[Apiman-user] Should the apiman-gateway-api client have direct access grants enabled?

Paul Blair pblair at clearme.com
Thu Jan 7 10:38:19 EST 2016


Thanks for that -- for various reasons I need to wait until Monday to try
it, but after I posted this I had made the change in our realm file and it
worked.

Sorry if I had asked the same question twice. I had looked at the docs but
forgotten that it had come up on the list.


On 1/7/16, 6:58 AM, "Marc Savy" <marc.savy at redhat.com> wrote:

>I've updated the realm definition. As previously indicated, it seems to
>work fine with the version of KC that ships with our quickstart set-ups,
>in addition to 'fixing' newer ones.
>
>Paul: if you could try it out that'd be great. It's a tiny change, but
>it's one of those areas that could have more impact than initially
>anticipated :-).
>
>Check out the PR here - https://github.com/apiman/apiman/pull/318
>
>On 06/01/2016 09:52, Marc Savy wrote:
>> I presume you're still using the newer version of Keycloak than our
>> quickstarts ship with? If you recall, I mentioned you needed to enable
>> direct grants for the apiman-gateway-api client on newer KCs.
>>
>> We're going to be moving to a newer version of Keycloak fairly soon, but
>> perhaps we can document that quirk in the meanwhile. However, I think we
>> could add the direct grants to our sample realm definition, and it
>> shouldn't break. I'll test it out now.
>>
>> On 05/01/2016 22:53, Paul Blair wrote:
>>> Today I've been having a lot of trouble creating a gateway. When I put
>>> in the gateway name, description, configuration endpoint and
>>> configuration endpoint credentials, I kept getting "Authentication to
>>> the gateway failed. Perhaps check that your credentials are correct." I
>>> was able to log in to Keycloak using the apimanager credentials, so I
>>> know they are correct.
>>>
>>> In the Keycloak log I see:
>>>
>>>      WARN  [org.keycloak.events] type=LOGIN_ERROR, realmId=apiman,
>>>      clientId=apiman-gateway-api, *userId=null*, ipAddress=[x.x.x.x],
>>>      error=not_allowed, grant_type=password,
>>>      auth_method=oauth_credentials, client_auth_method=client-secret
>>>
>>>
>>> I couldn't figure out why the userId should be null. The apimanager user
>>> has the apipublisher role, the apiman-gateway-api client has the proper
>>> valid redirect URI and uses the openid-connect protocol with a
>>> confidential access type, and the application configurations are using
>>> the correct client secret.
>>>
>>> I was finally able to fix the issue by enabling direct access grants on
>>> the apiman-gateway-api client.  Should this be part of the default
>>> configuration for apiman-gateway-api in the apiman-realm.json file, or
>>> is there something I'm missing?
>>>
>>>
>>>
>>> _______________________________________________
>>> Apiman-user mailing list
>>> Apiman-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/apiman-user
>>>
>>
>
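
A triage sketch for the log pattern reported in this thread, as an added example (not code from apiman or Keycloak): it counts LOGIN_ERROR events where a password grant was refused with error=not_allowed, per realm and client. The log lines are constructed in the shape of the quoted event, and the function names and the "example-client" id are hypothetical.

```python
import re

# Constructed sample lines, shaped like the Keycloak event quoted in the thread.
SAMPLE_LOG = """\
WARN  [org.keycloak.events] type=LOGIN_ERROR, realmId=apiman, clientId=apiman-gateway-api, userId=null, ipAddress=192.0.2.10, error=not_allowed, grant_type=password, auth_method=oauth_credentials, client_auth_method=client-secret
WARN  [org.keycloak.events] type=LOGIN_ERROR, realmId=apiman, clientId=apiman-gateway-api, userId=null, ipAddress=192.0.2.10, error=not_allowed, grant_type=password, auth_method=oauth_credentials, client_auth_method=client-secret
WARN  [org.keycloak.events] type=LOGIN_ERROR, realmId=apiman, clientId=example-client, userId=null, ipAddress=192.0.2.44, error=invalid_user_credentials, auth_method=openid-connect, username=admin
INFO  [org.keycloak.services] unrelated line without an event payload
"""

EVENT_RE = re.compile(r"\[org\.keycloak\.events\]\s+(.*)")
PAIR_RE = re.compile(r"(\w+)=([^,]*)")


def parse_event(line):
    """Return the key=value fields of a Keycloak event line, or None for other lines."""
    match = EVENT_RE.search(line)
    if match is None:
        return None
    return {key: value.strip() for key, value in PAIR_RE.findall(match.group(1))}


def rejected_password_grants(log_text):
    """Count password grants refused with error=not_allowed, per (realm, client)."""
    counts = {}
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        if (event.get("type"), event.get("error"), event.get("grant_type")) == (
            "LOGIN_ERROR", "not_allowed", "password"
        ):
            key = (event.get("realmId"), event.get("clientId"))
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for (realm, client), n in rejected_password_grants(SAMPLE_LOG).items():
        # Remediation as reported in this thread: enable direct access grants on the client.
        print(f"{n} rejected password grant(s): realm={realm} client={client}; "
              "check whether direct access grants are enabled for this client")
```

The userId=null field is kept as a plain string by the parser, so the same function can be extended to group by any other field of the event.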



