Hi Marc, 

Yes!  Thanks for the workaround.  After your report, I went back and imported the default 'apiman' realm into my Keycloak 1.7 server.  In this case, I was able to login to /apimanui with no 403 error. Since my production deployment will involve multiple apps, I had setup APIMan to be secured in our single realm, all under a single KC Client named 'apiman' with client roles of 'apiuser, apipublisher, and apiadmin'.  After much trial and error I discovered the difference in my multi-app setup and the APIMan example realm was the level of the roles.  In particular, if the apiman roles are declared on the apiman client itself, then role mapping them to users won't allow login.  However, if the apiman roles are realm-wide roles, then a role mapping seems to work and users can login.

It's unfortunate that a single application like APIMan should require it's own realm-wide roles for security, not KC-client level roles.  None of the other apps that I have secured with Keycloak seem to require more than KC-client level roles.  So I consider this a defect in Keycloak, likely due to the use of the old Keycloak adapter in the APIMan 1.1.9 bundle.  I look forward to an upcoming release of APIMan with updated Keycloak integration.

Best regards,
Guy

On Thu, Dec 31, 2015 at 4:19 AM, Marc Savy <msavy@redhat.com> wrote:
Hi,

I actually tried this about a week or fortnight ago (see the thread with pblair), and I got it working pretty easily.

The only thing I had to change was in the Keycloak console, where I enabled 'Direct API Grants' on the apiman gateway api clients (or similar wording, I'm on mobile), and everything worked fine despite adaptor version mismatches.

Regards,
Marc

----- Original Message -----
From: Guy Davis <guydavis.ca@gmail.com>
To: Eric Wittmann <eric.wittmann@redhat.com>
Cc: apiman-user@lists.jboss.org
Sent: Thu, 31 Dec 2015 01:00:23 -0500 (EST)
Subject: Re: [Apiman-user] Integration with separate Keycloak server?

Hi Eric,

Thanks for the quick response.  I tried this using a separate Keycloak
1.7.0 server and am encountering errors that, after debugging thru the
Keycloak OAuth flow, seem linked to the use of the earlier version of the
Keycloak adapter which is bundled with APIMan 1.1.9.  Do you have an
planned release date for a Keycloak 1.7.0 compatible version of APIMan?
Continued successful integration between these two projects is a big
benefit.

If try to use APIMan 1.1.9 with the Keycloak 1.7.0 adapter for Wildfly, I
encounter a problem in
io.apiman.manager.ui.server.wildfly8,KeyCloakBearerTokenGenerator where the
use of:

    org.keycloak.util.Time,getTime()

errors out at runtime with ClassNotFoundException as this class was dropped
from the Keycloak 1.7.0 API.

Thanks again.
Guy

On Thu, Dec 17, 2015 at 3:35 PM, Eric Wittmann <eric.wittmann@redhat.com>
wrote:

> This is absolutely possible.  Have a look through the production guide and
> see if it helps:
>
> http://www.apiman.io/latest/production-guide.html
>
> If you continue to have issues let us know so that we can update the
> guide.  We already have at least one update to make:
>
> https://issues.jboss.org/browse/APIMAN-842
>
> -Eric
>
> On 12/17/2015 3:48 PM, Guy Davis wrote:
>
>> Good day,
>>
>> I currently have a test instance of Wildfly 9 running both Keycloak 1.5
>> and Apiman 1.1.8.  I'm using Keycloak 1.5 as Apiman makes a Keycloak
>> getTime() call somewhere that was removed in Keycloak 1.6's adapters.
>>
>> So I'm seeing that trying to put Keycloak and Apiman in the same Wildfly
>> container is probably not a good plan going forward due to
>> incompatibilities as each project progresses.
>>
>> Today, I noticed that Hawkular announced
>> <
>> http://www.hawkular.org/blog/2015/12/16/hawkular-1.0.0.Alpha8-released.html
>> >
>> that they now allow startup of their container with a property pointing
>> to a remote Keycloak server.
>>
>> Is this possible with Apiman today?  If not, is it on the roadmap?  I'd
>> like to upgrade to Keycloak 1.7
>> <http://blog.keycloak.org/2015/12/keycloak-170final-released.html>
>> following
>> this approach with Keycloak, Apiman, and Hawkular all in their own
>> containers.
>>
>> By the way, I'm really stoked to see the excellent integration and
>> progress being made by all these projects!  Keep up the good work.
>>
>> Thanks,
>> Guy
>>
>>
>> _______________________________________________
>> Apiman-user mailing list
>> Apiman-user@lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/apiman-user
>>
>>