[Apiman-user] Integration with separate Keycloak server?

Guy Davis guydavis.ca at gmail.com
Sat Jan 2 10:32:13 EST 2016


Hi Marc,

Yes!  Thanks for the workaround.  After your report, I went back and
imported the default 'apiman' realm
<https://raw.githubusercontent.com/apiman/apiman/master/distro/data/src/main/resources/data/apiman-realm.json>
into my Keycloak 1.7 server.  In this case, I was able to login to
/apimanui with no 403 error. Since my production deployment will involve
multiple apps, I had set up APIMan to be secured in our single realm, all
under a single KC Client named 'apiman' with client roles of 'apiuser,
apipublisher, and apiadmin'.  After much trial and error I discovered the
difference in my multi-app setup and the APIMan example realm was the level
of the roles.  In particular, if the apiman roles are declared on the
apiman client itself, then role mapping them to users won't allow login.
However, if the apiman roles are realm-wide roles, then a role mapping
seems to work and users can login.

It's unfortunate that a single application like APIMan should require its
own realm-wide roles for security, not KC-client level roles.  None of the
other apps that I have secured with Keycloak seem to require more than
KC-client level roles.  So I consider this a defect in Keycloak, likely due
to the use of the old Keycloak adapter in the APIMan 1.1.9 bundle.  I look
forward to an upcoming release of APIMan with updated Keycloak integration.

Best regards,
Guy
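To make the realm-role versus client-role difference concrete, here is an added Python illustration (not code from apiman or Keycloak, and not part of this thread): it models how a Keycloak adapter derives a user's roles from the access token under its documented `use-resource-role-mappings` option (default false, meaning realm-level roles are read), and shows why a user holding only client-level 'apiman' roles ends up with no usable role. The token payloads are constructed samples; whether the apiman 1.1.9 bundle's adapter configuration sets that option is not established by the thread.

```python
import base64
import json

# Constructed access-token claim sets (no real signature, not captured from
# the thread's deployment). Keycloak puts realm roles under realm_access and
# client roles under resource_access[<clientId>].
CLIENT_ROLE_ONLY_CLAIMS = {
    "preferred_username": "guy",
    "realm_access": {"roles": ["offline_access"]},
    "resource_access": {"apiman": {"roles": ["apiuser", "apipublisher"]}},
}
REALM_ROLE_CLAIMS = {
    "preferred_username": "guy",
    "realm_access": {"roles": ["apiuser", "apipublisher"]},
    "resource_access": {},
}

# Roles the apiman UI/manager expects (named in the thread).
APIMAN_ROLES = {"apiuser", "apipublisher", "apiadmin"}


def adapter_roles(claims, client_id, use_resource_role_mappings=False):
    """Roles a Keycloak adapter derives from the token, following the
    documented semantics of use-resource-role-mappings: False reads
    realm_access.roles, True reads resource_access[client_id].roles."""
    if use_resource_role_mappings:
        client = claims.get("resource_access", {}).get(client_id, {})
        return set(client.get("roles", []))
    return set(claims.get("realm_access", {}).get("roles", []))


def apiman_access_decision(claims, client_id="apiman", use_resource_role_mappings=False):
    """Container-style role check: no apiman role in the derived set -> 403."""
    granted = adapter_roles(claims, client_id, use_resource_role_mappings) & APIMAN_ROLES
    return "allow" if granted else "403"


def claims_from_jwt(token):
    """Decode a JWT's payload segment for inspection only. The signature is
    NOT verified here; use this to see where a role landed, not to trust it."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed token with a placeholder signature so the decoder runs offline.
SAMPLE_TOKEN = ".".join([_b64url(b'{"alg":"RS256","typ":"JWT"}'),
                         _b64url(json.dumps(CLIENT_ROLE_ONLY_CLAIMS).encode()),
                         "signature-placeholder"])
```

Decoding a real token from a failing login with claims_from_jwt and then running apiman_access_decision on it shows in one step whether the 403 comes from roles sitting under resource_access rather than realm_access.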

On Thu, Dec 31, 2015 at 4:19 AM, Marc Savy <msavy at redhat.com> wrote:

> Hi,
>
> I actually tried this about a week or fortnight ago (see the thread with
> pblair), and I got it working pretty easily.
>
> The only thing I had to change was in the Keycloak console, where I
> enabled 'Direct API Grants' on the apiman gateway api clients (or similar
> wording, I'm on mobile), and everything worked fine despite adaptor version
> mismatches.
>
> Regards,
> Marc
>
> ----- Original Message -----
> From: Guy Davis <guydavis.ca at gmail.com>
> To: Eric Wittmann <eric.wittmann at redhat.com>
> Cc: apiman-user at lists.jboss.org
> Sent: Thu, 31 Dec 2015 01:00:23 -0500 (EST)
> Subject: Re: [Apiman-user] Integration with separate Keycloak server?
>
> Hi Eric,
>
> Thanks for the quick response.  I tried this using a separate Keycloak
> 1.7.0 server and am encountering errors that, after debugging thru the
> Keycloak OAuth flow, seem linked to the use of the earlier version of the
> Keycloak adapter which is bundled with APIMan 1.1.9.  Do you have a
> planned release date for a Keycloak 1.7.0 compatible version of APIMan?
> Continued successful integration between these two projects is a big
> benefit.
>
> If I try to use APIMan 1.1.9 with the Keycloak 1.7.0 adapter for Wildfly, I
> encounter a problem in
> io.apiman.manager.ui.server.wildfly8.KeyCloakBearerTokenGenerator where the
> use of:
>
>     org.keycloak.util.Time.getTime()
>
> errors out at runtime with ClassNotFoundException as this class was dropped
> from the Keycloak 1.7.0 API.
>
> Thanks again.
> Guy
>
> On Thu, Dec 17, 2015 at 3:35 PM, Eric Wittmann <eric.wittmann at redhat.com>
> wrote:
>
> > This is absolutely possible.  Have a look through the production guide
> > and see if it helps:
> >
> > http://www.apiman.io/latest/production-guide.html
> >
> > If you continue to have issues let us know so that we can update the
> > guide.  We already have at least one update to make:
> >
> > https://issues.jboss.org/browse/APIMAN-842
> >
> > -Eric
> >
> > On 12/17/2015 3:48 PM, Guy Davis wrote:
> >
> >> Good day,
> >>
> >> I currently have a test instance of Wildfly 9 running both Keycloak 1.5
> >> and Apiman 1.1.8.  I'm using Keycloak 1.5 as Apiman makes a Keycloak
> >> getTime() call somewhere that was removed in Keycloak 1.6's adapters.
> >>
> >> So I'm seeing that trying to put Keycloak and Apiman in the same Wildfly
> >> container is probably not a good plan going forward due to
> >> incompatibilities as each project progresses.
> >>
> >> Today, I noticed that Hawkular announced
> >> <http://www.hawkular.org/blog/2015/12/16/hawkular-1.0.0.Alpha8-released.html>
> >> that they now allow startup of their container with a property pointing
> >> to a remote Keycloak server.
> >>
> >> Is this possible with Apiman today?  If not, is it on the roadmap?  I'd
> >> like to upgrade to Keycloak 1.7
> >> <http://blog.keycloak.org/2015/12/keycloak-170final-released.html>
> >> following this approach with Keycloak, Apiman, and Hawkular all in their
> >> own containers.
> >>
> >> By the way, I'm really stoked to see the excellent integration and
> >> progress being made by all these projects!  Keep up the good work.
> >>
> >> Thanks,
> >> Guy
> >>
> >>