[Apiman-user] external Keycloak server

Eric Wittmann eric.wittmann at redhat.com
Fri Jan 29 08:35:20 EST 2016


Excellent, thanks very much.

On 1/29/2016 8:31 AM, enrico wrote:
> Hi, no problem at all...
> It is only for a local test environment.
>
> The Apiman and the Keycloak instances are separated but in the same
> host "apigateway".
> Apiman runs on port 8080, Keycloak on 32000.
>
> Hope this helps.
>
> Enrico
>
>
> On Fri, Jan 29, 2016 at 2:16 PM, Eric Wittmann <eric.wittmann at redhat.com> wrote:
>> Any chance you can share your full realm file?  Perhaps with any secrets
>> redacted.  :)
>>
>> -Eric
>>
>>
>> On 1/29/2016 4:11 AM, enrico wrote:
>>>
>>> Hi Guy,
>>> thank you very much, it works!
>>>
>>> For anyone with the same problem, this is my realm.json client definition:
>>>
>>>       "applications" : [
>>>           {
>>>               "name" : "apiman",
>>>               "enabled" : true,
>>>               "directGrantsOnly" : true,
>>>               "standardFlowEnabled": true,
>>>               "baseUrl" : "http://apigateway:8080/",
>>>               "redirectUris" : [
>>>                   "http://apigateway:8080/apimanui/*",
>>>                   "http://apigateway:8080/apiman-gateway-api/*",
>>>                   "http://apigateway:8080/apiman-es/*",
>>>                   "http://apigateway:8080/apiman/*"
>>>               ],
>>>               "secret" : "password"
>>>           }
>>>       ]
>>>
>>> Thanks a lot again.
>>>
>>> Cheers,
>>> Enrico
>>>
>>> On Thu, Jan 28, 2016 at 10:02 PM, Guy Davis <guydavis.ca at gmail.com> wrote:
>>>>
>>>> Hi Enrico,
>>>>
>>>> I just made the move to Apiman 1.2.1 (running on port 8081) and Keycloak
>>>> 1.7.0 (running on port 8080), both behind an HAProxy instance.  I've
>>>> attached the section of my standalone-apiman.xml that worked for me.
>>>>
>>>> Note, I'm not using the default 'apiman' realm as I am securing a number of
>>>> other web apps with Keycloak.  So I have 'MyRealm' with Keycloak client of
>>>> 'apiman', which is set for:
>>>>
>>>> Client-protocol: openid-connect
>>>> Access Type: confidential
>>>> Direct Access Grants Enabled: ON
>>>> Valid redirect URIs:
>>>>
>>>> /apimanui/*
>>>> /apiman-gateway-api/*
>>>> /apiman-es/*
>>>> /apiman/*
>>>>
>>>> In that KC client, I have 3 realm roles for this:
>>>>
>>>> apipublisher
>>>> apiadmin
>>>> apiuser
>>>>
>>>> I had tried to keep these roles to just the KC client 'apiman', but it
>>>> wouldn't allow me to login to /apimanui unless the roles were realm-wide.
>>>> I'm going to try client-specific roles again now that apiman is 1.2.1.  I'm
>>>> using Postgres and ElasticSearch for storage, on other VMs.
>>>>
>>>> This was enough to let me login and view /apimanui when I had those roles
>>>> for my Keycloak user.
>>>>
>>>> Hope this helps,
>>>> Guy
>>>>
>>>> On Thu, Jan 28, 2016 at 1:08 AM, enrico <lists at comiti.name> wrote:
>>>>>
>>>>>
>>>>> Hi all,
>>>>> thanks for the responses.
>>>>>
>>>>> @Marc: yes, I know that is a release candidate but it looks like the
>>>>> final version is near and, being on a new project, I wanted to start with
>>>>> the very last versions :)
>>>>>
>>>>> Apart from this, I have tried with 1.7.0.Final too, but I have the
>>>>> same problem:
>>>>>
>>>>> User gets a "Forbidden" page and Keycloak server logs say:
>>>>>
>>>>> WARN  [org.keycloak.events]:
>>>>> type=CODE_TO_TOKEN_ERROR,
>>>>> realmId=352d562a-f3e5-4b7a-99ad-4331cdfdf085, clientId=apimanui,
>>>>> userId=null, ipAddress=127.0.0.1, error=invalid_client_credentials,
>>>>> grant_type=authorization_code
>>>>>
>>>>> Thanks a lot for the help, best regards,
>>>>> Enrico
>>>>>
>>>>>
>>>>> On Wed, Jan 27, 2016 at 5:49 PM, Marc Savy <marc.savy at redhat.com> wrote:
>>>>>>
>>>>>> Hi Enrico,
>>>>>>
>>>>>> We haven't tested with Keycloak 1.8, as this is only a candidate release
>>>>>> at the moment (CR == RC).
>>>>>>
>>>>>> I can give it a try, though, and will report back.
>>>>>>
>>>>>> Regards,
>>>>>> Marc
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Enrico Comiti
>>>>> _______________________________________________
>>>>> Apiman-user mailing list
>>>>> Apiman-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/apiman-user


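The thread asks for a realm file to be shared "with any secrets redacted". The following is an added example, not code from the thread or from the apiman or Keycloak projects: it masks sensitive keys in a realm JSON export and then reports any field that still contains a masked value. Only the `secret` key comes from the thread; the other key names and the `smtpServer` and `description` sample fields are assumptions.

```python
import json

# "secret" is the key shown in the thread; "password" and "privatekey" are
# assumed names for other sensitive fields. Adjust the set to your export.
SENSITIVE_KEYS = {"secret", "password", "privatekey"}
PLACEHOLDER = "REDACTED"

def redact_realm(realm):
    """Return (sanitised copy, masked JSON paths, paths still leaking a secret)."""
    secrets, masked, leaks = set(), [], []
    def mask(node, path):
        if isinstance(node, dict):
            out = {}
            for key, value in node.items():
                child = f"{path}.{key}"
                if key.lower() in SENSITIVE_KEYS and isinstance(value, str) and value:
                    secrets.add(value)       # remembered only for the leak scan
                    masked.append(child)
                    out[key] = PLACEHOLDER
                else:
                    out[key] = mask(value, child)
            return out
        if isinstance(node, list):
            return [mask(v, f"{path}[{i}]") for i, v in enumerate(node)]
        return node

    def scan(node, path):
        # A secret copied into another field survives key-based masking.
        if isinstance(node, dict):
            for key, value in node.items():
                scan(value, f"{path}.{key}")
        elif isinstance(node, list):
            for i, value in enumerate(node):
                scan(value, f"{path}[{i}]")
        elif isinstance(node, str) and any(s in node for s in secrets):
            leaks.append(path)

    clean = mask(realm, "$")
    scan(clean, "$")
    return clean, masked, leaks

# Constructed sample: client block mirrors the thread; smtpServer/description are made up.
SAMPLE = json.loads("""{"realm": "apiman",
  "smtpServer": {"host": "localhost", "password": "constructed-smtp-pw"},
  "applications": [{"name": "apiman", "description": "test client, secret is password",
    "redirectUris": ["http://apigateway:8080/apimanui/*"], "secret": "password"}]}""")

if __name__ == "__main__":
    print(json.dumps(redact_realm(SAMPLE), indent=2))
```

Any path in the third return value needs manual review before the file is posted, since the masked copy still carries a secret there.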