January 2016 - Apiman-user - Jboss List Archives

Re: [Apiman-user] external Keycloak server

by enrico

Hi all, thanks for the responses. @Mark: yes, I know that is a release candidate but looks like the final version is near and, being on a new project, I wanted start with the very last versions :) A part from this, I have tried with 1.7.0.Final too, but I have the same problem: User gets a "Forbidden" page and Keycloak server logs say: WARN [org.keycloak.events]: type=CODE_TO_TOKEN_ERROR, realmId=352d562a-f3e5-4b7a-99ad-4331cdfdf085, clientId=apimanui, userId=null, ipAddress=127.0.0.1, error=invalid_client_credentials, grant_type=authorization_code Thanks a lot for the help, best regards, Enrico On Wed, Jan 27, 2016 at 5:49 PM, Marc Savy <marc.savy(a)redhat.com> wrote: > Hi Enrico, > > We haven't tested with Keycloak 1.8, as this is only a candidate release > at the moment (CR == RC). > > I can give it a try, though and will report back. > > Regards, > Marc > -- Enrico Comiti

10 years

3
5
0 / 0

Plugins page stack trace - APIMan 1.2.1 on PostgreSQL 9.5

by Guy Davis

Good day, I was hoping to follow the recently published steps <http://www.apiman.io/blog/gateway/security/oauth2/keycloak/authentication...> for using Keycloak to OAuth protect an API with APIMan. I already have the backend API (war file) protected by Keycloak directly. When I click on the 'Manage Plugins' link: [image: Inline image 1] I receive the error shown (full trace attached): [image: Inline image 2] Any tips on which Postgres table/column is the problem? At a higher level, I'm not sure I understand the blog post however. I've already protecting the various apiman *war files and their endpoints with Keycloak's authentication behavior (default is OpenID Connect). So if the APIMan endpoints are protected already, what does the OAuth policy provide further? Any clarification on the integration points between Keycloak and APIMan would be appreciated. Thanks much, Guy

10 years

2
1
0 / 0

ApiMan and ActiveMQ

by Anton Hughes

Hello I have seen that Apiman is provided as part of Fabric8, Very nice! I am wondering, does apiman currently, or is it planned to, provide the same features that it currently does to web services? So, policies could also be applied to activemq queues and topics? Thanks -- Anton Hughes

10 years

3
2
0 / 0

How to update backend implementation URL for published Service without changing the version

by Sanjay Melinamani

Hi All, I am using APIMAN 1.1.9 and for an existing API that I have published to consumers, I like to change its backend implementation end point URL without changing the API service version. I updated the backend implementation URL in database table "service_versions". I can see the updated URL from UI but still the gateway is using the old implementation URL specified. Does it cache the implementation URL once the service is published ? Is there anyway I can update the implementation URL for an existing service? Appreciate your time and help. Thanks Sanjay

10 years

2
11
0 / 0

Replacing Keycloak

by Amit Joshi

Hello, I have the following setup: Ping server -> external https url (something like https://pingfederate.mydomain.com) - through an apache reverse proxy. Real server is pingfederate001.internal.com. APIman -> external https url (something like https://apiman.mydomain.com) through ab apache reverse proxy. Real server is apiman001.internal.com. I am trying to replace keycloak with ping federate in APIMan. I have - Disabled the integrated Keycloak. - Changed the <kc:auth-server-url>https://pingfederate.mydomain.com/as/token.oauth2</kc:auth-server-url<https://pingfederate.mydomain.com/as/token.oauth2%3c/kc:auth-server-url>> However, when I access I see the following as the redirect - which is clearly wrong: https://pingfederate.mydomain.com/as/token.oauth2/relams/apiman/protocol/... with the following parameters: response_type=code client_id=apimanui redirect_uri=http://apiman001.internal.com I looked the code for the keycloak plugin but can't seem to see where the redirect is generated or set. I assume it is some additional properties or settings that I have to do or change code for so I can generate a Ping friendly redirect url etc. Appreciate any help or any pointers. Regards, Amit Joshi ________________________________ This e-mail, including accompanying communications and attachments, is strictly confidential and only for the intended recipient. Any retention, use or disclosure not expressly authorised by Markit is prohibited. This email is subject to all waivers and other terms at the following link: http://www.markit.com/en/about/legal/email-disclaimer.page Please visit http://www.markit.com/en/about/contact/contact-us.page for contact information on our offices worldwide.

10 years

2
5
0 / 0

external Keycloak server

by enrico

Hi all and thanks for this awesome project, I'm trying to setup an Apiman instance pointing to external Keycloak server (and Elastic search, I don't know if it could be related) but I'm not able to log in. The Apiman version is 1.2.1.Final and Keycloak 1.8.0.CR3. In standalone-apiman.xml I have removed the lines: https://github.com/apiman/apiman/blob/master/distro/wildfly9/src/main/res... and https://github.com/apiman/apiman/blob/master/distro/wildfly9/src/main/res... and set the auth server in https://github.com/apiman/apiman/blob/master/distro/wildfly9/src/main/res... The apiman-realm is taken from https://raw.githubusercontent.com/apiman/apiman/master/distro/data/src/ma... and I have substituted the "secret" fields with the values from standalone-apiman.xml. Relevant ERROR logs from Apiman org.keycloak.adapters.OAuthRequestAuthenticator are: failed to turn code into token status from server: 400 {"error_description":"Client secret not provided in request","error":"unauthorized_client"} Any hint? Cheers, Enrico

10 years

3
2
0 / 0

Authorization policy with Web Service

by Charles Moulliard

Hi, Could it be possible to use the existing authorization policy to handle WebService where according to the SOAPAction we have to authorize the call to a method or do we have to create a new authorization policy ? As a WebService is not managed as RESTfull service where the HTTP Operation (= verb) can be used to determine if we will create, read or update something and restrict access for a user based on a role (writer, reader or admin), I try to figure out how we could achieve that authorization (= role based) based on the SOAPAction for webservice without creating a different WebService with only one operation/method to handle the actions to create/delete/read/update ... Regards, Charles

10 years

2
1
0 / 0

1.2.1.Final / Wildfly 9 conflict with production deployment instructions

by Paul Blair

The production guide gives the following guidance about disabling the bundled Keycloak components: Because you will be using an external/standalone Keycloak server, it is useful to disable the Keycloak components that are bundled with the apiman quickstart. To do that, make the following modification to the standalone-apiman.xml file: <subsystem xmlns="urn:jboss:domain:keycloak:1.0"> <auth-server name="main-auth-server"> <enabled>false</enabled> <web-context>auth</web-context> </auth-server> </subsystem> When I start the server after upgrading from 1.2.0.Final, and comparing the standalone-apiman.xml config file with the old one, I get: 20:46:49,393 ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: WFLYCTL0085: Failed to parse configuration at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:131) [wildfly-controller-1.0.2.Final.jar:1.0.2.Final] ... Caused by: javax.xml.stream.XMLStreamException: Unknown keycloak-server subsystem tag: auth-server Any idea what this configuration should look like now?

10 years

2
4
0 / 0

Announcement: apiman 1.2.x released!

by Eric Wittmann

Greetings, earthlings! At long last we are happy to announce the release of apiman version 1.2.1.Final. You can read more about this most excellent release here: http://www.apiman.io/blog/apiman/2016/01/22/release-1.2.html Thank you very much to everyone in the community for your interest and support. Hopefully 1.2 provides a bunch of functionality that folks have been asking for. Now that the first version of 1.2.x is out the door, expect us to be going back to our more frequent release schedule! -Eric

10 years

1
0
0 / 0

OAuth with non public API

by michele danieli

When considering non public API and applying a OAuth authentication policy, the application identifier must be provided using the api_key as a header? If so, does not it means that the user authorized client and the actual api consumer application have no strict relationship? Thanks Michele

10 years

2
5
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

Apiman-user January 2016