[Apiman-user] external Keycloak server

Guy Davis guydavis.ca at gmail.com
Thu Jan 28 16:02:57 EST 2016


Hi Enrico,

I just made the move to Apiman 1.2.1 (running on port 8081) and Keycloak
1.7.0 (running on port 8080), both behind an HAProxy instance.  I've
attached the section of my standalone-apiman.xml that worked for me.

Note, I'm *not* using the default 'apiman' realm as I am securing a number
of other web apps with Keycloak.  So I have 'MyRealm' with Keycloak client
of 'apiman', which is set for:

   - Client-protocol: openid-connect
   - Access Type: confidential
   - Direct Access Grants Enabled: ON
   - Valid redirect URIs:
      - /apimanui/*
      - /apiman-gateway-api/*
      - /apiman-es/*
      - /apiman/*

In that KC client, I have 3 realm roles for this:

   - apipublisher
   - apiadmin
   - apiuser

I had tried to keep these roles to just the KC client 'apiman', but it
wouldn't allow me to log in to /apimanui unless the roles were realm-wide.
I'm going to try client-specific roles again now that apiman is 1.2.1.  I'm
using Postgres and ElasticSearch for storage, on other VMs.

This was enough to let me log in and view /apimanui when I had those roles
for my Keycloak user.

Hope this helps,
Guy

On Thu, Jan 28, 2016 at 1:08 AM, enrico <lists at comiti.name> wrote:

> Hi all,
> thanks for the responses.
>
> @Mark: yes, I know that is a release candidate but it looks like the
> final version is near and, being on a new project, I wanted to start with
> the very last versions :)
>
> Apart from this, I have tried with 1.7.0.Final too, but I have the
> same problem:
>
> User gets a "Forbidden" page and Keycloak server logs say:
>
> WARN  [org.keycloak.events]:
> type=CODE_TO_TOKEN_ERROR,
> realmId=352d562a-f3e5-4b7a-99ad-4331cdfdf085, clientId=apimanui,
> userId=null, ipAddress=127.0.0.1, error=invalid_client_credentials,
> grant_type=authorization_code
>
> Thanks a lot for the help, best regards,
> Enrico
>
>
> On Wed, Jan 27, 2016 at 5:49 PM, Marc Savy <marc.savy at redhat.com> wrote:
> > Hi Enrico,
> >
> > We haven't tested with Keycloak 1.8, as this is only a candidate release
> > at the moment (CR == RC).
> >
> > I can give it a try, though and will report back.
> >
> > Regards,
> > Marc
> >
>
>
>
> --
> Enrico Comiti
-------------- next part --------------
A non-text attachment was scrubbed...
Name: standalone-apiman-keycloak.xml
Type: text/xml
Size: 2342 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/apiman-user/attachments/20160128/59ca5c82/attachment.xml 
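
Added example, not part of the original thread or of the Apiman/Keycloak projects: a small Python parser for Keycloak event log lines in the shape Enrico quoted, counting CODE_TO_TOKEN_ERROR events with error=invalid_client_credentials per client id and source address. The sample log is constructed (realm id, second client and addresses are made up), and the function names are this example's own.

```python
import re
from collections import Counter

# One event = the marker line plus any wrapped continuation lines,
# up to the next line that starts with a log level and a "[category]".
EVENT_RE = re.compile(r"\[org\.keycloak\.events\][^\n]*(?:\n(?![A-Z]+\s+\[)[^\n]*)*")
KV_RE = re.compile(r"(\w+)=([^,\s]+)")

# Constructed sample: first event is wrapped the way it appears in the mail.
SAMPLE_LOG = """\
WARN  [org.keycloak.events]:
type=CODE_TO_TOKEN_ERROR,
realmId=realm-0001, clientId=apimanui,
userId=null, ipAddress=127.0.0.1, error=invalid_client_credentials,
grant_type=authorization_code
WARN  [org.keycloak.events] type=LOGIN_ERROR, realmId=realm-0001, clientId=apiman, userId=null, ipAddress=10.0.0.9, error=invalid_user_credentials
INFO  [org.jboss.as] (constructed) unrelated server line
WARN  [org.keycloak.events] type=CODE_TO_TOKEN_ERROR, realmId=realm-0001, clientId=apimanui, userId=null, ipAddress=127.0.0.1, error=invalid_client_credentials, grant_type=authorization_code
"""


def parse_events(log_text):
    """Return one dict of key=value fields per Keycloak event in the log."""
    events = []
    for match in EVENT_RE.finditer(log_text):
        fields = dict(KV_RE.findall(match.group(0)))
        if "type" in fields:
            events.append(fields)
    return events


def failed_code_exchanges(events):
    """Count code-to-token failures on client credentials per (clientId, ipAddress)."""
    return Counter(
        (e.get("clientId"), e.get("ipAddress"))
        for e in events
        if e["type"] == "CODE_TO_TOKEN_ERROR"
        and e.get("error") == "invalid_client_credentials"
    )


if __name__ == "__main__":
    for (client, ip), n in failed_code_exchanges(parse_events(SAMPLE_LOG)).items():
        print(f"{n} failed code-to-token exchange(s): clientId={client} from {ip}")
```

The clientId in the output is the client the adapter presented to Keycloak, which is the value to compare against the client configured in the realm.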