How to update backend implementation URL for published Service without changing the version
by Sanjay Melinamani
Hi All,
I am using APIMAN 1.1.9 and for an existing API that I have published to
consumers, I would like to change its backend implementation end point URL
without changing the API service version.
I updated the backend implementation URL in database table
"service_versions". I can see the updated URL from UI but still the gateway
is using the old implementation URL specified.
Does it cache the implementation URL once the service is published? Is
there any way I can update the implementation URL for an existing service?
Appreciate your time and help.
Thanks
Sanjay
9 years, 11 months
Integration with separate Keycloak server?
by Guy Davis
Good day,
I currently have a test instance of Wildfly 9 running both Keycloak 1.5 and
Apiman 1.1.8. I'm using Keycloak 1.5 as Apiman makes a Keycloak getTime()
call somewhere that was removed in Keycloak 1.6's adapters.
So I'm seeing that trying to put Keycloak and Apiman in the same Wildfly
container is probably not a good plan going forward due to
incompatibilities as each project progresses.
Today, I noticed that Hawkular announced
<http://www.hawkular.org/blog/2015/12/16/hawkular-1.0.0.Alpha8-released.html>
that they now allow startup of their container with a property pointing to
a remote Keycloak server.
Is this possible with Apiman today? If not, is it on the roadmap? I'd
like to upgrade to Keycloak 1.7
<http://blog.keycloak.org/2015/12/keycloak-170final-released.html> following
this approach with Keycloak, Apiman, and Hawkular all in their own
containers.
By the way, I'm really stoked to see the excellent integration and progress
being made by all these projects! Keep up the good work.
Thanks,
Guy
10 years
Re: [Apiman-user] Keycloak OAuth2 policy: Get bearer token for logged in user without using username/password
by Ton Swieb
Hi Marc,
I got it working, without the SAML IdP, using the Keycloak Javascript
adapter.
I used the Keycloak JS-Console example and extended it with a javascript
function that does a call to the apiman-gateway after I have a logged-in
session with Keycloak. Something like:
// url is the apiman gateway endpoint to call; keycloak is the JS adapter instance
var client = new XMLHttpRequest();
client.open("GET", url, false); // synchronous request
client.setRequestHeader("Accept", "application/json");
client.setRequestHeader("Authorization", "Bearer " + keycloak.token);
client.send();
The keycloak.token is available after a call to keycloak.login(). Both are
part of the Keycloak javascript adapter.
Underneath, the Javascript adapter still does a call similar to
http://127.0.0.1:8080/auth/realms/stottie/protocol/openid-connect/token to
retrieve the access token, with the difference that the grant_type used is
authorization_code instead of password and a code is supplied instead of a
username/password combination. I assume the code is retrieved from the
keycloak session. Not sure how it exactly works, but it works.
Next step will be to test it with the SAML IdP instead of standalone
Keycloak, but I do not expect it to behave any differently.
Regards,
Ton
2015-12-08 19:00 GMT+01:00 Ton Swieb <ton(a)finalist.nl>:
> Hi Marc,
>
> I am using the following setup:
> 1. Client -> Keycloak (apiman realm) -> SAML 2.0 IdP -> Keycloak (apiman
> realm) -> Client
> 2. Client -> apiman gateway -> Keycloak OAuth policy -> back-end -> apiman
> gateway -> Client
>
> The IdP is a SAML 2.0 IdP. I believe it is SimpleSAMLPHP.
> It is unclear to me why it matters which IdP I am using, because my
> assumption is that:
>
> - I end up with a valid Keycloak session within the apiman realm
> - the SAML 2.0 token should only be used by Keycloak to issue a login
> session to the client.
> - the client itself will never directly use anything from the SAML 2.0
> IdP, but should only use the stuff that Keycloak mapped from the SAML token
> onto its own token.
>
> I did ask the question on the keycloak mailinglist, but from a different
> angle. I am afraid the solution for my problem will be somewhere in between.
> Any help from your side is greatly appreciated :-)
>
> Regards,
>
> Ton
>
>
> Message: 5
> Date: Tue, 8 Dec 2015 16:58:26 +0000
> From: Marc Savy <marc.savy(a)redhat.com>
> Subject: Re: [Apiman-user] Keycloak OAuth2 policy: Get bearer token
> for logged in user without using username/password
> To: apiman-user(a)lists.jboss.org
> Message-ID: <56670C32.3060000(a)redhat.com>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> To expand on that - depending on exactly what type of IdP (and
> specifically which technology) you were delegating to, it may be possible
> to do what you're asking - or you may need to write something custom.
>
> Can you provide more detail?
>
> Also, if you have very specific Keycloak questions you might be best
> served on the keycloak-user mailing list, which is extremely active (
> https://lists.jboss.org/mailman/listinfo/keycloak-user).
>
> On 08/12/2015 16:53, Marc Savy wrote:
> > Hi Ton,
> >
> > I'm not quite sure what you mean, but I think what you're asking for is
> > brokerage/delegation in the form:
> >
> > 1. Client <-> Keycloak <-> Other IdP.
> > 2. Client <-> apiman gateway
> >
> > Regards,
> > Marc
> >
> > On 08/12/2015 15:28, Ton Swieb wrote:
> > > Hi,
> > >
> > > I would like to secure my api's using the Keycloak OAuth2 policy.
> > > Similar to what is described in the blog post of Marc Savy:
> > >
> > > http://www.apiman.io/blog/gateway/security/oauth2/keycloak/authentication...
> > >
> > >
> > > Only with the difference that Keycloak delegates the login to a third
> > > party IdP. After logging in at this third party IdP I end up with an
> > > active session in the Apiman UI (the apiman realm of Keycloak).
> > >
> > > Now I am wondering how to get the bearer token, because I do not have a
> > > username/password combination I can use to make a call like:
> > >
> > > |curl -X POST
> > >
> > > http://127.0.0.1:8080/auth/realms/stottie/protocol/openid-connect/token
> > > -H "Content-Type: application/x-www-form-urlencoded" -d
> > > "username=rincewind" -d 'password=apiman' -d 'grant_type=password' -d
> > > 'client_id=apiman'|
> > >
> > > Because the username/password combination is linked to the third party
> > > IdP and not to Keycloak itself.
> > >
> > > Is there another way to obtain the bearer token?
> > >
> > > Perhaps this is a question which I should address at the keycloak
> > > mailinglist. I will try to ask the question there as well.
> > >
> > > Regards,
> > >
> > > Ton
> > >
> > >
> > > _______________________________________________
> > > Apiman-user mailing list
> > > Apiman-user(a)lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/apiman-user
> > >
> >
>
10 years
Receiving HTML instead of JSON from Keycloak when trying to point apimanui to the API gateway
by Paul Blair
I'm getting a strange error in my production deployment which I'm having difficulty troubleshooting.
After deploying the apiman UI and gateway on separate hosts, according to the production guide I have to point the API Manager to the API gateway. If I hit the "New Gateway" button, I need to add the URI of the gateway. I'm assuming this should be
[PROTOCOL]://[GATEWAY_HOST]:[GATEWAY_PORT]/apiman-gateway-api/ -- which should also be set as the redirect URI for the gateway in the Apiman realm in Keycloak (followed by a star). This is different from my public endpoint, which is [PROTOCOL]://[GATEWAY_HOST]:[GATEWAY_PORT]/apiman-gateway
When I use the apimanager user (set up in the default realm file) to test the gateway in the "New Gateway" screen I'm getting this error:
Gateway Configuration Invalid
Something has gone wrong when testing the Gateway. Hopefully the details (below) will help you figure out what.
org.codehaus.jackson.JsonParseException: Unexpected character ('<' (code 60)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
at [Source: org.apache.http.conn.EofSensorInputStream@450a7e3f; line: 1, column: 2]
If I look at what's happening in the API manager log, it looks like the error is coming from getting HTML back from Keycloak where it's expecting JSON. Is there some configuration I'm missing? Here are the relevant API manager server logs:
21:38:49,715 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-1) Bearer AUTHENTICATED
21:38:49,717 DEBUG [org.keycloak.adapters.AuthenticatedActionsHandler] (default task-1) AuthenticatedActionsValve.invoke https://[APIMANUI]/apiman/gateways
...
21:38:50,796 DEBUG [org.apache.http.impl.execchain.MainClientExec] (default task-1) Opening connection {s}->https://[GATEWAY]
...
21:38:50,864 DEBUG [org.apache.http.impl.execchain.MainClientExec] (default task-1) Executing request GET /apiman-gateway-api/system/status HTTP/1.1
21:38:50,864 DEBUG [org.apache.http.impl.execchain.MainClientExec] (default task-1) Proxy auth state: UNCHALLENGED
21:38:50,866 DEBUG [org.apache.http.headers] (default task-1) http-outgoing-0 >> GET /apiman-gateway-api/system/status HTTP/1.1
21:38:50,866 DEBUG [org.apache.http.headers] (default task-1) http-outgoing-0 >> Authorization: Basic YXBpbWFuYWdlcjphcGltYW4xMjMh
21:38:50,866 DEBUG [org.apache.http.headers] (default task-1) http-outgoing-0 >> Host: [GATEWAY]
...
21:38:50,881 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-0 << "HTTP/1.1 302 Found[\r][\n]"
21:38:50,881 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-0 << "Expires: 0[\r][\n]"
21:38:50,881 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-0 << "Set-Cookie: OAuth_Token_Request_State=19/8069a233-7d97-4f9d-8696-673f72815124; secure[\r][\n]"
21:38:50,882 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-0 << "Location: https://[KEYCLOAK]/auth/realms/apiman/protocol/openid-connect/auth?respon..."
...
21:38:50,894 DEBUG [org.apache.http.client.protocol.ResponseProcessCookies] (default task-1) Cookie accepted [OAuth_Token_Request_State="19/8069a233-7d97-4f9d-8696-673f72815124", version:0, domain:ec2-52-34-81-26.us-west-2.compute.amazonaws.com, path:/apiman-gateway-api/system, expiry:null]
21:38:50,894 DEBUG [org.apache.http.impl.client.DefaultRedirectStrategy] (default task-1) Redirect requested to location 'https://[KEYCLOAK]/auth/realms/apiman/protocol/openid-connect/auth?respon...'
21:38:50,900 DEBUG [org.apache.http.impl.execchain.RedirectExec] (default task-1) Resetting target auth state
21:38:50,900 DEBUG [org.apache.http.impl.execchain.RedirectExec] (default task-1) Redirecting to 'https://[KEYCLOAK]/auth/realms/apiman/protocol/openid-connect/auth?respon...' via {s}->https://[KEYCLOAK]
...
21:38:50,902 DEBUG [org.apache.http.impl.conn.PoolingHttpClientConnectionManager] (default task-1) Connection request: [route: {s}->https://[KEYCLOAK]][total kept alive: 1; route allocated: 0 of 2; total allocated: 1 of 20]
...
21:38:50,935 DEBUG [org.apache.http.impl.conn.DefaultHttpClientConnectionOperator] (default task-1) Connection established 172.17.1.52:46173<->172.31.41.242:8443
21:38:50,936 DEBUG [org.apache.http.impl.execchain.MainClientExec] (default task-1) Executing request GET /auth/realms/apiman/protocol/openid-connect/auth?response_type=code&client_id=apiman-gateway-api&redirect_uri=https%3A%2F%2F[GATEWAY]%2Fapiman-gateway-api%2Fsystem%2Fstatus&state=19%2F8069a233-7d97-4f9d-8696-673f72815124&login=true HTTP/1.1
21:38:50,936 DEBUG [org.apache.http.impl.execchain.MainClientExec] (default task-1) Proxy auth state: UNCHALLENGED
21:38:50,936 DEBUG [org.apache.http.headers] (default task-1) http-outgoing-1 >> GET /auth/realms/apiman/protocol/openid-connect/auth?response_type=code&client_id=apiman-gateway-api&redirect_uri=https%3A%2F%2F[GATEWAY]%2Fapiman-gateway-api%2Fsystem%2Fstatus&state=19%2F8069a233-7d97-4f9d-8696-673f72815124&login=true HTTP/1.1
21:38:50,936 DEBUG [org.apache.http.headers] (default task-1) http-outgoing-1 >> Authorization: Basic YXBpbWFuYWdlcjphcGltYW4xMjMh
21:38:50,936 DEBUG [org.apache.http.headers] (default task-1) http-outgoing-1 >> Host: [KEYCLOAK]
21:38:50,936 DEBUG [org.apache.http.headers] (default task-1) http-outgoing-1 >> User-Agent: Apache-HttpClient/4.5 (Java/1.8.0_25)
21:38:50,936 DEBUG [org.apache.http.headers] (default task-1) http-outgoing-1 >> Accept-Encoding: gzip,deflate
...
21:38:50,960 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-1 << "HTTP/1.1 200 OK[\r][\n]"
21:38:50,960 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-1 << "X-Powered-By: Undertow/1[\r][\n]"
21:38:50,960 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-1 << "Set-Cookie: KC_RESTART=[COOKIE]; Version=1; Path=/auth/realms/apiman; HttpOnly[\r][\n]"
21:38:50,960 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-1 << "Server: WildFly/9[\r][\n]"
21:38:50,960 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-1 << "X-Frame-Options: SAMEORIGIN[\r][\n]"
21:38:50,960 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-1 << "Content-Security-Policy: frame-src 'self'[\r][\n]"
21:38:50,960 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-1 << "Date: Mon, 14 Dec 2015 21:38:50 GMT[\r][\n]"
21:38:50,960 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-1 << "Connection: keep-alive[\r][\n]"
21:38:50,960 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-1 << "Content-Type: text/html[\r][\n]"
21:38:50,960 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-1 << "Content-Length: 4171[\r][\n]"
21:38:50,960 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-1 << "[\r][\n]"
21:38:50,961 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-1 << "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">[\n]"
21:38:50,961 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-1 << "<html xmlns="http://www.w3.org/1999/xhtml" class="login-pf">[\n]"
21:38:50,961 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-1 << "[\n]"
21:38:50,961 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-1 << "<head>[\n]"
21:38:50,961 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-1 << " <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />[\n]"
21:38:50,961 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-1 << " <meta name="viewport" content="width=device-width,initial-scale=1"/>[\n]"
21:38:50,961 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-1 << " <title> Log in to apiman[\n]"
21:38:50,961 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-1 << "</title>[\n]"
... more html...
10 years
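An added example, not code from the post: it parses Apache HttpClient DEBUG lines of the kind shown above into the redirect chain and reports what a practitioner would want from that log, namely that the JSON status call ended at an HTML login page, and that the Basic credentials were re-sent to a second host after the redirect. The sample log is constructed from the lines above with the credential redacted; `parse_chain` and `diagnose` are this example's own names.

```python
# Added example (not from the post): rebuild the request chain from Apache HttpClient
# DEBUG lines like the ones posted and flag "JSON endpoint answered with a login page".
import re

# Constructed sample in the shape of the posted log (credential redacted).
SAMPLE_LOG = r"""
21:38:50,866 DEBUG [org.apache.http.headers] (default task-1) http-outgoing-0 >> GET /apiman-gateway-api/system/status HTTP/1.1
21:38:50,866 DEBUG [org.apache.http.headers] (default task-1) http-outgoing-0 >> Authorization: Basic [REDACTED]
21:38:50,866 DEBUG [org.apache.http.headers] (default task-1) http-outgoing-0 >> Host: [GATEWAY]
21:38:50,881 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-0 << "HTTP/1.1 302 Found[\r][\n]"
21:38:50,882 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-0 << "Location: https://[KEYCLOAK]/auth/realms/apiman/protocol/openid-connect/auth?response_type=code[\r][\n]"
21:38:50,936 DEBUG [org.apache.http.headers] (default task-1) http-outgoing-1 >> GET /auth/realms/apiman/protocol/openid-connect/auth?response_type=code HTTP/1.1
21:38:50,936 DEBUG [org.apache.http.headers] (default task-1) http-outgoing-1 >> Authorization: Basic [REDACTED]
21:38:50,936 DEBUG [org.apache.http.headers] (default task-1) http-outgoing-1 >> Host: [KEYCLOAK]
21:38:50,960 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-1 << "HTTP/1.1 200 OK[\r][\n]"
21:38:50,960 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-1 << "Content-Type: text/html[\r][\n]"
"""
LINE_RE = re.compile(r'^\S+ DEBUG \[[^\]]+\] \([^)]*\) (?P<conn>http-outgoing-\d+) '
                     r'(?P<dir>>>|<<) (?P<rest>.*)$')
REQ_RE = re.compile(r'^[A-Z]+ (?P<path>\S+) HTTP/\d\.\d$')

def parse_chain(log):
    """One dict per http-outgoing-N connection, in order: request path/headers, status, response headers."""
    chain = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        hop = chain.setdefault(m['conn'], {'req': {}, 'resp': {}, 'path': '', 'status': 0})
        rest = m['rest']
        if m['dir'] == '<<':   # the wire log quotes responses and shows CRLF as [\r][\n]
            rest = rest.strip('"').replace(r'[\r]', '').replace(r'[\n]', '')
        req = REQ_RE.match(rest)
        if req:
            hop['path'] = req['path']
        elif rest.startswith('HTTP/'):
            hop['status'] = int(rest.split(' ')[1])
        elif ':' in rest:      # header line on either side; body lines without a colon are ignored
            name, _, value = rest.partition(':')
            hop['req' if m['dir'] == '>>' else 'resp'][name.strip().lower()] = value.strip()
    return list(chain.values())

def _scheme(hop):              # 'Basic', 'Bearer', ... or '' when no Authorization header was sent
    return hop['req'].get('authorization', '').split(' ')[0]

def diagnose(hops):
    """Findings as 'code: detail' strings; the code before the colon is stable for scripting."""
    out, first, last = [], hops[0], hops[-1]
    for hop in hops:
        if hop['status'] in (301, 302, 303, 307) and '/protocol/openid-connect/auth' in hop['resp'].get('location', ''):
            out.append(f"redirected-to-keycloak-login: {hop['path']} sent with {_scheme(hop) or 'no'} auth")
    if first['path'].startswith('/apiman-gateway-api/') and last['resp'].get('content-type', '').startswith('text/html'):
        out.append(f"html-instead-of-json: {first['path']} ended at {last['req'].get('host')}{last['path']}")
    for hop in hops[1:]:       # Authorization header re-sent to another host after a redirect
        if _scheme(hop) and hop['req'].get('host') != first['req'].get('host'):
            out.append(f"credentials-forwarded-cross-host: {_scheme(hop)} header re-sent to {hop['req']['host']}")
    return out
```

Run it as `diagnose(parse_chain(SAMPLE_LOG))`; on a real log, feed the full DEBUG output of one request instead of the constructed sample.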
Production deployment questions
by Paul Blair
Hi - I'm working through the production deployment guide and have a few questions concerning the standalone-apiman.xml file.
In the file, I see several entries like this (one each for apiman.war, apimanui.war, and apiman-gateway-api.war).
<kc:secure-deployment xmlns:kc="urn:jboss:domain:keycloak:1.0" name="apiman.war">
<kc:realm>apiman</kc:realm>
<kc:resource>apiman</kc:resource>
<kc:credential name="secret">password</kc:credential>
</kc:secure-deployment>
1. Is "password" supposed to be replaced by some credential? This isn't mentioned in the instructions; my guess is that this credential is used only for applications that request REST Direct Access Grants, and that apiman doesn't. Is that correct?
2. If I'm configuring the gateway as a separate service, can I remove the apimanui.war secure-deployment entry? Correspondingly, when I configure the standalone API manager, do I remove the apiman-gateway-api.war entry?
3. Is it possible to set properties that appear in apiman.properties by way of Java system properties or in a <system-properties> configuration in the standalone-apiman.xml file?
10 years
Having trouble connecting to Amazon Elasticsearch service
by Paul Blair
Not quite sure what to make of this: I'm getting
org.apache.http.NoHttpResponseException: [endpoint_URI]:443 failed to respond
But if I do:
curl https://[endpoint_URI]:443
I get a response from Elasticsearch. This is because I have the Amazon Elasticsearch instance permissioned to accept any connections from the IP address where apiman is running.
The apiman configurations look like this:
apiman.es.protocol=http
apiman.es.host=[endpoint_URI]
apiman.es.port=443
apiman.es.username=
apiman.es.password=
Changing protocol from http to https doesn't appear to help, nor does removing the username and password properties entirely. Any suggestions?
10 years
Strange exception trying to initialize apiman database with Postgres
by Paul Blair
I'm getting a weird data type exception when issuing a request to the API manager running against a Postgres instance:
I'm using apiman 1.1.9 with the DDL for Postgres found here: https://raw.githubusercontent.com/apiman/apiman/apiman-1.1.9.Final/distro...
The DDL does make that into a text column; I'm not sure why Hibernate doesn't like it and instead wants a VARCHAR that is too big for Postgres. This is on PostgreSQL 9.4.4; my driver configuration in the standalone-apiman.xml uses postgresql-9.3-1102-jdbc41.jar and doesn't have any particular validation configuration.
Relevant stack:
UT005023: Exception handling request to /apiman/currentuser/info: org.jboss.resteasy.spi.UnhandledException: org.jboss.weld.exceptions.WeldException: WELD-000049: Unable to invoke public void io.apiman.manager.api.jpa.EntityManagerFactoryAccessor.postConstruct() on io.apiman.manager.api.jpa.EntityManagerFactoryAccessor@325203f1
...
Caused by: javax.persistence.PersistenceException: Unable to build entity manager factory
...
Caused by: org.hibernate.HibernateException: Wrong column type in public.auditlog for column data. Found: text, expected: varchar(2147483647)
at org.hibernate.mapping.Table.validateColumns(Table.java:372) [hibernate-core-4.3.7.Final.jar:4.3.7.Final]
at org.hibernate.cfg.Configuration.validateSchema(Configuration.java:1338) [hibernate-core-4.3.7.Final.jar:4.3.7.Final]
...
10 years, 1 month
Using property placeholder in policy configuration which evaluate at runtime using system properties
by Ton Swieb
Hi,
Is it possible to use property placeholders in policy configuration? The
property placeholders should be evaluated at runtime based on a Java system
property.
For example.
I have configured the realm property in the Keycloak Oauth policy to be:
http://localhost:8080/auth/realms/apiman
But instead of setting protocol://host:port hardcoded I want to use
something like:
{{protocol}}://{{host}}:{{port}}/auth/realms/apiman
or
{{baseUrl}}/auth/realms/apiman
The reason I want to use property placeholders is because of our Docker
build.
The Docker image is set up with a preconfigured Apiman installation. So the
image already has some services published and policies applied. Only when
building the image it is unknown on which host the image will run.
In particular, the Keycloak OAuth policy is complaining as follows:
{
"type": "Authentication",
"failureCode": 11004,
"responseCode": 401,
"message": "Token audience doesn't match domain. Token issuer is
http://192.168.99.100:8080/auth/realms/apiman, but URL from
configuration is http://localhost:8080/auth/realms/apiman",
"headers": {}
}
I hope to solve this by using property placeholders which evaluate at
runtime using a system property.
Regards,
Ton
10 years, 1 month
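An added example (not apiman code) for the placeholder question above: `{{name}}` values in a stored policy configuration are resolved from a property map at start-up (the map stands in for Java system properties; whether apiman itself supports such placeholders is not confirmed here), and the resolved realm URL is then compared with the token's `iss` claim the way the quoted failure message describes. The failure dict copies the shape quoted in the post; the token is a constructed, unsigned demo token whose issuer is read without signature verification, which a real policy must never skip.

```python
# Added example, not apiman code: resolve {{name}} placeholders in a stored policy
# configuration from a property map at start-up, then run the issuer comparison
# whose failure message the post quotes.
import base64
import json
import re
from typing import Dict, Mapping

PLACEHOLDER = re.compile(r'\{\{\s*([A-Za-z0-9_.]+)\s*\}\}')

def resolve_placeholders(text: str, props: Mapping[str, str]) -> str:
    """Replace each {{name}} with props[name]. An unknown name raises instead of
    being left in place: a half-resolved realm URL would fail later and less clearly."""
    def sub(m):
        name = m.group(1)
        if name not in props:
            raise KeyError(f'unresolved placeholder {{{{{name}}}}}')
        return props[name]
    return PLACEHOLDER.sub(sub, text)

def resolve_config(config: Dict[str, str], props: Mapping[str, str]) -> Dict[str, str]:
    # props would be filled from System.getProperty()/the environment in a real deployment.
    return {key: resolve_placeholders(value, props) for key, value in config.items()}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b'=').decode()

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + '=' * (-len(segment) % 4))

def token_issuer(jwt: str) -> str:
    """Read 'iss' from the payload segment. No signature check is done here;
    a real policy verifies the signature before trusting any claim."""
    return json.loads(_b64url_decode(jwt.split('.')[1]))['iss']

def check_issuer(jwt: str, realm_url: str) -> Dict[str, object]:
    """Empty dict on success; otherwise a failure in the shape quoted in the post."""
    iss = token_issuer(jwt)
    if iss.rstrip('/') != realm_url.rstrip('/'):
        return {'type': 'Authentication', 'failureCode': 11004, 'responseCode': 401,
                'message': f"Token audience doesn't match domain. Token issuer is {iss}, "
                           f"but URL from configuration is {realm_url}", 'headers': {}}
    return {}

def demo_token(iss: str) -> str:
    """Constructed unsigned demo token (empty signature segment); never valid for a real verifier."""
    header = _b64url(b'{"alg":"none","typ":"JWT"}')
    payload = _b64url(json.dumps({'iss': iss, 'sub': 'demo'}).encode())
    return f'{header}.{payload}.'

# Constructed values: the realm as baked into the image, and a token issued by the
# Keycloak the container actually reached (the mismatch the post shows).
BAKED_CONFIG = {'realm': '{{baseUrl}}/auth/realms/apiman'}
TOKEN = demo_token('http://192.168.99.100:8080/auth/realms/apiman')

def demo():
    """Returns (failure with the baked-in localhost URL, result with the runtime URL)."""
    stale = resolve_config(BAKED_CONFIG, {'baseUrl': 'http://localhost:8080'})
    live = resolve_config(BAKED_CONFIG, {'baseUrl': 'http://192.168.99.100:8080'})
    return check_issuer(TOKEN, stale['realm']), check_issuer(TOKEN, live['realm'])
```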
Re: [Apiman-user] Keycloak OAuth2 policy: Get bearer token for logged in user without using username/password (Marc Savy)
by Ton Swieb
Hi Marc,
I am using the following setup:
1. Client -> Keycloak (apiman realm) -> SAML 2.0 IdP -> Keycloak (apiman
realm) -> Client
2. Client -> apiman gateway -> Keycloak OAuth policy -> back-end -> apiman
gateway -> Client
The IdP is a SAML 2.0 IdP. I believe it is SimpleSAMLPHP.
It is unclear to me why it matters which IdP I am using, because my
assumption is that:
- I end up with a valid Keycloak session within the apiman realm
- the SAML 2.0 token should only be used by Keycloak to issue a login
session to the client.
- the client itself will never directly use anything from the SAML 2.0
IdP, but should only use the stuff that Keycloak mapped from the SAML token
onto its own token.
I did ask the question on the keycloak mailinglist, but from a different
angle. I am afraid the solution for my problem will be somewhere in between.
Any help from your side is greatly appreciated :-)
Regards,
Ton
Message: 5
Date: Tue, 8 Dec 2015 16:58:26 +0000
From: Marc Savy <marc.savy(a)redhat.com>
Subject: Re: [Apiman-user] Keycloak OAuth2 policy: Get bearer token
for logged in user without using username/password
To: apiman-user(a)lists.jboss.org
Message-ID: <56670C32.3060000(a)redhat.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
To expand on that - depending on exactly what type of IdP (and specifically
which technology) you were delegating to, it may be possible to do what
you're asking - or you may need to write something custom.
Can you provide more detail?
Also, if you have very specific Keycloak questions you might be best served
on the keycloak-user mailing list, which is extremely active (
https://lists.jboss.org/mailman/listinfo/keycloak-user).
On 08/12/2015 16:53, Marc Savy wrote:
> Hi Ton,
>
> I'm not quite sure what you mean, but I think what you're asking for is
> brokerage/delegation in the form:
>
> 1. Client <-> Keycloak <-> Other IdP.
> 2. Client <-> apiman gateway
>
> Regards,
> Marc
>
> On 08/12/2015 15:28, Ton Swieb wrote:
> > Hi,
> >
> > I would like to secure my api's using the Keycloak OAuth2 policy.
> > Similar to what is described in the blog post of Marc Savy:
> >
> > http://www.apiman.io/blog/gateway/security/oauth2/keycloak/authentication...
> >
> >
> > Only with the difference that Keycloak delegates the login to a third
> > party IdP. After logging in at this third party IdP I end up with an
> > active session in the Apiman UI (the apiman realm of Keycloak).
> >
> > Now I am wondering how to get the bearer token, because I do not have a
> > username/password combination I can use to make a call like:
> >
> > |curl -X POST
> > http://127.0.0.1:8080/auth/realms/stottie/protocol/openid-connect/token
> > -H "Content-Type: application/x-www-form-urlencoded" -d
> > "username=rincewind" -d 'password=apiman' -d 'grant_type=password' -d
> > 'client_id=apiman'|
> >
> > Because the username/password combination is linked to the third party
> > IdP and not to Keycloak itself.
> >
> > Is there another way to obtain the bearer token?
> >
> > Perhaps this is a question which I should address at the keycloak
> > mailinglist. I will try to ask the question there as well.
> >
> > Regards,
> >
> > Ton
> >
> >
> > _______________________________________________
> > Apiman-user mailing list
> > Apiman-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/apiman-user
> >
>
10 years, 1 month