[Apiman-user] Should the apiman-gateway-api client have direct access grants enabled?

[Marc Savy]

I presume you're still using the newer version of Keycloak than our
quickstarts ship with? If you recall, I mentioned you needed to enable
direct grants for the apiman-gateway-api client on newer KCs.

We're going to be moving to a newer version of Keycloak fairly soon, but
perhaps we can document that quirk in the meanwhile. However, I think we
could add the direct grants to our sample realm definition, and it
shouldn't break. I'll test it out now.

On 05/01/2016 22:53, Paul Blair wrote:
> Today I've been having a lot of trouble creating a gateway. When I put
> in the gateway name, description, configuration endpoint and
> configuration endpoint credentials, I kept getting "Authentication to
> the gateway failed. Perhaps check that your credentials are correct."  I
> was able to log in to Keycloak using the apimanager credentials, so I
> know they are correct.
>
> In the Keycloak log I see:
>
>     WARN  [org.keycloak.events] type=LOGIN_ERROR, realmId=apiman,
>     clientId=apiman-gateway-api, *userId=null*, ipAddress=[x.x.x.x],
>     error=not_allowed, grant_type=password,
>     auth_method=oauth_credentials, client_auth_method=client-secret
>
>
> I couldn't figure out why the userId should be null. The apimanager user
> has the apipublisher role, the apiman-gateway-api client has the proper
> valid redirect URI and uses the openid-connect protocol with a
> confidential access type, and the application configurations are using
> the correct client secret.
>
> I was finally able to fix the issue by enabling direct access grants on
> the apiman-gateway-api client.  Should this be part of the default
> configuration for apiman-gateway-api in the apiman-realm.json, file, or
> is there something I'm misssing?
>
>
>
> _______________________________________________
> Apiman-user mailing list
> Apiman-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/apiman-user
>