[Apiman-user] Should the apiman-gateway-api client have direct access grants enabled?

Marc Savy marc.savy at redhat.com
Thu Jan 7 06:58:10 EST 2016


I've updated the realm definition. As previously indicated, it seems to
work fine with the version of KC that ships with our quickstart set-ups,
in addition to 'fixing' newer ones.

Paul: if you could try it out that'd be great. It's a tiny change, but
it's one of those areas that could have more impact than initially
anticipated :-).

Check out the PR here - https://github.com/apiman/apiman/pull/318

On 06/01/2016 09:52, Marc Savy wrote:
> I presume you're still using the newer version of Keycloak than our
> quickstarts ship with? If you recall, I mentioned you needed to enable
> direct grants for the apiman-gateway-api client on newer KCs.
>
> We're going to be moving to a newer version of Keycloak fairly soon, but
> perhaps we can document that quirk in the meanwhile. However, I think we
> could add the direct grants to our sample realm definition, and it
> shouldn't break. I'll test it out now.
>
> On 05/01/2016 22:53, Paul Blair wrote:
>> Today I've been having a lot of trouble creating a gateway. When I put
>> in the gateway name, description, configuration endpoint and
>> configuration endpoint credentials, I kept getting "Authentication to
>> the gateway failed. Perhaps check that your credentials are correct."  I
>> was able to log in to Keycloak using the apimanager credentials, so I
>> know they are correct.
>>
>> In the Keycloak log I see:
>>
>>      WARN  [org.keycloak.events] type=LOGIN_ERROR, realmId=apiman,
>>      clientId=apiman-gateway-api, *userId=null*, ipAddress=[x.x.x.x],
>>      error=not_allowed, grant_type=password,
>>      auth_method=oauth_credentials, client_auth_method=client-secret
>>
>>
>> I couldn't figure out why the userId should be null. The apimanager user
>> has the apipublisher role, the apiman-gateway-api client has the proper
>> valid redirect URI and uses the openid-connect protocol with a
>> confidential access type, and the application configurations are using
>> the correct client secret.
>>
>> I was finally able to fix the issue by enabling direct access grants on
>> the apiman-gateway-api client.  Should this be part of the default
>> configuration for apiman-gateway-api in the apiman-realm.json file, or
>> is there something I'm missing?
>>
>>
>>
>> _______________________________________________
>> Apiman-user mailing list
>> Apiman-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/apiman-user
>>
>
>
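
Added example (not part of the original thread, and not apiman or Keycloak code): a small Python check that finds password-grant refusals like the LOGIN_ERROR event quoted above and looks up the client's direct access grants setting in a realm export. The log lines and realm fragment are constructed samples, and the directAccessGrantsEnabled field name is an assumption about the Keycloak version in use.

```python
import json
import re

# Constructed sample events, modelled on the log line quoted in the thread.
SAMPLE_LOG = """\
WARN  [org.keycloak.events] type=LOGIN_ERROR, realmId=apiman, clientId=apiman-gateway-api, userId=null, ipAddress=192.0.2.10, error=not_allowed, grant_type=password, auth_method=oauth_credentials, client_auth_method=client-secret
WARN  [org.keycloak.events] type=LOGIN_ERROR, realmId=apiman, clientId=apimanui, userId=null, ipAddress=192.0.2.11, error=invalid_user_credentials, auth_method=openid-connect
"""

# Constructed realm export fragment. The directAccessGrantsEnabled field name
# is an assumption about the Keycloak version in use; it is not on the page.
SAMPLE_REALM = json.dumps({"realm": "apiman", "clients": [
    {"clientId": "apiman-gateway-api", "directAccessGrantsEnabled": False},
    {"clientId": "apimanui", "directAccessGrantsEnabled": True},
]})

def parse_event(line):
    """Return the key=value fields of a Keycloak event line, or None."""
    marker = "[org.keycloak.events]"
    if marker not in line:
        return None
    body = line.split(marker, 1)[1]
    # Strip the '*' emphasis marks that e-mail clients leave around a field.
    return {k: v.strip("*") for k, v in re.findall(r"(\w+)=([^,\s]+)", body)}

def denied_password_grants(log_text):
    """(realm, client) pairs whose password grant was refused as not_allowed."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if (ev and ev.get("type") == "LOGIN_ERROR"
                and ev.get("error") == "not_allowed"
                and ev.get("grant_type") == "password"):
            pair = (ev.get("realmId"), ev.get("clientId"))
            if pair not in hits:
                hits.append(pair)
    return hits

def diagnose(log_text, realm_json):
    """Map each refused client to its direct-grant setting in the realm export."""
    realm = json.loads(realm_json)
    flags = {c["clientId"]: c.get("directAccessGrantsEnabled")
             for c in realm.get("clients", [])}
    report = {}
    for realm_id, client in denied_password_grants(log_text):
        if realm_id == realm.get("realm"):
            state = flags.get(client)
            report[client] = {True: "enabled", False: "disabled"}.get(state, "not set in export")
    return report
```

A result of "disabled" for a client matches the situation described in the thread; "enabled" means the refusal has some other cause.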


