Hi Guy,
Would you mind filing a JIRA (https://issues.jboss.org/browse/APIMAN) with
your issues as described here (feel free to refer to your email in the
archives http://lists.jboss.org/pipermail/apiman-user/)?
This sounds like an issue we should pay attention to and ensure is resolved
satisfactorily when we move to a newer version of Keycloak.
Regards,
Marc
----- Original Message -----
From: Guy Davis <guydavis.ca(a)gmail.com>
To: Marc Savy <msavy(a)redhat.com>
Cc: apiman-user(a)lists.jboss.org
Sent: Sat, 02 Jan 2016 10:32:13 -0500 (EST)
Subject: Re: [Apiman-user] Integration with separate Keycloak server?
Hi Marc,
Yes! Thanks for the workaround. After your report, I went back and
imported the default 'apiman'
<https://raw.githubusercontent.com/apiman/apiman/master/distro/data/src/ma...>
realm into my Keycloak 1.7 server. In this case, I was able to log in to
/apimanui with no 403 error. Since my production deployment will involve
multiple apps, I had set up APIMan to be secured in our single realm, all
under a single KC Client named 'apiman' with client roles of 'apiuser,
apipublisher, and apiadmin'. After much trial and error I discovered the
difference in my multi-app setup and the APIMan example realm was the level
of the roles. In particular, if the apiman roles are declared on the
apiman client itself, then role mapping them to users won't allow login.
However, if the apiman roles are realm-wide roles, then a role mapping
seems to work and users can log in.
It's unfortunate that a single application like APIMan should require its
own realm-wide roles for security, not KC-client level roles. None of the
other apps that I have secured with Keycloak seem to require more than
KC-client level roles. So I consider this a defect in Keycloak, likely due
to the use of the old Keycloak adapter in the APIMan 1.1.9 bundle. I look
forward to an upcoming release of APIMan with updated Keycloak integration.
Best regards,
Guy
On Thu, Dec 31, 2015 at 4:19 AM, Marc Savy <msavy(a)redhat.com> wrote:
Hi,
I actually tried this about a week or fortnight ago (see the thread with
pblair), and I got it working pretty easily.
The only thing I had to change was in the Keycloak console, where I
enabled 'Direct API Grants' on the apiman gateway api clients (or similar
wording, I'm on mobile), and everything worked fine despite adaptor version
mismatches.
Regards,
Marc
----- Original Message -----
From: Guy Davis <guydavis.ca(a)gmail.com>
To: Eric Wittmann <eric.wittmann(a)redhat.com>
Cc: apiman-user(a)lists.jboss.org
Sent: Thu, 31 Dec 2015 01:00:23 -0500 (EST)
Subject: Re: [Apiman-user] Integration with separate Keycloak server?
Hi Eric,
Thanks for the quick response. I tried this using a separate Keycloak
1.7.0 server and am encountering errors that, after debugging through the
Keycloak OAuth flow, seem linked to the use of the earlier version of the
Keycloak adapter which is bundled with APIMan 1.1.9. Do you have a
planned release date for a Keycloak 1.7.0 compatible version of APIMan?
Continued successful integration between these two projects is a big
benefit.
If I try to use APIMan 1.1.9 with the Keycloak 1.7.0 adapter for Wildfly, I
encounter a problem in
io.apiman.manager.ui.server.wildfly8.KeyCloakBearerTokenGenerator where the
use of:
org.keycloak.util.Time.getTime()
errors out at runtime with ClassNotFoundException as this class was dropped
from the Keycloak 1.7.0 API.
Thanks again.
Guy
On Thu, Dec 17, 2015 at 3:35 PM, Eric Wittmann <eric.wittmann(a)redhat.com> wrote:
> This is absolutely possible. Have a look through the production guide and
> see if it helps:
>
> http://www.apiman.io/latest/production-guide.html
>
> If you continue to have issues let us know so that we can update the
> guide. We already have at least one update to make:
>
> https://issues.jboss.org/browse/APIMAN-842
>
> -Eric
>
> On 12/17/2015 3:48 PM, Guy Davis wrote:
>
>> Good day,
>>
>> I currently have a test instance of Wildfly 9 running both Keycloak 1.5
>> and Apiman 1.1.8. I'm using Keycloak 1.5 as Apiman makes a Keycloak
>> getTime() call somewhere that was removed in Keycloak 1.6's adapters.
>>
>> So I'm seeing that trying to put Keycloak and Apiman in the same Wildfly
>> container is probably not a good plan going forward due to
>> incompatibilities as each project progresses.
>>
>> Today, I noticed that Hawkular announced
>> <http://www.hawkular.org/blog/2015/12/16/hawkular-1.0.0.Alpha8-released.html>
>> that they now allow startup of their container with a property pointing
>> to a remote Keycloak server.
>>
>> Is this possible with Apiman today? If not, is it on the roadmap? I'd
>> like to upgrade to Keycloak 1.7
>> <http://blog.keycloak.org/2015/12/keycloak-170final-released.html>
>> following this approach with Keycloak, Apiman, and Hawkular all in their
>> own containers.
>>
>> By the way, I'm really stoked to see the excellent integration and
>> progress being made by all these projects! Keep up the good work.
>>
>> Thanks,
>> Guy
>>
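
Added example (not code from apiman, Keycloak, or any poster in this thread): a Keycloak access token carries realm roles under `realm_access.roles` and client roles under `resource_access.<client>.roles`, so a role check that reads only the realm-level claim rejects a user whose apiman roles are defined on the client, which matches the behaviour described in the thread. The tokens are constructed and unsigned, the function names are hypothetical, and the `use_resource_role_mappings` argument models the Keycloak adapter option `use-resource-role-mappings`; the thread does not say how apiman 1.1.9 sets it.

```python
import base64
import json

APIMAN_ROLES = {"apiuser", "apipublisher", "apiadmin"}  # role names from the thread

def _b64url(data: dict) -> str:
    raw = json.dumps(data).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped string for offline inspection."""
    return ".".join([_b64url({"alg": "none"}), _b64url(claims), ""])

def decode_claims(token: str) -> dict:
    """Decode the payload only; a real adapter verifies the signature first."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def effective_roles(claims: dict, client_id: str, use_resource_role_mappings: bool) -> set:
    """Roles the check sees: client-level if the flag is set, else realm-level."""
    if use_resource_role_mappings:
        client = claims.get("resource_access", {}).get(client_id, {})
        return set(client.get("roles", []))
    return set(claims.get("realm_access", {}).get("roles", []))

def can_log_in(token: str, client_id: str, use_resource_role_mappings: bool) -> bool:
    claims = decode_claims(token)
    roles = effective_roles(claims, client_id, use_resource_role_mappings)
    return bool(roles & APIMAN_ROLES)

# Constructed sample: roles declared on the 'apiman' client (multi-app realm).
CLIENT_ROLE_TOKEN = make_unsigned_token({
    "preferred_username": "alice",
    "realm_access": {"roles": []},
    "resource_access": {"apiman": {"roles": ["apiuser"]}},
})
# Constructed sample: roles declared realm-wide (as in the example realm).
REALM_ROLE_TOKEN = make_unsigned_token({
    "preferred_username": "alice",
    "realm_access": {"roles": ["apiuser"]},
    "resource_access": {},
})

if __name__ == "__main__":
    for name, tok in (("client-role", CLIENT_ROLE_TOKEN), ("realm-role", REALM_ROLE_TOKEN)):
        for flag in (False, True):
            print(f"{name:12} resource-mappings={flag!s:5} -> {can_log_in(tok, 'apiman', flag)}")
```

Decoding a real token this way and comparing the two claims is a quick check for which level a user's roles were actually mapped at when a login is refused with a 403.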