<div dir="ltr"><span style="color:rgb(0,0,0);font-size:12.8000001907349px">Hi!</span><div style="color:rgb(0,0,0);font-size:12.8000001907349px"><br></div><div style="color:rgb(0,0,0);font-size:12.8000001907349px">One nice thing you could add to your post is the use of Postman REST Client App [1] (Chrome addon).</div><div style="color:rgb(0,0,0);font-size:12.8000001907349px">Postman offers a way to get an OAuth2 access_token (JWT) and add it to your request. All visually, without having to get the access_token using 'curl' or 'httpie' (CLI utilities).</div><div style="color:rgb(0,0,0);font-size:12.8000001907349px"><br></div><div style="color:rgb(0,0,0);font-size:12.8000001907349px">See Postman Helpers [2]. I used it for my demos when working with REST endpoints. I managed to get it working with the APIMan/Keycloak oauth2.</div><div style="color:rgb(0,0,0);font-size:12.8000001907349px"><br></div><div style="color:rgb(0,0,0);font-size:12.8000001907349px">[1] <a href="https://www.getpostman.com/" target="_blank">https://www.getpostman.com/</a></div><div style="color:rgb(0,0,0);font-size:12.8000001907349px">[2] <a href="https://www.getpostman.com/docs/helpers">https://www.getpostman.com/docs/helpers</a></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature">________________________<br>Rafael Torres Coelho Soares<br></div></div>
<br><div class="gmail_quote">On Tue, Sep 1, 2015 at 12:41 PM, Charles Moulliard <span dir="ltr"><<a href="mailto:cmoullia@redhat.com" target="_blank">cmoullia@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Fixed after changing user parameter. I'm able to get an access token<br>
<br>
So I will be able to take some screenshots now & elaborate the instructions as an add-on to the excellent apiman & keycloak blog article ;-)<br>
<br>
<div class="HOEnZb"><div class="h5"><br>
> On 1 sept. 2015, at 17:36, Charles Moulliard <<a href="mailto:cmoullia@redhat.com">cmoullia@redhat.com</a>> wrote:<br>
><br>
> Works better now. I have also reset the password to demo and I get an account temporarily disabled<br>
><br>
>> On 1 sept. 2015, at 17:22, Marc Savy <<a href="mailto:marc.savy@redhat.com">marc.savy@redhat.com</a>> wrote:<br>
>><br>
>> <a href="http://localhost:8080/auth/admin/master/console/#/realms/demo/login-settings" rel="noreferrer" target="_blank">http://localhost:8080/auth/admin/master/console/#/realms/demo/login-settings</a> -> 'Direct Grant API' -> ON<br>
>><br>
>> Now, curl -X POST <a href="http://127.0.0.1:8080/auth/realms/demo/protocol/openid-connect/token" rel="noreferrer" target="_blank">http://127.0.0.1:8080/auth/realms/demo/protocol/openid-connect/token</a> -H "Content-Type: application/x-www-form-urlencoded" -d "username=demo" -d 'password=demo' -d 'grant_type=password' -d 'client_id=demo'<br>
>><br>
>> Works fine!<br>
>><br>
>> As a side-note: I would also point your readers towards the Keycloak docs, as this may not be an optimal setup for their real-world requirements (e.g. they may want redirected login-screens, user registration, SAML, etc, etc).<br>
>><br>
>>> On 01/09/2015 15:54, Charles Moulliard wrote:<br>
>>><br>
>>> On 01/09/15 11:57, Marc Savy wrote:<br>
>>>> I would suggest you refer to the Keycloak documentation, as there are<br>
>>>> several ways to skin this particular cat. For instance, how you decide<br>
>>>> to set up your Keycloak configuration is highly dependent upon your<br>
>>>> specific requirements; whether you want token grants to be via the<br>
>>>> API-only, or an HTTP redirect based approach (see:<br>
>>>> <a href="https://keycloak.github.io/docs/userguide/html/access-types.html" rel="noreferrer" target="_blank">https://keycloak.github.io/docs/userguide/html/access-types.html</a>); how<br>
>>>> you wish to divide up your application; the level of security you<br>
>>>> desire; any identity provision sources...<br>
>>>><br>
>>>> At any rate, once you have Keycloak going, you would log in and click<br>
>>>> on 'create realm' (in my blog demo, that would be<br>
>>>> <a href="http://localhost:8080/auth/admin/master/console/#/create/realm" rel="noreferrer" target="_blank">http://localhost:8080/auth/admin/master/console/#/create/realm</a>) -<br>
>>>> then, add your client, roles, users, etc.<br>
>>>><br>
>>>>> I have created a very basic use case :<br>
>>> - realm = demo,<br>
>>> - a user = demo and<br>
>>> - a client = demo where Direct Grants Only = ON and Access Type = Public<br>
>>><br>
>>> but when I issue a request to get the Access Token,<br>
>>><br>
>>> curl -X POST<br>
>>> <a href="http://127.0.0.1:8080/auth/realms/demo/protocol/openid-connect/token" rel="noreferrer" target="_blank">http://127.0.0.1:8080/auth/realms/demo/protocol/openid-connect/token</a> -H<br>
>>> "Content-Type: application/x-www-form-urlencoded" -d "username=demo" -d<br>
>>> 'password=demo' -d 'grant_type=password' -d 'client_id=demo'<br>
>>><br>
>>> I get this error --><br>
>>><br>
>>> {"error_description":"Direct Grant REST API not<br>
>>> enabled","error":"not_enabled"}<br>
>>><br>
>>> Here is the demo.json exported file =<br>
>>> <a href="https://gist.github.com/cmoulliard/c25fef751886ace8c354" rel="noreferrer" target="_blank">https://gist.github.com/cmoulliard/c25fef751886ace8c354</a><br>
>>><br>
>>><br>
>>>> To make your life simple for demo purposes, I suggest your clients be<br>
>>>> 'Direct Grants Only' and 'Public'.<br>
>>>><br>
>>>> I'm not entirely clear from your email whether you want to script<br>
>>>> this, or provide walk-through steps, or provide a pre-baked config<br>
>>>> (like the blog).<br>
>>>>> I would like to include instructions (= step by step instructions) +<br>
>>> screenshots and also a file (= json exported config) for end users not<br>
>>> interested in setting up Keycloak<br>
>>>><br>
>>>> Do you need to use roles and authorization? Or just simple<br>
>>>> authentication?<br>
>>>><br>
>>>> Regards,<br>
>>>> Marc<br>
>>>><br>
>>>><br>
>>>>> On 01/09/2015 06:20, Charles Moulliard wrote:<br>
>>>>> This blog refers to a link where we will import a pre-defined config<br>
>>>>><br>
>>>>> First, log into the Keycloak server. If you’re following our<br>
>>>>> walkthrough, the log-in details are identical to those mentioned earlier<br>
>>>>> (admin, admin123!). You can see that there is already an apiman realm<br>
>>>>> defined, but we’re going to create a new one, so navigate to Add Realm<br>
>>>>> (top right), and import and upload "this demonstration realm definition<br>
>>>>> - <a href="http://www.apiman.io/blog/resources/2015-06-04/stottie.json" rel="noreferrer" target="_blank">http://www.apiman.io/blog/resources/2015-06-04/stottie.json</a>"; it<br>
>>>>> provides an extremely simple setup where we have:<br>
>>>>><br>
>>>>> What I would like is to explain how we can create this "stottie" config in<br>
>>>>> Keycloak (step by step, screenshots)<br>
>>>>><br>
>>>>>> On 01/09/15 02:19, Eric Wittmann wrote:<br>
>>>>>> +1<br>
>>>>>><br>
>>>>>> Thanks for responding, Rafael. I had intended to link this very same<br>
>>>>>> tutorial but then it slipped my mind. :)<br>
>>>>>><br>
>>>>>>> On 8/31/2015 5:48 PM, Rafael Soares wrote:<br>
>>>>>>> Charles,<br>
>>>>>>><br>
>>>>>>> Recently I followed the "/Keycloak and dagger: Securing your<br>
>>>>> services<br>
>>>>>>> with OAuth2/" tutorial [1] and it worked fine! This howto is great!<br>
>>>>>>><br>
>>>>>>> You don't need to do anything on the Fuse/Camel side. All setup is<br>
>>>>> done<br>
>>>>>>> in the ApiMan side. ApiMan comes with a KeyCloak service embedded and<br>
>>>>>>> all you need to do is install the Apiman oauth2 keycloak plugin and<br>
>>>>>>> configure your service policy to use it. The tutorial [1]<br>
>>>>> describes each<br>
>>>>>>> step in detail.<br>
>>>>>>><br>
>>>>>>> [1]<br>
>>>>> <a href="http://www.apiman.io/blog/gateway/security/oauth2/keycloak/authentication/authorization/2015/06/09/keycloak-oauth2.html" rel="noreferrer" target="_blank">http://www.apiman.io/blog/gateway/security/oauth2/keycloak/authentication/authorization/2015/06/09/keycloak-oauth2.html</a><br>
>>>>><br>
>>>>>>><br>
>>>>>>><br>
>>>>>>><br>
>>>>>>><br>
>>>>>>> ________________________<br>
>>>>>>> Rafael Torres Coelho Soares<br>
>>>>>>><br>
>>>>>>> On Mon, Aug 31, 2015 at 2:38 PM, Charles Moulliard<br>
>>>>>>> <<a href="mailto:cmoulliard@redhat.com">cmoulliard@redhat.com</a> <mailto:<a href="mailto:cmoulliard@redhat.com">cmoulliard@redhat.com</a>>> wrote:<br>
>>>>>>><br>
>>>>>>> Hi,<br>
>>>>>>><br>
>>>>>>> I have already asked this question but I need some help to<br>
>>>>> figure<br>
>>>>>>> out<br>
>>>>>>> what are the steps required to setup Oauth 2 with Keycloak as<br>
>>>>> I'm<br>
>>>>>>> preparing a demo<br>
>>>>>>> (<a href="https://github.com/FuseByExample/rest-dsl-in-action" rel="noreferrer" target="_blank">https://github.com/FuseByExample/rest-dsl-in-action</a>)<br>
>>>>>>> covering the point about how to secure & govern Camel REST DSL<br>
>>>>>>> endpoints<br>
>>>>>>> on JBoss Fuse using Apiman & Keycloak ?<br>
>>>>>>><br>
>>>>>>> I just need the list of the steps to perform from the Web Site.<br>
>>>>>>> Based on<br>
>>>>>>> the input, I will take some screenshots and include the<br>
>>>>> instructions<br>
>>>>>>> within the demo content. Such input could be reused to write<br>
>>>>> a blog<br>
>>>>>>> article too ;-)<br>
>>>>>>><br>
>>>>>>> Regards,<br>
>>>>>>><br>
>>>>>>> Charles<br>
>>>>>>> _______________________________________________<br>
>>>>>>> Apiman-user mailing list<br>
>>>>>>> <a href="mailto:Apiman-user@lists.jboss.org">Apiman-user@lists.jboss.org</a> <mailto:<a href="mailto:Apiman-user@lists.jboss.org">Apiman-user@lists.jboss.org</a>><br>
>>>>>>> <a href="https://lists.jboss.org/mailman/listinfo/apiman-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/apiman-user</a><br>
>>>>>>><br>
>>>>>>><br>
>>>>>>><br>
>>>>>>><br>
>><br>
</div></div></blockquote></div><br></div>
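<div>The direct-grant exchange discussed in this thread, as an added Python example that is not part of any message above or of the apiman/Keycloak projects: it builds the same token request as the quoted curl command, reports the <code>not_enabled</code> error with the fix Marc describes, and decodes the returned JWT. The function names are hypothetical, and the base URL and the realm, user and client all named "demo" are the thread's demo values.</div>

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumed: the local demo Keycloak instance used in the thread.
BASE = "http://127.0.0.1:8080/auth"

def build_token_request(realm, client_id, username, password, base=BASE):
    """Build the same form-encoded POST as the curl command in the thread."""
    form = urllib.parse.urlencode({
        "grant_type": "password", "client_id": client_id,
        "username": username, "password": password}).encode()
    url = f"{base}/realms/{realm}/protocol/openid-connect/token"
    return urllib.request.Request(url, data=form, method="POST", headers={
        "Content-Type": "application/x-www-form-urlencoded"})

def parse_token_response(body):
    """Return the access token, or raise with the server's error fields."""
    doc = json.loads(body)
    if "error" in doc:
        hint = ""
        if doc["error"] == "not_enabled":
            hint = " (turn on 'Direct Grant API' in the realm login settings)"
        raise RuntimeError(f"{doc['error']}: {doc.get('error_description', '')}{hint}")
    return doc["access_token"]

def jwt_claims(token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def bearer_headers(token):
    return {"Authorization": f"Bearer {token}"}  # header for the gateway call

def fetch_token(realm="demo", client_id="demo", username="demo", password="demo"):
    """Live call; needs the Keycloak instance from the thread to be running."""
    req = build_token_request(realm, client_id, username, password)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            body = resp.read()
    except urllib.error.HTTPError as err:
        body = err.read()  # the error JSON arrives with a non-2xx status
    return parse_token_response(body)
```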