My goal is to minimize the amount of Apiman configuration that I need to do by sharing a single, common authentication Plan using the Keycloak plugin across all APIs, while using an API-specific authorization policy for each individual API.

As such, I am trying to configure a single, global plan within Apiman that can be used for enforcing an authentication policy using the Keycloak plugin, which forwards all of my realm roles. This single plan would be assigned to all of my APIs in the Org, which would allow me to only have to configure the Keycloak realm information in one place. Then for each individual API, I was hoping to add a single Authorization policy plugin configured with endpoints and paths specific to each API.

Something like:

Api1 ---> Keycloak Plan Abc
  +----> Authorization Policy (123)

Api2 ---> Keycloak Plan Abc
  +----> Authorization Policy (456)

When I do this and call one of the API endpoints, I am getting the following error:

curl -k -H "Authorization: Bearer $T" https://localhost:9443/apiman-gateway/chassi/chassi-tenant-bff/1.0/mytenants

{"type":"Other","failureCode":10010,"responseCode":0,"message":"No roles have been extracted during authentication.  Make sure the authorization policy comes *after* a compatible authentication policy in your configuration.","headers":[]}

It would seem that the Keycloak plugin that is configured in the Plan assigned to the API is not forwarding the realm roles to the Authentication policy which is also assigned to the same API.

Is this by design? Do the authentication and authorization policies have to be within the same entity (i.e. Plan, API, etc.) and not passed out of a plan to be used by downstream policies? If so, is there another way to configure plans and policies that will allow me to accomplish my goal?

Thanks in advance!
Stephen
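To illustrate the dependency the error message above describes (an authorization policy needs roles that an earlier authentication policy extracted, and should fail closed when none were), here is a simplified, constructed model of a gateway policy chain. It is added example code, not Apiman's implementation; the policy and context names, the rule format and the sample token claims are all assumptions.

```python
# Constructed model of a gateway policy chain (not Apiman code).
# Each policy takes a request context and returns None to continue
# or a failure dict to stop the chain.
from dataclasses import dataclass, field

@dataclass
class RequestContext:
    path: str
    claims: dict                       # decoded bearer-token claims (constructed; signature already verified upstream)
    roles: set = field(default_factory=set)
    roles_extracted: bool = False      # set only by an authentication policy

def keycloak_auth_policy(ctx: RequestContext):
    """Authentication policy: forwards the token's realm roles into the context."""
    ctx.roles = set(ctx.claims.get("realm_access", {}).get("roles", []))
    ctx.roles_extracted = True
    return None

def authorization_policy(rules):
    """Authorization policy factory. rules: list of (path_prefix, required_role).
    Fails closed with failureCode 10010 (the code from the error above) if no
    authentication policy ran earlier in the chain."""
    def policy(ctx: RequestContext):
        if not ctx.roles_extracted:
            return {"failureCode": 10010,
                    "message": "No roles have been extracted during authentication."}
        for prefix, role in rules:
            if ctx.path.startswith(prefix) and role not in ctx.roles:
                return {"failureCode": None, "message": f"missing role {role!r} for {prefix}"}
        return None
    return policy

def run_chain(chain, ctx: RequestContext):
    """Run policies in order; first failure wins. Returns a failure dict or an 'allowed' dict."""
    for policy in chain:
        failure = policy(ctx)
        if failure is not None:
            return failure
    return {"status": "allowed", "roles": sorted(ctx.roles)}

def demo(order: str, roles):
    """order='authz-first' reproduces the 10010 failure; 'authn-first' evaluates the rule."""
    ctx = RequestContext(path="/mytenants", claims={"realm_access": {"roles": roles}})
    authz = authorization_policy([("/mytenants", "tenant-admin")])
    chain = [authz, keycloak_auth_policy] if order == "authz-first" else [keycloak_auth_policy, authz]
    return run_chain(chain, ctx)
```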