[Apiman-user] Apiman & Keycloak

Charles Moulliard cmoulliard at redhat.com
Wed Sep 2 10:31:13 EDT 2015


Thx for your help. To avoid having the end user use getpostman, I have 
created a bash script to query apiman to get & extract the access_token 
from the HTTP response and next to call my service. Here is the script

https://gist.github.com/cmoulliard/026a1867222dfe7dcfeb

On 02/09/15 12:30, Marc Savy wrote:
> Part of it was that I want to show the steps that would be required
> if/when people are writing their own programs - so, extracting the
> token, adding it to the appropriate header, etc.
>
> However, you do hit on an issue I felt, which is that the blog doesn't
> explore enough of the more realistic setups where client secrets (and
> auth codes, etc) are used instead of username and password.
>
> Perhaps in a future blog I should explore it; however, I'm always wary
> about using a tool that might exclude some of the audience (e.g. people
> who use only Firefox; people who don't want to install an extension). If
> I do it as separate post, rather than modifying the original, then I
> think this could be acceptable.
>
> Thanks for your thoughts, I'll try to integrate something into my next
> postings.
>
> On 01/09/2015 17:34, Rafael Soares wrote:
>> Hi!
>>
>> One nice thing you could add to your post is the use of Postman REST
>> Client App [1] (Chrome addon).
>> Postman offers a way to get an oAuth2 access_token (JWT) and add it to
>> your request. All visually without having to get the access_token using
>> 'curl' or 'httpie' (CLI utilities).
>>
>> See Postman Helpers [2]. I used it for my demos when working with REST
>> endpoints. I managed to get it working with the APIMan/Keycloak oauth2.
>>
>> [1] https://www.getpostman.com/
>> [2] https://www.getpostman.com/docs/helpers
>>
>> ________________________
>> Rafael Torres Coelho Soares
>>
>> On Tue, Sep 1, 2015 at 12:41 PM, Charles Moulliard <cmoullia at redhat.com
>> <mailto:cmoullia at redhat.com>> wrote:
>>
>>     Fixed after changing user parameter. I'm able to get an access token
>>
>>     So i will be able to take some screenshots now & elaborate the
>>     instructions as addon of the excellent apiman & keycloak blog
>>     article ;-)
>>
>>     Sent from my iPhone
>>
>>      > On 1 sept. 2015, at 17:36, Charles Moulliard <cmoullia at redhat.com
>>     <mailto:cmoullia at redhat.com>> wrote:
>>      >
>>      > Works better now. I have also reset the password to demo and I
>>     get an account temporarily disabled
>>      >
>>      > Sent from my iPhone
>>      >
>>      >> On 1 sept. 2015, at 17:22, Marc Savy <marc.savy at redhat.com
>>     <mailto:marc.savy at redhat.com>> wrote:
>>      >>
>>      >>
>> http://localhost:8080/auth/admin/master/console/#/realms/demo/login-settings
>>     -> 'Direct Grant API' -> ON
>>      >>
>>      >> Now, curl -X POST
>> http://127.0.0.1:8080/auth/realms/demo/protocol/openid-connect/token
>>     -H "Content-Type: application/x-www-form-urlencoded" -d
>>     "username=demo" -d 'password=demo' -d 'grant_type=password' -d
>>     'client_id=demo'
>>      >>
>>      >> Works fine!
>>      >>
>>      >> As a side-note: I would also point your readers towards the
>>     Keycloak docs, as this may not be an optimal setup for their
>>     real-world requirements (e.g. they may want redirected
>>     login-screens, user registration, SAML, etc, etc).
>>      >>
>>      >>> On 01/09/2015 15:54, Charles Moulliard wrote:
>>      >>>
>>      >>> On 01/09/15 11:57, Marc Savy wrote:
>>      >>>> I would suggest you refer to the Keycloak documentation, as
>>     there are
>>      >>>> several ways to skin this particular cat. For instance, how
>>     you decide
>>      >>>> to set up your Keycloak configuration is highly dependent upon
>>     your
>>      >>>> specific requirements; whether you want token grants to be 
>> via the
>>      >>>> API-only, or an HTTP redirect based approach (see:
>>      >>>>
>> https://keycloak.github.io/docs/userguide/html/access-types.html); how
>>      >>>> you wish to divide up your application; the level of 
>> security you
>>      >>>> desire; any identity provision sources...
>>      >>>>
>>      >>>> At any rate, once you have Keycloak going, you would log in
>>     and click
>>      >>>> on 'create realm' (in my blog demo, that would be
>>      >>>> 
>> http://localhost:8080/auth/admin/master/console/#/create/realm) -
>>      >>>> then, add your client, roles, users, etc.
>>      >>>>
>>      >>>>> I have created a very basic use case :
>>      >>> - realm = demo,
>>      >>> - a user = demo and
>>      >>> - a client = demo where Direct Grants Only = ON and Access Type
>>     = Public
>>      >>>
>>      >>> but when I issue a request to get the Access Token,
>>      >>>
>>      >>> curl -X POST
>>      >>>
>> http://127.0.0.1:8080/auth/realms/demo/protocol/openid-connect/token -H
>>      >>> "Content-Type: application/x-www-form-urlencoded" -d
>>     "username=demo" -d
>>      >>> 'password=demo' -d 'grant_type=password' -d 'client_id=demo'
>>      >>>
>>      >>> I get  this error -->
>>      >>>
>>      >>> {"error_description":"Direct Grant REST API not
>>      >>> enabled","error":"not_enabled"}
>>      >>>
>>      >>> Here is the demo.json exported file =
>>      >>> https://gist.github.com/cmoulliard/c25fef751886ace8c354
>>      >>>
>>      >>>
>>      >>>> To make your life simple for demo purposes, I suggest your
>>     clients be
>>      >>>> 'Direct Grants Only' and 'Public'.
>>      >>>>
>>      >>>> I'm not entirely clear from your email whether you want to 
>> script
>>      >>>> this, or provide walk-through steps, or provide a pre-baked 
>> config
>>      >>>> (like the blog).
>>      >>>>> I would like to include instructions (= step by step
>>     instructions) +
>>      >>> screenshots and also a file (= json exported config) for end
>>     users not
>>      >>> interested to setup Keycloak
>>      >>>>
>>      >>>> Do you need to use roles and authorization? Or just simple
>>      >>>> authentication?
>>      >>>>
>>      >>>> Regards,
>>      >>>> Marc
>>      >>>>
>>      >>>>
>>      >>>>> On 01/09/2015 06:20, Charles Moulliard wrote:
>>      >>>>> This blog refers to a link where we will import a pre-defined
>>     config
>>      >>>>>
>>      >>>>> First, log into the Keycloak server. If you’re following our
>>      >>>>> walkthrough, the log-in details are identical to those
>>     mentioned earlier
>>      >>>>> (admin, admin123!). You can see that there is already an
>>     apiman realm
>>      >>>>> defined, but we’re going to create a new one, so navigate to
>>     Add Realm
>>      >>>>> (top right), and import and upload "this demonstration realm
>>     definition
>>      >>>>> -
>> http://www.apiman.io/blog/resources/2015-06-04/stottie.json"; it
>>      >>>>> provides an extremely simple setup where we have:
>>      >>>>>
>>      >>>>> What I would like to explain how we can create this "stottie"
>>     config in
>>      >>>>> Keycloak (step by step, screenshots)
>>      >>>>>
>>      >>>>>> On 01/09/15 02:19, Eric Wittmann wrote:
>>      >>>>>> +1
>>      >>>>>>
>>      >>>>>> Thanks for responding, Rafael. I had intended to link this
>>     very same
>>      >>>>>> tutorial but then it slipped my mind. :)
>>      >>>>>>
>>      >>>>>>> On 8/31/2015 5:48 PM, Rafael Soares wrote:
>>      >>>>>>> Charles,
>>      >>>>>>>
>>      >>>>>>>   Recently I followed the "/Keycloak and dagger: 
>> Securing your
>>      >>>>> services
>>      >>>>>>> with OAuth2/" tutorial [1] and it worked fine! This howto
>>     is great!
>>      >>>>>>>
>>      >>>>>>> You don't need to do anything on the Fuse/Camel side. All
>>     setup is
>>      >>>>> done
>>      >>>>>>> in the ApiMan side. ApiMan comes with a KeyCloak service
>>     embedded and
>>      >>>>>>> all you need to do is install the Apiman oauth2 keycloak
>>     plugin and
>>      >>>>>>> configure your service policy to use it. The tutorial [1]
>>      >>>>> describes each
>>      >>>>>>> step in detail.
>>      >>>>>>>
>>      >>>>>>> [1]
>>      >>>>>
>> http://www.apiman.io/blog/gateway/security/oauth2/keycloak/authentication/authorization/2015/06/09/keycloak-oauth2.html
>>      >>>>>
>>      >>>>>>>
>>      >>>>>>>
>>      >>>>>>>
>>      >>>>>>>
>>      >>>>>>> ________________________
>>      >>>>>>> Rafael Torres Coelho Soares
>>      >>>>>>>
>>      >>>>>>> On Mon, Aug 31, 2015 at 2:38 PM, Charles Moulliard
>>      >>>>>>> <cmoulliard at redhat.com <mailto:cmoulliard at redhat.com>
>>     <mailto:cmoulliard at redhat.com <mailto:cmoulliard at redhat.com>>> 
>> wrote:
>>      >>>>>>>
>>      >>>>>>>     Hi,
>>      >>>>>>>
>>      >>>>>>>     I have already asked this question but I need some 
>> help to
>>      >>>>> figure
>>      >>>>>>> out
>>      >>>>>>>     what are the steps required to setup Oauth 2 with
>>     Keycloak as
>>      >>>>> I'm
>>      >>>>>>>     preparing a demo
>>      >>>>>>> (https://github.com/FuseByExample/rest-dsl-in-action)
>>      >>>>>>>     covering the point about how to secure & govern Camel
>>     REST DSL
>>      >>>>>>> endpoints
>>      >>>>>>>     on JBoss Fuse using Apiman & Keycloak ?
>>      >>>>>>>
>>      >>>>>>>     I just need the list of the steps to perform from the
>>     Web Site.
>>      >>>>>>> Based on
>>      >>>>>>>     the input, I will take some screenshots and include the
>>      >>>>> instructions
>>      >>>>>>>     within the demo content. Such input could be reused to
>>     write
>>      >>>>> a blog
>>      >>>>>>>     article too ;-)
>>      >>>>>>>
>>      >>>>>>>     Regards,
>>      >>>>>>>
>>      >>>>>>>     Charles
>>      >>>>>>> _______________________________________________
>>      >>>>>>>     Apiman-user mailing list
>>      >>>>>>> Apiman-user at lists.jboss.org
>>     <mailto:Apiman-user at lists.jboss.org>
>>     <mailto:Apiman-user at lists.jboss.org
>>     <mailto:Apiman-user at lists.jboss.org>>
>>      >>>>>>> https://lists.jboss.org/mailman/listinfo/apiman-user
>>      >>
>>
>>
>
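The thread ends with a link to a bash script that requests a token from Keycloak's direct-grant endpoint, pulls the access_token out of the JSON response and calls the service with it. The script below is an added example written for this page, not the gist linked above or anything shipped by apiman or Keycloak. It reuses the realm, user and client_id from Marc's curl command (`demo`, endpoint `/auth/realms/demo/protocol/openid-connect/token`), reads the password from the `KC_PASSWORD` environment variable rather than a command-line argument so it does not land in shell history or `ps` output, and uses a hypothetical `SERVICE_URL` that you must replace with your gateway endpoint. The token extraction uses only `sed`, so it runs where `jq` is not installed, and the script fails loudly when Keycloak returns an error body such as the `not_enabled` response quoted earlier instead of a token.

```shell
#!/bin/sh
# Added example: obtain an access token via Keycloak's direct grant
# (resource owner password credentials) and call a protected service.
set -eu

# Assumed values taken from the demo realm discussed in the thread.
KEYCLOAK_URL="${KEYCLOAK_URL:-http://127.0.0.1:8080}"
REALM="${REALM:-demo}"
CLIENT_ID="${CLIENT_ID:-demo}"
# Hypothetical service endpoint; replace with your apiman gateway URL.
SERVICE_URL="${SERVICE_URL:-http://localhost:8080/apiman-gateway/demo/echo/1.0}"

# Extract the value of "access_token" from a JSON token response.
# Prints nothing when the key is absent (e.g. an error response).
extract_access_token() {
  printf '%s' "$1" \
    | sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Extract the value of "error" from a JSON error response, if any.
extract_error() {
  printf '%s' "$1" \
    | sed -n 's/.*"error"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# POST the password grant to the token endpoint. The password comes from
# the KC_PASSWORD environment variable; --data-urlencode keeps special
# characters in user names and passwords intact.
request_token() {
  user="$1"
  curl -sS -X POST "$KEYCLOAK_URL/auth/realms/$REALM/protocol/openid-connect/token" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    --data-urlencode "username=$user" \
    --data-urlencode "password=$KC_PASSWORD" \
    -d 'grant_type=password' \
    -d "client_id=$CLIENT_ID"
}

# Call the service with the token as a Bearer credential.
call_service() {
  token="$1"
  curl -sS "$SERVICE_URL" -H "Authorization: Bearer $token"
}

main() {
  : "${KC_PASSWORD:?set KC_PASSWORD in the environment}"
  response="$(request_token "$1")"
  token="$(extract_access_token "$response")"
  if [ -z "$token" ]; then
    echo "token request failed: $(extract_error "$response")" >&2
    echo "$response" >&2
    exit 1
  fi
  call_service "$token"
}

# Usage: KC_PASSWORD=... ./get_token.sh demo
# Only runs when a user name is given, so the functions can be sourced.
if [ "$#" -gt 0 ]; then
  main "$1"
fi
```

Keycloak's brute-force protection can temporarily disable an account after repeated failed logins, which is the "account temporarily disabled" message seen earlier in the thread; a script that retries in a loop on failure will trip it, so the script above exits on the first error instead of retrying.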