<div dir="ltr">Hi Enrico, <div><br></div><div>I just made the move to Apiman 1.2.1 (running on port 8081) and Keycloak 1.7.0 (running on port 8080), both behind an HAProxy instance. I've attached the section of my standalone-apiman.xml that worked for me. </div><div><br></div><div>Note, I'm <b>not</b> using the default 'apiman' realm as I am securing a number of other web apps with Keycloak. So I have 'MyRealm' with Keycloak client of 'apiman', which is set for:</div><div><ul><li>Client-protocol: openid-connect<br></li><li>Access Type: confidential</li><li>Direct Access Grants Enabled: ON</li><li>Valid redirect URIs:</li><ul><li>/apimanui/*</li><li>/apiman-gateway-api/*</li><li>/apiman-es/*</li><li>/apiman/*</li></ul></ul></div><div>In that KC client, I have 3 realm roles for this:</div><div><ul><li>apipublisher</li><li>apiadmin</li><li>apiuser</li></ul><div>I had tried to keep these roles to just the KC client 'apiman', but it wouldn't allow me to login to /apimanui unless the roles were realm-wide. I'm going to try client-specific roles again now that apiman is 1.2.1. I'm using Postgres and ElasticSearch for storage, on other VMs.</div></div><div><br></div><div>This was enough to let me login and view /apimanui when I had those roles for my Keycloak user.</div><div><br></div><div>Hope this helps,</div><div>Guy</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jan 28, 2016 at 1:08 AM, enrico <span dir="ltr"><<a href="mailto:lists@comiti.name" target="_blank">lists@comiti.name</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi all,<br>
thanks for the responses.<br>
<br>
@Mark: yes, I know that is a release candidate but looks like the<br>
final version is near and, being on a new project, I wanted start with<br>
the very last versions :)<br>
<br>
A part from this, I have tried with 1.7.0.Final too, but I have the<br>
same problem:<br>
<br>
User gets a "Forbidden" page and Keycloak server logs say:<br>
<br>
WARN [org.keycloak.events]:<br>
type=CODE_TO_TOKEN_ERROR,<br>
realmId=352d562a-f3e5-4b7a-99ad-4331cdfdf085, clientId=apimanui,<br>
userId=null, ipAddress=127.0.0.1, error=invalid_client_credentials,<br>
grant_type=authorization_code<br>
<br>
Thanks a lot for the help, best regards,<br>
Enrico<br>
<span class="im HOEnZb"><br>
<br>
On Wed, Jan 27, 2016 at 5:49 PM, Marc Savy <<a href="mailto:marc.savy@redhat.com">marc.savy@redhat.com</a>> wrote:<br>
> Hi Enrico,<br>
><br>
> We haven't tested with Keycloak 1.8, as this is only a candidate release<br>
> at the moment (CR == RC).<br>
><br>
> I can give it a try, though and will report back.<br>
><br>
> Regards,<br>
> Marc<br>
><br>
<br>
<br>
<br>
</span><span class="HOEnZb"><font color="#888888">--<br>
Enrico Comiti<br>
</font></span><div class="HOEnZb"><div class="h5">_______________________________________________<br>
Apiman-user mailing list<br>
<a href="mailto:Apiman-user@lists.jboss.org">Apiman-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/apiman-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/apiman-user</a><br>
</div></div></blockquote></div><br></div>