Hi Enrico, 

I just made the move to Apiman 1.2.1 (running on port 8081) and Keycloak 1.7.0 (running on port 8080), both behind an HAProxy instance.  I've attached the section of my standalone-apiman.xml that worked for me.  

Note, I'm not using the default 'apiman' realm as I am securing a number of other web apps with Keycloak.  So I have 'MyRealm' with Keycloak client of 'apiman', which is set for:
In that KC client, I have 3 realm roles for this:
I had tried to keep these roles to just the KC client 'apiman', but it wouldn't allow me to log in to /apimanui unless the roles were realm-wide.  I'm going to try client-specific roles again now that apiman is 1.2.1.  I'm using Postgres and ElasticSearch for storage, on other VMs.

This was enough to let me log in and view /apimanui when I had those roles for my Keycloak user.

Hope this helps,
Guy

On Thu, Jan 28, 2016 at 1:08 AM, enrico <lists@comiti.name> wrote:
Hi all,
thanks for the responses.

@Marc: yes, I know that is a release candidate but it looks like the
final version is near and, being on a new project, I wanted to start with
the very latest versions :)

Apart from this, I have tried with 1.7.0.Final too, but I have the
same problem:

User gets a "Forbidden" page and Keycloak server logs say:

WARN  [org.keycloak.events]:
type=CODE_TO_TOKEN_ERROR,
realmId=352d562a-f3e5-4b7a-99ad-4331cdfdf085, clientId=apimanui,
userId=null, ipAddress=127.0.0.1, error=invalid_client_credentials,
grant_type=authorization_code

Thanks a lot for the help, best regards,
Enrico


On Wed, Jan 27, 2016 at 5:49 PM, Marc Savy <marc.savy@redhat.com> wrote:
> Hi Enrico,
>
> We haven't tested with Keycloak 1.8, as this is only a candidate release
> at the moment (CR == RC).
>
> I can give it a try, though and will report back.
>
> Regards,
> Marc
>



--
Enrico Comiti
_______________________________________________
Apiman-user mailing list
Apiman-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/apiman-user