, Keith Babo wrote: > Nice! > > ~ keith > > > On Aug 14, 2015, at 3:24 PM, Eric Wittmann > wrote: > > > > What's new in this release? > > > > * Quota policy (# of requests) > > * Transfer quota policy (# of bytes) > > * URL Rewriting policy > > * Caching policy (use with care) > > * Tech Preview: Vert.x 3 Gateway Impl (you'll need to build this > > yourself to try it!) > > * Application Metrics > > * (Optional) Send the Service Version in an HTTP Header instead of in > > the managed endpoint path > > > > Of course we fixed a bunch of bugs too! > > > > Have a look at the release notes: > > > > > https://issues.jboss.org/secure/ReleaseNote.jspa?projectId=12314121&version=12327699 > > > > Or as always go to the project site: > > > > http://www.apiman.io/ > > > > -Eric > > _______________________________________________ > > Apiman-dev mailing list > > Apiman-dev at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/apiman-dev > > > _______________________________________________ > Apiman-dev mailing list > Apiman-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/apiman-dev > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/apiman-user/attachments/20150814/ef1b501d/attachment.html From msavy at redhat.com Sat Aug 15 04:20:21 2015 From: msavy at redhat.com (Marc Savy) Date: Sat, 15 Aug 2015 04:20:21 -0400 (EDT) Subject: [Apiman-user] Token is not active. In-Reply-To: References: <55C8D8C6.8020203@redhat.com> <55C9AF70.2030501@redhat.com> <55CCD1CE.9010705@redhat.com> <55CE1282.9090605@redhat.com> Message-ID: <1941462689.12911212.1439626821029.JavaMail.zimbra@redhat.com> Your issue with CORS Policy is possibly related to this - https://issues.jboss.org/browse/APIMAN-516 - I'll put that to the top of my list. I tried running a script that did over 250,000 request-response cycles and didn't get any issues with OAuth2 and query parameters. This implies to me that it's a caching issue somewhere in your pipeline, but perhaps I'm not replicating your setup well enough. ----- Original Message ----- From: "Fadi Abdin" To: "Marc Savy" Cc: "apiman-user" Sent: Friday, 14 August, 2015 9:08:19 PM Subject: Re: [Apiman-user] Token is not active. I was only able to see the problem on the string parameter , but not the bearer token when i use curl. that might do the trick for me after all the struggle. I'm having another problem with Bearer Token and CORS , thats why i'm not using it and it works fine with the parameter .. I'll open another case for this On Fri, Aug 14, 2015 at 12:08 PM, Marc Savy < marc.savy at redhat.com > wrote: Hi Fadi, Will be happy to investigate. Could you try another test for me, please? Instead of setting the query parameter access_token, can you please instead use the Authorization header? This is a bit more resistant to some weirder forms of caching that might be going on in your pipeline. Authorization: Bearer Do *not* set the access_token query param. In cURL you can do this by putting: curl -v -H "Authorization: Bearer " Regards, Marc On 14/08/2015 16:47, Fadi Abdin wrote: I'm FINALLY ready to write a jira ticket , i think i'm able to identify the what is happening The logs coming in the policy prints the token information, I was surprised to find that sometimes the token being sent is NOT the correct token I sent to APIMan, Example, If I hit a service with a token A , it prints the token B . Token A is my token which is valid and i just got it , But token B is NOT even mine and is expired from yesterday. And this make sense to work after a restart , because it flushes all the tokens and start fresh. If there is a quick way to fix it , flush the tokens or whatever please let me know . I'm going to file a jira ticket , but i need things to work asap because we are in QA now and going to production soon. On Thu, Aug 13, 2015 at 1:20 PM, Eric Wittmann < eric.wittmann at redhat.com > wrote: Fadi - we definitely do want to get to the bottom of this, so are happy to do what we can to help. Hopefully Marc's version of the OAuth2 plugin will help generate some information we can use to track down the problem. Can you please open a JIRA for this issue? And please include as much information as you can, for example: * Version of apiman * Version of OAuth2 plugin * Setup/configuration (example: is Keycloak on a separate server?) * Any other environmental information you think might be relevant Having a JIRA issue will help us keep track of our progress on this issue. -Eric On 8/13/2015 11:52 AM, Fadi Abdin wrote: Marc / Eric, Thank you for your help in the past , i really appreciate it . but my issue did not get resolved yet . My Application is really simple , i get a token from keycloak and use that token call API MAN services . When the application is fresh installed , this problem does not happened often , but once many users using it and over time , it will start rejecting tokens with the "Token is not active" message . for example if my service is on https://myserver.com/api-gateway/myservice i pass a token like with an access_token parameter https://myserver.com/api-gateway/myservice?access_token= some time it return a value and some times not . i'm always using a new browser , so its not the cashing. The only way to solve the issue is to restart keycloak/apiman , seems they back in sync . It started a small problem with dev , but now its expanding because our product with the QA people and this escalating .. Is there a way you guys can help us a little more ? is there a paid support ? Thanks, On Tue, Aug 11, 2015 at 4:16 AM, Marc Savy < marc.savy at redhat.com >> wrote: I think this may pertain to the Keycloak OAuth2 token. In which case, I provided Fadi with a version containing additional logging to see if we could track the issue down. It's not an issue I've ever been able to replicate, and we don't fiddle with the token data in any way, so I don't really see how we could affect things. My only suggestions are to ensure that time is accurate on all of the systems (NTP, Chronyd, etc), and I believe this has already been done. On 10/08/2015 18:00, Eric Wittmann wrote: How often does this occur? What is the result? I assume this is triggering a re-login in the UI? There is no caching on the apiman side. However the tokens issued by keycloak to the apiman UI do have an expiration. You could try logging into the keycloak auth admin UI and increasing the lifespan of the tokens. Any more details you can provide would be great. -Eric On 8/10/2015 8:56 AM, Fadi Abdin wrote: I keep getting occasional "Token is not active." on they keycloak side occasionally . its really frustrating , i cant figure out what could cause this to happen. everything seems correct. Is there caching between API Man and Keycloak i can turn off ? Have anyone seeen this behavior ? Thanks, Fadi Express.com _______________________________________________ Apiman-user mailing list Apiman-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/apiman-user _______________________________________________ Apiman-user mailing list Apiman-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/apiman-user _______________________________________________ Apiman-user mailing list Apiman-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/apiman-user From cmoulliard at redhat.com Mon Aug 17 02:10:49 2015 From: cmoulliard at redhat.com (Charles Moulliard) Date: Mon, 17 Aug 2015 08:10:49 +0200 Subject: [Apiman-user] Announcement: apiman 1.1.6.Final released In-Reply-To: <55CE4054.10501@redhat.com> References: <55CE4054.10501@redhat.com> Message-ID: <55D17AE9.1050205@redhat.com> Excellent & great news. On 14/08/15 21:24, Eric Wittmann wrote: > What's new in this release? > > * Quota policy (# of requests) > * Transfer quota policy (# of bytes) > * URL Rewriting policy > * Caching policy (use with care) > * Tech Preview: Vert.x 3 Gateway Impl (you'll need to build this > yourself to try it!) > * Application Metrics > * (Optional) Send the Service Version in an HTTP Header instead of in > the managed endpoint path > > Of course we fixed a bunch of bugs too! > > Have a look at the release notes: > > https://issues.jboss.org/secure/ReleaseNote.jspa?projectId=12314121&version=12327699 > > Or as always go to the project site: > > http://www.apiman.io/ > > -Eric > _______________________________________________ > Apiman-user mailing list > Apiman-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/apiman-user From marc.savy at redhat.com Mon Aug 17 07:15:19 2015 From: marc.savy at redhat.com (Marc Savy) Date: Mon, 17 Aug 2015 12:15:19 +0100 Subject: [Apiman-user] Token is not active. In-Reply-To: References: <55C8D8C6.8020203@redhat.com> <55C9AF70.2030501@redhat.com> <55CCD1CE.9010705@redhat.com> <55CE1282.9090605@redhat.com> Message-ID: <55D1C247.8010506@redhat.com> Also, please provide feedback in the JIRA ticket, if you can - https://issues.jboss.org/browse/APIMAN-623 You haven't provided enough detail for us to reconstruct your problem (with regards to using query parameters). On 14/08/2015 21:08, Fadi Abdin wrote: > I was only able to see the problem on the string parameter , but not the > bearer token when i use curl. that might do the trick for me after all > the struggle. > > I'm having another problem with Bearer Token and CORS , thats why i'm > not using it and it works fine with the parameter .. I'll open another > case for this > > On Fri, Aug 14, 2015 at 12:08 PM, Marc Savy > wrote: > > Hi Fadi, > > Will be happy to investigate. Could you try another test for me, please? > > Instead of setting the query parameter access_token, can you please > instead use the Authorization header? This is a bit more resistant > to some weirder forms of caching that might be going on in your > pipeline. > > Authorization: Bearer > > Do *not* set the access_token query param. > > In cURL you can do this by putting: > > curl -v -H "Authorization: Bearer " > > Regards, > Marc > > On 14/08/2015 16:47, Fadi Abdin wrote: > > I'm FINALLY ready to write a jira ticket , i think i'm able to > identify > the what is happening > > The logs coming in the policy prints the token information, I was > surprised to find that sometimes the token being sent is NOT the > correct > token I sent to APIMan, > > Example, If I hit a service with a token A , it prints the token B . > Token A is my token which is valid and i just got it , But token > B is > NOT even mine and is expired from yesterday. > > And this make sense to work after a restart , because it flushes > all the > tokens and start fresh. > > If there is a quick way to fix it , flush the tokens or whatever > please > let me know . > I'm going to file a jira ticket , but i need things to work asap > because > we are in QA now and going to production soon. > > > > On Thu, Aug 13, 2015 at 1:20 PM, Eric Wittmann > > >> wrote: > > Fadi - we definitely do want to get to the bottom of this, > so are > happy to do what we can to help. > > Hopefully Marc's version of the OAuth2 plugin will help > generate > some information we can use to track down the problem. > > Can you please open a JIRA for this issue? And please > include as > much information as you can, for example: > > * Version of apiman > * Version of OAuth2 plugin > * Setup/configuration (example: is Keycloak on a separate > server?) > * Any other environmental information you think might be > relevant > > Having a JIRA issue will help us keep track of our progress > on this > issue. > > -Eric > > On 8/13/2015 11:52 AM, Fadi Abdin wrote: > > Marc / Eric, > > Thank you for your help in the past , i really > appreciate it . > but my > issue did not get resolved yet . > > My Application is really simple , i get a token from > keycloak > and use > that token call API MAN services . > > When the application is fresh installed , this problem > does not > happened > often , but once many users using it and over time , it > will start > rejecting tokens with the "Token is not active" message . > > for example if my service is on > https://myserver.com/api-gateway/myservice i pass a token like > with an > access_token parameter > > https://myserver.com/api-gateway/myservice?access_token= value> > some time it return a value and some times not . i'm always > using a new > browser , so its not the cashing. > > The only way to solve the issue is to restart > keycloak/apiman , > seems > they back in sync . > > It started a small problem with dev , but now its expanding > because our > product with the QA people and this escalating .. Is > there a way you > guys can help us a little more ? is there a paid support ? > > Thanks, > > > > On Tue, Aug 11, 2015 at 4:16 AM, Marc Savy > > > > >>> wrote: > > I think this may pertain to the Keycloak OAuth2 > token. In > which case, I > provided Fadi with a version containing additional > logging > to see if we > could track the issue down. > > It's not an issue I've ever been able to > replicate, and we > don't fiddle > with the token data in any way, so I don't really > see how > we could > affect things. > > My only suggestions are to ensure that time is > accurate on > all of the > systems (NTP, Chronyd, etc), and I believe this > has already > been done. > > > On 10/08/2015 18:00, Eric Wittmann wrote: > > How often does this occur? What is the result? > > I assume this is triggering a re-login in the UI? > > There is no caching on the apiman side. > However the tokens > issued by > keycloak to the apiman UI do have an > expiration. You > could try > logging > into the keycloak auth admin UI and increasing the > lifespan of > the tokens. > > Any more details you can provide would be great. > > -Eric > > On 8/10/2015 8:56 AM, Fadi Abdin wrote: > > I keep getting occasional "Token is not > active." on > they > keycloak side > occasionally . its really frustrating , i cant > figure out > what could > cause this to happen. everything seems > correct. > > Is there caching between API Man and > Keycloak i can > turn off > ? Have > anyone seeen this behavior ? > > Thanks, > Fadi > Express.com > > > > _______________________________________________ > Apiman-user mailing list > Apiman-user at lists.jboss.org >

> >

>> > https://lists.jboss.org/mailman/listinfo/apiman-user > > _______________________________________________ > Apiman-user mailing list > Apiman-user at lists.jboss.org >

> >

>> > https://lists.jboss.org/mailman/listinfo/apiman-user > > > > > > From fadiabdeen at gmail.com Mon Aug 17 08:57:17 2015 From: fadiabdeen at gmail.com (Fadi Abdin) Date: Mon, 17 Aug 2015 08:57:17 -0400 Subject: [Apiman-user] Token is not active. In-Reply-To: <55D1C247.8010506@redhat.com> References: <55C8D8C6.8020203@redhat.com> <55C9AF70.2030501@redhat.com> <55CCD1CE.9010705@redhat.com> <55CE1282.9090605@redhat.com> <55D1C247.8010506@redhat.com> Message-ID: Ok. I'm also going to comment on the CORS Jira https://issues.jboss.org/browse/APIMAN-516 . this might not be the same issue i see. On Mon, Aug 17, 2015 at 7:15 AM, Marc Savy wrote: > Also, please provide feedback in the JIRA ticket, if you can - > https://issues.jboss.org/browse/APIMAN-623 > > You haven't provided enough detail for us to reconstruct your problem > (with regards to using query parameters). > > On 14/08/2015 21:08, Fadi Abdin wrote: > >> I was only able to see the problem on the string parameter , but not the >> bearer token when i use curl. that might do the trick for me after all >> the struggle. >> >> I'm having another problem with Bearer Token and CORS , thats why i'm >> not using it and it works fine with the parameter .. I'll open another >> case for this >> >> On Fri, Aug 14, 2015 at 12:08 PM, Marc Savy > > wrote: >> >> Hi Fadi, >> >> Will be happy to investigate. Could you try another test for me, >> please? >> >> Instead of setting the query parameter access_token, can you please >> instead use the Authorization header? This is a bit more resistant >> to some weirder forms of caching that might be going on in your >> pipeline. >> >> Authorization: Bearer >> >> Do *not* set the access_token query param. >> >> In cURL you can do this by putting: >> >> curl -v -H "Authorization: Bearer " >> >> Regards, >> Marc >> >> On 14/08/2015 16:47, Fadi Abdin wrote: >> >> I'm FINALLY ready to write a jira ticket , i think i'm able to >> identify >> the what is happening >> >> The logs coming in the policy prints the token information, I was >> surprised to find that sometimes the token being sent is NOT the >> correct >> token I sent to APIMan, >> >> Example, If I hit a service with a token A , it prints the token >> B . >> Token A is my token which is valid and i just got it , But token >> B is >> NOT even mine and is expired from yesterday. >> >> And this make sense to work after a restart , because it flushes >> all the >> tokens and start fresh. >> >> If there is a quick way to fix it , flush the tokens or whatever >> please >> let me know . >> I'm going to file a jira ticket , but i need things to work asap >> because >> we are in QA now and going to production soon. >> >> >> >> On Thu, Aug 13, 2015 at 1:20 PM, Eric Wittmann >> >> > >> >> wrote: >> >> Fadi - we definitely do want to get to the bottom of this, >> so are >> happy to do what we can to help. >> >> Hopefully Marc's version of the OAuth2 plugin will help >> generate >> some information we can use to track down the problem. >> >> Can you please open a JIRA for this issue? And please >> include as >> much information as you can, for example: >> >> * Version of apiman >> * Version of OAuth2 plugin >> * Setup/configuration (example: is Keycloak on a separate >> server?) >> * Any other environmental information you think might be >> relevant >> >> Having a JIRA issue will help us keep track of our progress >> on this >> issue. >> >> -Eric >> >> On 8/13/2015 11:52 AM, Fadi Abdin wrote: >> >> Marc / Eric, >> >> Thank you for your help in the past , i really >> appreciate it . >> but my >> issue did not get resolved yet . >> >> My Application is really simple , i get a token from >> keycloak >> and use >> that token call API MAN services . >> >> When the application is fresh installed , this problem >> does not >> happened >> often , but once many users using it and over time , it >> will start >> rejecting tokens with the "Token is not active" message . >> >> for example if my service is on >> https://myserver.com/api-gateway/myservice i pass a token like >> with an >> access_token parameter >> >> https://myserver.com/api-gateway/myservice?access_token=> value> >> some time it return a value and some times not . i'm >> always >> using a new >> browser , so its not the cashing. >> >> The only way to solve the issue is to restart >> keycloak/apiman , >> seems >> they back in sync . >> >> It started a small problem with dev , but now its >> expanding >> because our >> product with the QA people and this escalating .. Is >> there a way you >> guys can help us a little more ? is there a paid support >> ? >> >> Thanks, >> >> >> >> On Tue, Aug 11, 2015 at 4:16 AM, Marc Savy >> >> > marc.savy at redhat.com>> >> > > >>> wrote: >> >> I think this may pertain to the Keycloak OAuth2 >> token. In >> which case, I >> provided Fadi with a version containing additional >> logging >> to see if we >> could track the issue down. >> >> It's not an issue I've ever been able to >> replicate, and we >> don't fiddle >> with the token data in any way, so I don't really >> see how >> we could >> affect things. >> >> My only suggestions are to ensure that time is >> accurate on >> all of the >> systems (NTP, Chronyd, etc), and I believe this >> has already >> been done. >> >> >> On 10/08/2015 18:00, Eric Wittmann wrote: >> >> How often does this occur? What is the result? >> >> I assume this is triggering a re-login in the >> UI? >> >> There is no caching on the apiman side. >> However the tokens >> issued by >> keycloak to the apiman UI do have an >> expiration. You >> could try >> logging >> into the keycloak auth admin UI and increasing >> the >> lifespan of >> the tokens. >> >> Any more details you can provide would be great. >> >> -Eric >> >> On 8/10/2015 8:56 AM, Fadi Abdin wrote: >> >> I keep getting occasional "Token is not >> active." on >> they >> keycloak side >> occasionally . its really frustrating , i >> cant >> figure out >> what could >> cause this to happen. everything seems >> correct. >> >> Is there caching between API Man and >> Keycloak i can >> turn off >> ? Have >> anyone seeen this behavior ? >> >> Thanks, >> Fadi >> Express.com >> >> >> >> _______________________________________________ >> Apiman-user mailing list >> Apiman-user at lists.jboss.org >> > > >> > >> > >> >> https://lists.jboss.org/mailman/listinfo/apiman-user >> >> _______________________________________________ >> Apiman-user mailing list >> Apiman-user at lists.jboss.org >> > > >> > >> > >> >> https://lists.jboss.org/mailman/listinfo/apiman-user >> >> >> >> >> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/apiman-user/attachments/20150817/4e524171/attachment-0001.html From fadiabdeen at gmail.com Mon Aug 17 10:44:43 2015 From: fadiabdeen at gmail.com (Fadi Abdin) Date: Mon, 17 Aug 2015 10:44:43 -0400 Subject: [Apiman-user] CORS Message-ID: I have a problem in calling a service in apiman-gateway with the Authorization: Bearer in the header. It seems to preflight OPTIONS and return 1. X-Policy-Failure-Message: OAuth2 'Authorization' header or 'access_token' query parameter must be provided. I am sending the bearer token with the request and i make sure in the preflight its sent in the request. 1. Access-Control-Request-Headers: accept, authorization Does anyone know if there Is something i'm missing ? do i need to get authorization enabled or added anywhere ? as a side note i have below in my api as well: response.setHeader("Access-Control-Allow-Headers", "Authorization"); -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/apiman-user/attachments/20150817/74821f71/attachment.html From eric.wittmann at redhat.com Mon Aug 17 10:51:51 2015 From: eric.wittmann at redhat.com (Eric Wittmann) Date: Mon, 17 Aug 2015 10:51:51 -0400 Subject: [Apiman-user] Note: DDL problems with apiman 1.1.6.Final Message-ID: <55D1F507.90609@redhat.com> Hey everyone. There are a couple minor DDL problems (primarily in the postgres DDL) which snuck into version 1.1.6.Final. I will fix these and get them committed to git so you can pull them down. The ones that come with the 1.1.6.Final distribution will not work without some tweaks. FYI! -Eric From marc.savy at redhat.com Mon Aug 17 10:52:08 2015 From: marc.savy at redhat.com (Marc Savy) Date: Mon, 17 Aug 2015 15:52:08 +0100 Subject: [Apiman-user] CORS In-Reply-To: References: Message-ID: <55D1F518.2080804@redhat.com> Hi, This is related to the JIRA I linked you to (https://issues.jboss.org/browse/APIMAN-516). Because of the way the policy chain currently works the behaviour of CORS is invalid in a few very specific cases (e.g. when you stack it with an auth policy). I'll let you know when it's fixed. Regards, Marc On 17/08/2015 15:44, Fadi Abdin wrote: > I have a problem in calling a service in apiman-gateway with the > Authorization: Bearer in the header. > > It seems to preflight OPTIONS and return > > 1. > X-Policy-Failure-Message: > OAuth2 'Authorization' header or 'access_token' query parameter must > be provided. > > I am sending the bearer token with the request and i make sure in the > preflight its sent in the request. > > 1. > Access-Control-Request-Headers: > accept, authorization > > Does anyone know if there Is something i'm missing ? do i need to get > authorization enabled or added anywhere ? as a side note i have below in > my api as well: > > response.setHeader("Access-Control-Allow-Headers", "Authorization"); > > > _______________________________________________ > Apiman-user mailing list > Apiman-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/apiman-user > From fadiabdeen at gmail.com Mon Aug 17 11:23:07 2015 From: fadiabdeen at gmail.com (Fadi Abdin) Date: Mon, 17 Aug 2015 11:23:07 -0400 Subject: [Apiman-user] CORS In-Reply-To: <55D1F518.2080804@redhat.com> References: <55D1F518.2080804@redhat.com> Message-ID: Thank you Marc, Is there a work around that you can think of ? I'm doing it with angularjs , very simple $http({method: 'GET', url: 'http://server/apiman-gateway/service', headers: { 'Authorization': 'Bearer XXXXXXXXXXXXX'} }); I assume you will fix it in the new version , right? On Mon, Aug 17, 2015 at 10:52 AM, Marc Savy wrote: > Hi, > > This is related to the JIRA I linked you to ( > https://issues.jboss.org/browse/APIMAN-516). Because of the way the > policy chain currently works the behaviour of CORS is invalid in a few very > specific cases (e.g. when you stack it with an auth policy). I'll let you > know when it's fixed. > > Regards, > Marc > > On 17/08/2015 15:44, Fadi Abdin wrote: > >> I have a problem in calling a service in apiman-gateway with the >> Authorization: Bearer in the header. >> >> It seems to preflight OPTIONS and return >> >> 1. >> X-Policy-Failure-Message: >> OAuth2 'Authorization' header or 'access_token' query parameter must >> be provided. >> >> I am sending the bearer token with the request and i make sure in the >> preflight its sent in the request. >> >> 1. >> Access-Control-Request-Headers: >> accept, authorization >> >> Does anyone know if there Is something i'm missing ? do i need to get >> authorization enabled or added anywhere ? as a side note i have below in >> my api as well: >> >> response.setHeader("Access-Control-Allow-Headers", "Authorization"); >> >> >> _______________________________________________ >> Apiman-user mailing list >> Apiman-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/apiman-user >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/apiman-user/attachments/20150817/a01a1fa9/attachment.html From marc.savy at redhat.com Mon Aug 17 11:37:17 2015 From: marc.savy at redhat.com (Marc Savy) Date: Mon, 17 Aug 2015 16:37:17 +0100 Subject: [Apiman-user] CORS In-Reply-To: References: <55D1F518.2080804@redhat.com> Message-ID: <55D1FFAD.3000201@redhat.com> I'm actually testing the fix right now. It will land both on the 1.2.x branch and the 1.1.x branch shortly. You should be able to test it out in a short while: I'll send you an email when it's available. On 17/08/2015 16:23, Fadi Abdin wrote: > Thank you Marc, > Is there a work around that you can think of ? > I'm doing it with angularjs , very simple > > $http({method: 'GET', url: 'http://server/apiman-gateway/service', > headers: { > 'Authorization': 'Bearer XXXXXXXXXXXXX'} > }); > > I assume you will fix it in the new version , right? > > > > On Mon, Aug 17, 2015 at 10:52 AM, Marc Savy > wrote: > > Hi, > > This is related to the JIRA I linked you to > (https://issues.jboss.org/browse/APIMAN-516). Because of the way the > policy chain currently works the behaviour of CORS is invalid in a > few very specific cases (e.g. when you stack it with an auth > policy). I'll let you know when it's fixed. > > Regards, > Marc > > On 17/08/2015 15:44, Fadi Abdin wrote: > > I have a problem in calling a service in apiman-gateway with the > Authorization: Bearer in the header. > > It seems to preflight OPTIONS and return > > 1. > X-Policy-Failure-Message: > OAuth2 'Authorization' header or 'access_token' query > parameter must > be provided. > > I am sending the bearer token with the request and i make sure > in the > preflight its sent in the request. > > 1. > Access-Control-Request-Headers: > accept, authorization > > Does anyone know if there Is something i'm missing ? do i need > to get > authorization enabled or added anywhere ? as a side note i have > below in > my api as well: > > response.setHeader("Access-Control-Allow-Headers", "Authorization"); > > > _______________________________________________ > Apiman-user mailing list > Apiman-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/apiman-user > > > From fadiabdeen at gmail.com Mon Aug 17 11:38:54 2015 From: fadiabdeen at gmail.com (Fadi Abdin) Date: Mon, 17 Aug 2015 11:38:54 -0400 Subject: [Apiman-user] CORS In-Reply-To: <55D1FFAD.3000201@redhat.com> References: <55D1F518.2080804@redhat.com> <55D1FFAD.3000201@redhat.com> Message-ID: cool .. you're the man ;) On Mon, Aug 17, 2015 at 11:37 AM, Marc Savy wrote: > I'm actually testing the fix right now. It will land both on the 1.2.x > branch and the 1.1.x branch shortly. You should be able to test it out > in a short while: I'll send you an email when it's available. > > On 17/08/2015 16:23, Fadi Abdin wrote: > >> Thank you Marc, >> Is there a work around that you can think of ? >> I'm doing it with angularjs , very simple >> >> $http({method: 'GET', url: 'http://server/apiman-gateway/service', >> headers: { >> 'Authorization': 'Bearer XXXXXXXXXXXXX'} >> }); >> >> I assume you will fix it in the new version , right? >> >> >> >> On Mon, Aug 17, 2015 at 10:52 AM, Marc Savy > > wrote: >> >> Hi, >> >> This is related to the JIRA I linked you to >> (https://issues.jboss.org/browse/APIMAN-516). Because of the way the >> policy chain currently works the behaviour of CORS is invalid in a >> few very specific cases (e.g. when you stack it with an auth >> policy). I'll let you know when it's fixed. >> >> Regards, >> Marc >> >> On 17/08/2015 15:44, Fadi Abdin wrote: >> >> I have a problem in calling a service in apiman-gateway with the >> Authorization: Bearer in the header. >> >> It seems to preflight OPTIONS and return >> >> 1. >> X-Policy-Failure-Message: >> OAuth2 'Authorization' header or 'access_token' query >> parameter must >> be provided. >> >> I am sending the bearer token with the request and i make sure >> in the >> preflight its sent in the request. >> >> 1. >> Access-Control-Request-Headers: >> accept, authorization >> >> Does anyone know if there Is something i'm missing ? do i need >> to get >> authorization enabled or added anywhere ? as a side note i have >> below in >> my api as well: >> >> response.setHeader("Access-Control-Allow-Headers", >> "Authorization"); >> >> >> _______________________________________________ >> Apiman-user mailing list >> Apiman-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/apiman-user >> >> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/apiman-user/attachments/20150817/4530fd58/attachment-0001.html From eric.wittmann at redhat.com Mon Aug 17 12:24:14 2015 From: eric.wittmann at redhat.com (Eric Wittmann) Date: Mon, 17 Aug 2015 12:24:14 -0400 Subject: [Apiman-user] CORS In-Reply-To: References: <55D1F518.2080804@redhat.com> <55D1FFAD.3000201@redhat.com> Message-ID: <55D20AAE.6000002@redhat.com> +1 On 8/17/2015 11:38 AM, Fadi Abdin wrote: > cool .. you're the man ;) > > > On Mon, Aug 17, 2015 at 11:37 AM, Marc Savy > wrote: > > I'm actually testing the fix right now. It will land both on the 1.2.x > branch and the 1.1.x branch shortly. You should be able to test it out > in a short while: I'll send you an email when it's available. > > On 17/08/2015 16:23, Fadi Abdin wrote: > > Thank you Marc, > Is there a work around that you can think of ? > I'm doing it with angularjs , very simple > > $http({method: 'GET', url: 'http://server/apiman-gateway/service', > headers: { > 'Authorization': 'Bearer XXXXXXXXXXXXX'} > }); > > I assume you will fix it in the new version , right? > > > > On Mon, Aug 17, 2015 at 10:52 AM, Marc Savy > > >> wrote: > > Hi, > > This is related to the JIRA I linked you to > (https://issues.jboss.org/browse/APIMAN-516). Because of > the way the > policy chain currently works the behaviour of CORS is > invalid in a > few very specific cases (e.g. when you stack it with an auth > policy). I'll let you know when it's fixed. > > Regards, > Marc > > On 17/08/2015 15:44, Fadi Abdin wrote: > > I have a problem in calling a service in apiman-gateway > with the > Authorization: Bearer in the header. > > It seems to preflight OPTIONS and return > > 1. > X-Policy-Failure-Message: > OAuth2 'Authorization' header or 'access_token' query > parameter must > be provided. > > I am sending the bearer token with the request and i > make sure > in the > preflight its sent in the request. > > 1. > Access-Control-Request-Headers: > accept, authorization > > Does anyone know if there Is something i'm missing ? > do i need > to get > authorization enabled or added anywhere ? as a side > note i have > below in > my api as well: > > response.setHeader("Access-Control-Allow-Headers", > "Authorization"); > > > _______________________________________________ > Apiman-user mailing list > Apiman-user at lists.jboss.org >

> > https://lists.jboss.org/mailman/listinfo/apiman-user > > > > > > > > _______________________________________________ > Apiman-user mailing list > Apiman-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/apiman-user > From marc.savy at redhat.com Mon Aug 17 13:32:47 2015 From: marc.savy at redhat.com (Marc Savy) Date: Mon, 17 Aug 2015 18:32:47 +0100 Subject: [Apiman-user] CORS In-Reply-To: References: <55D1F518.2080804@redhat.com> <55D1FFAD.3000201@redhat.com> Message-ID: <55D21ABF.6050901@redhat.com> Hi Fadi, Please feel free to try this out - you'll be building 1.1.7-SNAPSHOT of apiman/apiman and apiman/apiman-plugins. apiman: git fetch origin pull/180/head:fix-cors git checkout fix-cors mvn clean install apiman-plugins: git fetch origin pull/26/head:fix-cors git checkout fix-cors mvn clean install Make sure you build them in the order shown above and use 1.1.7-SNAPSHOT of the CORS plugin. This is using a snapshot from my PRs, so please don't forget about it later, otherwise you'll be stuck on an old version! Regards, Marc On 17/08/2015 16:38, Fadi Abdin wrote: > cool .. you're the man ;) > > > On Mon, Aug 17, 2015 at 11:37 AM, Marc Savy > wrote: > > I'm actually testing the fix right now. It will land both on the 1.2.x > branch and the 1.1.x branch shortly. You should be able to test it out > in a short while: I'll send you an email when it's available. > > On 17/08/2015 16:23, Fadi Abdin wrote: > > Thank you Marc, > Is there a work around that you can think of ? > I'm doing it with angularjs , very simple > > $http({method: 'GET', url: 'http://server/apiman-gateway/service', > headers: { > 'Authorization': 'Bearer XXXXXXXXXXXXX'} > }); > > I assume you will fix it in the new version , right? > > > > On Mon, Aug 17, 2015 at 10:52 AM, Marc Savy > > >> wrote: > > Hi, > > This is related to the JIRA I linked you to > (https://issues.jboss.org/browse/APIMAN-516). Because of > the way the > policy chain currently works the behaviour of CORS is > invalid in a > few very specific cases (e.g. when you stack it with an auth > policy). I'll let you know when it's fixed. > > Regards, > Marc > > On 17/08/2015 15:44, Fadi Abdin wrote: > > I have a problem in calling a service in apiman-gateway > with the > Authorization: Bearer in the header. > > It seems to preflight OPTIONS and return > > 1. > X-Policy-Failure-Message: > OAuth2 'Authorization' header or 'access_token' query > parameter must > be provided. > > I am sending the bearer token with the request and i > make sure > in the > preflight its sent in the request. > > 1. > Access-Control-Request-Headers: > accept, authorization > > Does anyone know if there Is something i'm missing ? > do i need > to get > authorization enabled or added anywhere ? as a side > note i have > below in > my api as well: > > response.setHeader("Access-Control-Allow-Headers", > "Authorization"); > > > _______________________________________________ > Apiman-user mailing list > Apiman-user at lists.jboss.org >

> > https://lists.jboss.org/mailman/listinfo/apiman-user > > > > > From eric.wittmann at redhat.com Mon Aug 17 14:02:43 2015 From: eric.wittmann at redhat.com (Eric Wittmann) Date: Mon, 17 Aug 2015 14:02:43 -0400 Subject: [Apiman-user] CORS In-Reply-To: <55D21ABF.6050901@redhat.com> References: <55D1F518.2080804@redhat.com> <55D1FFAD.3000201@redhat.com> <55D21ABF.6050901@redhat.com> Message-ID: <55D221C3.2010507@redhat.com> Or if you can wait for 30 minutes you can do all this from 'master' or from the '1.1.x' branch. :) -Eric On 8/17/2015 1:32 PM, Marc Savy wrote: > Hi Fadi, > > Please feel free to try this out - you'll be building 1.1.7-SNAPSHOT > of apiman/apiman and apiman/apiman-plugins. > > apiman: > > git fetch origin pull/180/head:fix-cors > git checkout fix-cors > mvn clean install > > apiman-plugins: > > git fetch origin pull/26/head:fix-cors > git checkout fix-cors > mvn clean install > > Make sure you build them in the order shown above and use 1.1.7-SNAPSHOT > of the CORS plugin. > > This is using a snapshot from my PRs, so please don't forget about it > later, otherwise you'll be stuck on an old version! > > Regards, > Marc > > On 17/08/2015 16:38, Fadi Abdin wrote: >> cool .. you're the man ;) >> >> >> On Mon, Aug 17, 2015 at 11:37 AM, Marc Savy > > wrote: >> >> I'm actually testing the fix right now. It will land both on the 1.2.x >> branch and the 1.1.x branch shortly. You should be able to test it out >> in a short while: I'll send you an email when it's available. >> >> On 17/08/2015 16:23, Fadi Abdin wrote: >> >> Thank you Marc, >> Is there a work around that you can think of ? >> I'm doing it with angularjs , very simple >> >> $http({method: 'GET', url: 'http://server/apiman-gateway/service', >> headers: { >> 'Authorization': 'Bearer XXXXXXXXXXXXX'} >> }); >> >> I assume you will fix it in the new version , right? >> >> >> >> On Mon, Aug 17, 2015 at 10:52 AM, Marc Savy >> >> >> wrote: >> >> Hi, >> >> This is related to the JIRA I linked you to >> (https://issues.jboss.org/browse/APIMAN-516). Because of >> the way the >> policy chain currently works the behaviour of CORS is >> invalid in a >> few very specific cases (e.g. when you stack it with an auth >> policy). I'll let you know when it's fixed. >> >> Regards, >> Marc >> >> On 17/08/2015 15:44, Fadi Abdin wrote: >> >> I have a problem in calling a service in apiman-gateway >> with the >> Authorization: Bearer in the header. >> >> It seems to preflight OPTIONS and return >> >> 1. >> X-Policy-Failure-Message: >> OAuth2 'Authorization' header or 'access_token' query >> parameter must >> be provided. >> >> I am sending the bearer token with the request and i >> make sure >> in the >> preflight its sent in the request. >> >> 1. >> Access-Control-Request-Headers: >> accept, authorization >> >> Does anyone know if there Is something i'm missing ? >> do i need >> to get >> authorization enabled or added anywhere ? as a side >> note i have >> below in >> my api as well: >> >> response.setHeader("Access-Control-Allow-Headers", >> "Authorization"); >> >> >> _______________________________________________ >> Apiman-user mailing list >> Apiman-user at lists.jboss.org >> > > >> https://lists.jboss.org/mailman/listinfo/apiman-user >> >> >> >> >> > > _______________________________________________ > Apiman-user mailing list > Apiman-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/apiman-user > From fadiabdeen at gmail.com Mon Aug 17 14:11:18 2015 From: fadiabdeen at gmail.com (Fadi Abdin) Date: Mon, 17 Aug 2015 14:11:18 -0400 Subject: [Apiman-user] CORS In-Reply-To: <55D221C3.2010507@redhat.com> References: <55D1F518.2080804@redhat.com> <55D1FFAD.3000201@redhat.com> <55D21ABF.6050901@redhat.com> <55D221C3.2010507@redhat.com> Message-ID: yeah i can wait. The way i run apiman is by downloading wildfly and the apiman-overlay zip files and then unzip and run .. Do you have instructions somewhere to update with a new version by building the code ? i can mvn install and drop the files , but i dont think this is enough , is it ? On Mon, Aug 17, 2015 at 2:02 PM, Eric Wittmann wrote: > Or if you can wait for 30 minutes you can do all this from 'master' or > from the '1.1.x' branch. :) > > -Eric > > > On 8/17/2015 1:32 PM, Marc Savy wrote: > >> Hi Fadi, >> >> Please feel free to try this out - you'll be building 1.1.7-SNAPSHOT >> of apiman/apiman and apiman/apiman-plugins. >> >> apiman: >> >> git fetch origin pull/180/head:fix-cors >> git checkout fix-cors >> mvn clean install >> >> apiman-plugins: >> >> git fetch origin pull/26/head:fix-cors >> git checkout fix-cors >> mvn clean install >> >> Make sure you build them in the order shown above and use 1.1.7-SNAPSHOT >> of the CORS plugin. >> >> This is using a snapshot from my PRs, so please don't forget about it >> later, otherwise you'll be stuck on an old version! >> >> Regards, >> Marc >> >> On 17/08/2015 16:38, Fadi Abdin wrote: >> >>> cool .. you're the man ;) >>> >>> >>> On Mon, Aug 17, 2015 at 11:37 AM, Marc Savy >> > wrote: >>> >>> I'm actually testing the fix right now. It will land both on the >>> 1.2.x >>> branch and the 1.1.x branch shortly. You should be able to test it >>> out >>> in a short while: I'll send you an email when it's available. >>> >>> On 17/08/2015 16:23, Fadi Abdin wrote: >>> >>> Thank you Marc, >>> Is there a work around that you can think of ? >>> I'm doing it with angularjs , very simple >>> >>> $http({method: 'GET', url: ' >>> http://server/apiman-gateway/service', >>> headers: { >>> 'Authorization': 'Bearer XXXXXXXXXXXXX'} >>> }); >>> >>> I assume you will fix it in the new version , right? >>> >>> >>> >>> On Mon, Aug 17, 2015 at 10:52 AM, Marc Savy >>> >>> >> >>> wrote: >>> >>> Hi, >>> >>> This is related to the JIRA I linked you to >>> (https://issues.jboss.org/browse/APIMAN-516). Because of >>> the way the >>> policy chain currently works the behaviour of CORS is >>> invalid in a >>> few very specific cases (e.g. when you stack it with an >>> auth >>> policy). I'll let you know when it's fixed. >>> >>> Regards, >>> Marc >>> >>> On 17/08/2015 15:44, Fadi Abdin wrote: >>> >>> I have a problem in calling a service in apiman-gateway >>> with the >>> Authorization: Bearer in the header. >>> >>> It seems to preflight OPTIONS and return >>> >>> 1. >>> X-Policy-Failure-Message: >>> OAuth2 'Authorization' header or 'access_token' >>> query >>> parameter must >>> be provided. >>> >>> I am sending the bearer token with the request and i >>> make sure >>> in the >>> preflight its sent in the request. >>> >>> 1. >>> Access-Control-Request-Headers: >>> accept, authorization >>> >>> Does anyone know if there Is something i'm missing ? >>> do i need >>> to get >>> authorization enabled or added anywhere ? as a side >>> note i have >>> below in >>> my api as well: >>> >>> response.setHeader("Access-Control-Allow-Headers", >>> "Authorization"); >>> >>> >>> _______________________________________________ >>> Apiman-user mailing list >>> Apiman-user at lists.jboss.org >> > >>> >> > >>> https://lists.jboss.org/mailman/listinfo/apiman-user >>> >>> >>> >>> >>> >>> >> _______________________________________________ >> Apiman-user mailing list >> Apiman-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/apiman-user >> >> -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/apiman-user/attachments/20150817/36f6e67f/attachment-0001.html From eric.wittmann at redhat.com Mon Aug 17 14:47:34 2015 From: eric.wittmann at redhat.com (Eric Wittmann) Date: Mon, 17 Aug 2015 14:47:34 -0400 Subject: [Apiman-user] CORS In-Reply-To: References: <55D1F518.2080804@redhat.com> <55D1FFAD.3000201@redhat.com> <55D21ABF.6050901@redhat.com> <55D221C3.2010507@redhat.com> Message-ID: <55D22C46.8060208@redhat.com> If you build apiman from source using maven, the same ZIP file you've been using via the download mechanism will be created. For example: git clone git at github.com:apiman/apiman.git cd apiman git checkout 1.1.x mvn clean install -DskipTests ls -al distro/wildfly8/target/apiman-distro-wildfly8-1.2.0-SNAPSHOT-overlay.zip That file should now exist - you can copy it off somewhere and use it just like the one you normally download. For the plugin, you simply need to check out the code and build it. Then you can add the plugin via the UI as normal. Example: git clone git at github.com:apiman/apiman-plugins.git cd apiman-plugins mvn clean install Then use the UI to install it. -Eric On 8/17/2015 2:11 PM, Fadi Abdin wrote: > yeah i can wait. > > The way i run apiman is by downloading wildfly and the apiman-overlay > zip files and then unzip and run .. > > Do you have instructions somewhere to update with a new version by > building the code ? i can mvn install and drop the files , but i dont > think this is enough , is it ? > > On Mon, Aug 17, 2015 at 2:02 PM, Eric Wittmann > wrote: > > Or if you can wait for 30 minutes you can do all this from 'master' > or from the '1.1.x' branch. :) > > -Eric > > > On 8/17/2015 1:32 PM, Marc Savy wrote: > > Hi Fadi, > > Please feel free to try this out - you'll be building 1.1.7-SNAPSHOT > of apiman/apiman and apiman/apiman-plugins. > > apiman: > > git fetch origin pull/180/head:fix-cors > git checkout fix-cors > mvn clean install > > apiman-plugins: > > git fetch origin pull/26/head:fix-cors > git checkout fix-cors > mvn clean install > > Make sure you build them in the order shown above and use > 1.1.7-SNAPSHOT > of the CORS plugin. > > This is using a snapshot from my PRs, so please don't forget > about it > later, otherwise you'll be stuck on an old version! > > Regards, > Marc > > On 17/08/2015 16:38, Fadi Abdin wrote: > > cool .. you're the man ;) > > > On Mon, Aug 17, 2015 at 11:37 AM, Marc Savy > > >> > wrote: > > I'm actually testing the fix right now. It will land > both on the 1.2.x > branch and the 1.1.x branch shortly. You should be > able to test it out > in a short while: I'll send you an email when it's > available. > > On 17/08/2015 16:23, Fadi Abdin wrote: > > Thank you Marc, > Is there a work around that you can think of ? > I'm doing it with angularjs , very simple > > $http({method: 'GET', url: > 'http://server/apiman-gateway/service', > headers: { > 'Authorization': 'Bearer XXXXXXXXXXXXX'} > }); > > I assume you will fix it in the new version , right? > > > > On Mon, Aug 17, 2015 at 10:52 AM, Marc Savy > > > >>> wrote: > > Hi, > > This is related to the JIRA I linked you to > (https://issues.jboss.org/browse/APIMAN-516). > Because of > the way the > policy chain currently works the behaviour of > CORS is > invalid in a > few very specific cases (e.g. when you stack > it with an auth > policy). I'll let you know when it's fixed. > > Regards, > Marc > > On 17/08/2015 15:44, Fadi Abdin wrote: > > I have a problem in calling a service in > apiman-gateway > with the > Authorization: Bearer in the header. > > It seems to preflight OPTIONS and return > > 1. > X-Policy-Failure-Message: > OAuth2 'Authorization' header or > 'access_token' query > parameter must > be provided. > > I am sending the bearer token with the > request and i > make sure > in the > preflight its sent in the request. > > 1. > Access-Control-Request-Headers: > accept, authorization > > Does anyone know if there Is something > i'm missing ? > do i need > to get > authorization enabled or added anywhere ? > as a side > note i have > below in > my api as well: > > > response.setHeader("Access-Control-Allow-Headers", > "Authorization"); > > > > _______________________________________________ > Apiman-user mailing list > Apiman-user at lists.jboss.org > >

> >

>> > https://lists.jboss.org/mailman/listinfo/apiman-user > > > > > > > _______________________________________________ > Apiman-user mailing list > Apiman-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/apiman-user > > From eric.wittmann at redhat.com Mon Aug 17 14:56:47 2015 From: eric.wittmann at redhat.com (Eric Wittmann) Date: Mon, 17 Aug 2015 14:56:47 -0400 Subject: [Apiman-user] CORS In-Reply-To: <55D22C46.8060208@redhat.com> References: <55D1F518.2080804@redhat.com> <55D1FFAD.3000201@redhat.com> <55D21ABF.6050901@redhat.com> <55D221C3.2010507@redhat.com> <55D22C46.8060208@redhat.com> Message-ID: <55D22E6F.1080901@redhat.com> Correction on my instructions below. Thanks to msavy for pointing this out: git clone git at github.com:apiman/apiman.git cd apiman git checkout 1.1.x mvn clean install -DskipTests ls -al distro/wildfly8/target/apiman-distro-wildfly8-1.1.7-SNAPSHOT-overlay.zip Also don't forget to use 1.1.7-SNAPSHOT when you install the CORS plugin. -Eric On 8/17/2015 2:47 PM, Eric Wittmann wrote: > If you build apiman from source using maven, the same ZIP file you've > been using via the download mechanism will be created. For example: > > git clone git at github.com:apiman/apiman.git > cd apiman > git checkout 1.1.x > mvn clean install -DskipTests > ls -al > distro/wildfly8/target/apiman-distro-wildfly8-1.2.0-SNAPSHOT-overlay.zip > > That file should now exist - you can copy it off somewhere and use it > just like the one you normally download. > > For the plugin, you simply need to check out the code and build it. Then > you can add the plugin via the UI as normal. Example: > > git clone git at github.com:apiman/apiman-plugins.git > cd apiman-plugins > mvn clean install > > Then use the UI to install it. > > -Eric > > On 8/17/2015 2:11 PM, Fadi Abdin wrote: >> yeah i can wait. >> >> The way i run apiman is by downloading wildfly and the apiman-overlay >> zip files and then unzip and run .. >> >> Do you have instructions somewhere to update with a new version by >> building the code ? i can mvn install and drop the files , but i dont >> think this is enough , is it ? >> >> On Mon, Aug 17, 2015 at 2:02 PM, Eric Wittmann > > wrote: >> >> Or if you can wait for 30 minutes you can do all this from 'master' >> or from the '1.1.x' branch. :) >> >> -Eric >> >> >> On 8/17/2015 1:32 PM, Marc Savy wrote: >> >> Hi Fadi, >> >> Please feel free to try this out - you'll be building >> 1.1.7-SNAPSHOT >> of apiman/apiman and apiman/apiman-plugins. >> >> apiman: >> >> git fetch origin pull/180/head:fix-cors >> git checkout fix-cors >> mvn clean install >> >> apiman-plugins: >> >> git fetch origin pull/26/head:fix-cors >> git checkout fix-cors >> mvn clean install >> >> Make sure you build them in the order shown above and use >> 1.1.7-SNAPSHOT >> of the CORS plugin. >> >> This is using a snapshot from my PRs, so please don't forget >> about it >> later, otherwise you'll be stuck on an old version! >> >> Regards, >> Marc >> >> On 17/08/2015 16:38, Fadi Abdin wrote: >> >> cool .. you're the man ;) >> >> >> On Mon, Aug 17, 2015 at 11:37 AM, Marc Savy >> >> >> >> wrote: >> >> I'm actually testing the fix right now. It will land >> both on the 1.2.x >> branch and the 1.1.x branch shortly. You should be >> able to test it out >> in a short while: I'll send you an email when it's >> available. >> >> On 17/08/2015 16:23, Fadi Abdin wrote: >> >> Thank you Marc, >> Is there a work around that you can think of ? >> I'm doing it with angularjs , very simple >> >> $http({method: 'GET', url: >> 'http://server/apiman-gateway/service', >> headers: { >> 'Authorization': 'Bearer XXXXXXXXXXXXX'} >> }); >> >> I assume you will fix it in the new version , >> right? >> >> >> >> On Mon, Aug 17, 2015 at 10:52 AM, Marc Savy >> > > > >> > > >>> wrote: >> >> Hi, >> >> This is related to the JIRA I linked you to >> (https://issues.jboss.org/browse/APIMAN-516). >> Because of >> the way the >> policy chain currently works the behaviour of >> CORS is >> invalid in a >> few very specific cases (e.g. when you stack >> it with an auth >> policy). I'll let you know when it's fixed. >> >> Regards, >> Marc >> >> On 17/08/2015 15:44, Fadi Abdin wrote: >> >> I have a problem in calling a service in >> apiman-gateway >> with the >> Authorization: Bearer in the >> header. >> >> It seems to preflight OPTIONS and return >> >> 1. >> X-Policy-Failure-Message: >> OAuth2 'Authorization' header or >> 'access_token' query >> parameter must >> be provided. >> >> I am sending the bearer token with the >> request and i >> make sure >> in the >> preflight its sent in the request. >> >> 1. >> Access-Control-Request-Headers: >> accept, authorization >> >> Does anyone know if there Is something >> i'm missing ? >> do i need >> to get >> authorization enabled or added anywhere ? >> as a side >> note i have >> below in >> my api as well: >> >> >> response.setHeader("Access-Control-Allow-Headers", >> "Authorization"); >> >> >> >> _______________________________________________ >> Apiman-user mailing list >> Apiman-user at lists.jboss.org >> >> > > >> > >> > >> >> https://lists.jboss.org/mailman/listinfo/apiman-user >> >> >> >> >> >> >> _______________________________________________ >> Apiman-user mailing list >> Apiman-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/apiman-user >> >> From fadiabdeen at gmail.com Tue Aug 18 08:13:45 2015 From: fadiabdeen at gmail.com (Fadi Abdin) Date: Tue, 18 Aug 2015 08:13:45 -0400 Subject: [Apiman-user] Upgrade APIMan version Message-ID: Hello, Is there a way to update apiman version without losing keycloak and apiman configuration ? I follow the instructions on http://www.apiman.io/latest/download.html to install apiman , currently i'm on 1.1.3. I have keycloak setup with my custom realm which include LDAP connections and clients setup with their own secrets. For APIMan , i have my custom organization , services and keycloak plugin. I would like to upgrade without losing all this setup . Thanks, Fadi -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/apiman-user/attachments/20150818/b6857fb4/attachment.html From eric.wittmann at redhat.com Tue Aug 18 08:27:15 2015 From: eric.wittmann at redhat.com (Eric Wittmann) Date: Tue, 18 Aug 2015 08:27:15 -0400 Subject: [Apiman-user] Upgrade APIMan version In-Reply-To: References: Message-ID: <55D324A3.3020008@redhat.com> As it is still early days for apiman, we haven't worked out a robust upgrade process yet. It's something that is on the roadmap. The good news is that for keycloak the upgrade should be easy - just copy your database over from the old install to the new one. Sadly that won't work for apiman, as the database schema has changed. I'm sorry to say that your best bet is probably to install apiman fresh and then re-create your config either using the UI or the REST interface. In the future we plan on having an Export feature that will export all the apiman config to a file for import into a different server. Such a feature will help a lot for upgrades. -Eric On 8/18/2015 8:13 AM, Fadi Abdin wrote: > Hello, > > Is there a way to update apiman version without losing keycloak and > apiman configuration ? > > I follow the instructions on http://www.apiman.io/latest/download.html > to install apiman , currently i'm on 1.1.3. I have keycloak setup with > my custom realm which include LDAP connections and clients setup with > their own secrets. For APIMan , i have my custom organization , services > and keycloak plugin. > > I would like to upgrade without losing all this setup . > > Thanks, > Fadi > > > _______________________________________________ > Apiman-user mailing list > Apiman-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/apiman-user > From fadiabdeen at gmail.com Tue Aug 18 08:32:21 2015 From: fadiabdeen at gmail.com (Fadi Abdin) Date: Tue, 18 Aug 2015 08:32:21 -0400 Subject: [Apiman-user] Upgrade APIMan version In-Reply-To: <55D324A3.3020008@redhat.com> References: