Hi Guy,
thank you very much, it works!
For anyone with the same problem, this is my realm.json client definition:
    "applications" : [
        {
            "name" : "apiman",
            "enabled" : true,
            "directGrantsOnly" : true,
            "standardFlowEnabled": true,
            "baseUrl" : "http://apigateway:8080/",
            "redirectUris" : [
                "http://apigateway:8080/apimanui/*",
                "http://apigateway:8080/apiman-gateway-api/*",
                "http://apigateway:8080/apiman-es/*",
                "http://apigateway:8080/apiman/*"
            ],
            "secret" : "password"
        }
    ]
Thanks a lot again.
Cheers,
Enrico
On Thu, Jan 28, 2016 at 10:02 PM, Guy Davis <guydavis.ca(a)gmail.com> wrote:
Hi Enrico,

I just made the move to Apiman 1.2.1 (running on port 8081) and Keycloak
1.7.0 (running on port 8080), both behind an HAProxy instance. I've
attached the section of my standalone-apiman.xml that worked for me.

Note, I'm not using the default 'apiman' realm as I am securing a number of
other web apps with Keycloak. So I have 'MyRealm' with Keycloak client of
'apiman', which is set for:

    Client-protocol: openid-connect
    Access Type: confidential
    Direct Access Grants Enabled: ON
    Valid redirect URIs:
        /apimanui/*
        /apiman-gateway-api/*
        /apiman-es/*
        /apiman/*

In that KC client, I have 3 realm roles for this:

    apipublisher
    apiadmin
    apiuser

I had tried to keep these roles to just the KC client 'apiman', but it
wouldn't allow me to log in to /apimanui unless the roles were realm-wide.
I'm going to try client-specific roles again now that apiman is 1.2.1. I'm
using Postgres and ElasticSearch for storage, on other VMs.

This was enough to let me log in and view /apimanui when I had those roles
for my Keycloak user.

Hope this helps,
Guy

On Thu, Jan 28, 2016 at 1:08 AM, enrico <lists(a)comiti.name> wrote:
>
> Hi all,
> thanks for the responses.
>
> @Marc: yes, I know that is a release candidate but looks like the
> final version is near and, being on a new project, I wanted to start with
> the very last versions :)
>
> Apart from this, I have tried with 1.7.0.Final too, but I have the
> same problem:
>
> User gets a "Forbidden" page and Keycloak server logs say:
>
> WARN [org.keycloak.events]:
> type=CODE_TO_TOKEN_ERROR,
> realmId=352d562a-f3e5-4b7a-99ad-4331cdfdf085, clientId=apimanui,
> userId=null, ipAddress=127.0.0.1, error=invalid_client_credentials,
> grant_type=authorization_code
>
> Thanks a lot for the help, best regards,
> Enrico
>
>
> On Wed, Jan 27, 2016 at 5:49 PM, Marc Savy <marc.savy(a)redhat.com> wrote:
> > Hi Enrico,
> >
> > We haven't tested with Keycloak 1.8, as this is only a candidate release
> > at the moment (CR == RC).
> >
> > I can give it a try, though, and will report back.
> >
> > Regards,
> > Marc
> >
>
>
>
> --
> Enrico Comiti
> _______________________________________________
> Apiman-user mailing list
> Apiman-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/apiman-user
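
A check for the situation discussed in this thread, as an added example that is not part of the original messages or of the apiman or Keycloak projects: it parses a Keycloak event in the key=value layout of the quoted log and reports what a realm.json "applications" list holds for the client named in it. The function names, the sample realm and the sample event are constructed, and the trailing-wildcard redirect URI matching is an assumed, simplified rule.

```python
import json
import re

# Constructed sample realm; field names are the ones shown in the thread.
REALM_JSON = """{"applications": [
  {"name": "apimanui", "enabled": true,
   "redirectUris": ["http://apigateway:8080/apimanui/*"]}
]}"""

# Constructed event text in the key=value layout of the quoted log.
EVENT = ("type=CODE_TO_TOKEN_ERROR, clientId=apimanui, userId=null, "
         "error=invalid_client_credentials, grant_type=authorization_code")


def parse_event(text):
    return dict(re.findall(r"(\w+)=([^,\s]+)", text))  # 'k=v, k=v' -> dict


def uri_allowed(uri, patterns):
    """Assumed rule: exact match, or prefix match for a trailing '*'."""
    return any(uri.startswith(p[:-1]) if p.endswith("*") else uri == p
               for p in patterns)


def check_client(realm, client_id, redirect_uri=None):
    """List what the realm's applications entry for client_id is missing."""
    apps = {a.get("name"): a for a in realm.get("applications", [])}
    app = apps.get(client_id)
    if app is None:
        return [f"client '{client_id}' not defined; realm has {sorted(apps)}"]
    findings = []
    if not app.get("enabled", False):
        findings.append("client is disabled")
    if not app.get("secret"):
        findings.append("no secret set")
    if redirect_uri and not uri_allowed(redirect_uri, app.get("redirectUris", [])):
        findings.append(f"redirect URI not listed: {redirect_uri}")
    return findings


def diagnose(event_text, realm_text, redirect_uri=None):
    event = parse_event(event_text)
    if event.get("type") != "CODE_TO_TOKEN_ERROR" or "clientId" not in event:
        return []
    return check_client(json.loads(realm_text), event["clientId"], redirect_uri)


if __name__ == "__main__":
    print(diagnose(EVENT, REALM_JSON, "http://apigateway:8080/apimanui/index.html"))
```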