4 p.m.
I'm getting a strange error in my production deployment which I'm having
difficulty troubleshooting.
After deploying the apiman UI and gateway on separate hosts, according to the production
guide I have to point the API Manager to the API gateway. If I hit the "New
Gateway" button, I need to add the URI of the gateway. I'm assuming this should
be
[PROTOCOL]://[GATEWAY_HOST]:[GATEWAY_PORT]/apiman-gateway-api/ -- which should also be set
as the redirect URI for the gateway in the Apiman realm in Keycloak (followed by a star).
This is different from my public endpoint, which is
[PROTOCOL]://[GATEWAY_HOST]:[GATEWAY_PORT]/apiman-gateway
When I use the apimanager user (set up in the default realm file) to test the gateway in
the "New Gateway" screen I'm getting this error:
Gateway Configuration Invalid
Something has gone wrong when testing the Gateway. Hopefully the details (below) will help
you figure out what.
org.codehaus.jackson.JsonParseException: Unexpected character ('<' (code 60)):
expected a valid value (number, String, array, object, 'true', 'false' or
'null')
at [Source: org.apache.http.conn.EofSensorInputStream@450a7e3f; line: 1, column: 2]
If I look at what's happening in the API manager log, it looks like the error is
coming from getting HTML back from Keycloak where it's expecting JSON. Is there some
configuration I'm missing? Here are the relevant API manager server logs:
21:38:49,715 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-1) Bearer
AUTHENTICATED
21:38:49,717 DEBUG [org.keycloak.adapters.AuthenticatedActionsHandler] (default task-1)
AuthenticatedActionsValve.invoke https://[APIMANUI]/apiman/gateways
...
21:38:50,796 DEBUG [org.apache.http.impl.execchain.MainClientExec] (default task-1)
Opening connection {s}->https://[GATEWAY]
...
21:38:50,864 DEBUG [org.apache.http.impl.execchain.MainClientExec] (default task-1)
Executing request GET /apiman-gateway-api/system/status HTTP/1.1
21:38:50,864 DEBUG [org.apache.http.impl.execchain.MainClientExec] (default task-1) Proxy
auth state: UNCHALLENGED
21:38:50,866 DEBUG [org.apache.http.headers] (default task-1) http-outgoing-0 >> GET
/apiman-gateway-api/system/status HTTP/1.1
21:38:50,866 DEBUG [org.apache.http.headers] (default task-1) http-outgoing-0 >>
Authorization: Basic YXBpbWFuYWdlcjphcGltYW4xMjMh
21:38:50,866 DEBUG [org.apache.http.headers] (default task-1) http-outgoing-0 >>
Host: [GATEWAY]
...
21:38:50,881 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-0 <<
"HTTP/1.1 302 Found[\r][\n]"
21:38:50,881 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-0 <<
"Expires: 0[\r][\n]"
21:38:50,881 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-0 <<
"Set-Cookie: OAuth_Token_Request_State=19/8069a233-7d97-4f9d-8696-673f72815124;
secure[\r][\n]"
21:38:50,882 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-0 <<
"Location:
https://[KEYCLOAK]/auth/realms/apiman/protocol/openid-connect/auth?respon...
...
21:38:50,894 DEBUG [org.apache.http.client.protocol.ResponseProcessCookies] (default
task-1) Cookie accepted
[OAuth_Token_Request_State="19/8069a233-7d97-4f9d-8696-673f72815124", version:0,
domain:ec2-52-34-81-26.us-west-2.compute.amazonaws.com, path:/apiman-gateway-api/system,
expiry:null]
21:38:50,894 DEBUG [org.apache.http.impl.client.DefaultRedirectStrategy] (default task-1)
Redirect requested to location
'https://[KEYCLOAK]/auth/realms/apiman/protocol/openid-connect/auth?response_type=code&client_id=apiman-gateway-api&redirect_uri=https%3A%2F%2F[GATEWAY]%2Fapiman-gateway-api%2Fsystem%2Fstatus&state=19%2F8069a233-7d97-4f9d-8696-673f72815124&login=true'
21:38:50,900 DEBUG [org.apache.http.impl.execchain.RedirectExec] (default task-1)
Resetting target auth state
21:38:50,900 DEBUG [org.apache.http.impl.execchain.RedirectExec] (default task-1)
Redirecting to
'https://[KEYCLOAK]/auth/realms/apiman/protocol/openid-connect/auth?response_type=code&client_id=apiman-gateway-api&redirect_uri=https%3A%2F%2F[GATEWAY]%2Fapiman-gateway-api%2Fsystem%2Fstatus&state=19%2F8069a233-7d97-4f9d-8696-673f72815124&login=true'
via {s}->https://[KEYCLOAK]
...
21:38:50,902 DEBUG [org.apache.http.impl.conn.PoolingHttpClientConnectionManager] (default
task-1) Connection request: [route: {s}->https://[KEYCLOAK]][total kept alive: 1; route
allocated: 0 of 2; total allocated: 1 of 20]
...
21:38:50,935 DEBUG [org.apache.http.impl.conn.DefaultHttpClientConnectionOperator]
(default task-1) Connection established 172.17.1.52:46173<->172.31.41.242:8443
21:38:50,936 DEBUG [org.apache.http.impl.execchain.MainClientExec] (default task-1)
Executing request GET
/auth/realms/apiman/protocol/openid-connect/auth?response_type=code&client_id=apiman-gateway-api&redirect_uri=https%3A%2F%2F[GATEWAY]%2Fapiman-gateway-api%2Fsystem%2Fstatus&state=19%2F8069a233-7d97-4f9d-8696-673f72815124&login=true
HTTP/1.1
21:38:50,936 DEBUG [org.apache.http.impl.execchain.MainClientExec] (default task-1) Proxy
auth state: UNCHALLENGED
21:38:50,936 DEBUG [org.apache.http.headers] (default task-1) http-outgoing-1 >> GET
/auth/realms/apiman/protocol/openid-connect/auth?response_type=code&client_id=apiman-gateway-api&redirect_uri=https%3A%2F%2F[GATEWAY]%2Fapiman-gateway-api%2Fsystem%2Fstatus&state=19%2F8069a233-7d97-4f9d-8696-673f72815124&login=true
HTTP/1.1
21:38:50,936 DEBUG [org.apache.http.headers] (default task-1) http-outgoing-1 >>
Authorization: Basic YXBpbWFuYWdlcjphcGltYW4xMjMh
21:38:50,936 DEBUG [org.apache.http.headers] (default task-1) http-outgoing-1 >>
Host: [KEYCLOAK]
21:38:50,936 DEBUG [org.apache.http.headers] (default task-1) http-outgoing-1 >>
User-Agent: Apache-HttpClient/4.5 (Java/1.8.0_25)
21:38:50,936 DEBUG [org.apache.http.headers] (default task-1) http-outgoing-1 >>
Accept-Encoding: gzip,deflate
...
21:38:50,960 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-1 <<
"HTTP/1.1 200 OK[\r][\n]"
21:38:50,960 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-1 <<
"X-Powered-By: Undertow/1[\r][\n]"
21:38:50,960 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-1 <<
"Set-Cookie: KC_RESTART=[COOKIE]; Version=1; Path=/auth/realms/apiman;
HttpOnly[\r][\n]"
21:38:50,960 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-1 <<
"Server: WildFly/9[\r][\n]"
21:38:50,960 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-1 <<
"X-Frame-Options: SAMEORIGIN[\r][\n]"
21:38:50,960 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-1 <<
"Content-Security-Policy: frame-src 'self'[\r][\n]"
21:38:50,960 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-1 <<
"Date: Mon, 14 Dec 2015 21:38:50 GMT[\r][\n]"
21:38:50,960 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-1 <<
"Connection: keep-alive[\r][\n]"
21:38:50,960 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-1 <<
"Content-Type: text/html[\r][\n]"
21:38:50,960 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-1 <<
"Content-Length: 4171[\r][\n]"
21:38:50,960 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-1 <<
"[\r][\n]"
21:38:50,961 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-1 <<
"<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">[\n]"
21:38:50,961 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-1 <<
"<html xmlns="http://www.w3.org/1999/xhtml"
class="login-pf">[\n]"
21:38:50,961 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-1 <<
"[\n]"
21:38:50,961 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-1 <<
"<head>[\n]"
21:38:50,961 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-1 << "
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8" />[\n]"
21:38:50,961 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-1 << "
<meta name="viewport"
content="width=device-width,initial-scale=1"/>[\n]"
21:38:50,961 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-1 << "
<title> Log in to apiman[\n]"
21:38:50,961 DEBUG [org.apache.http.wire] (default task-1) http-outgoing-1 <<
"</title>[\n]"
... more html...
9:59 a.m.
Can you try a couple of things that might help debug this, please:
- Log into the KC console, go to the apiman-gateway-api client (or whatever you called
it), and flip on `direct grants only`.
- Save and try again
Please let me know the result!
On 14/12/2015 22:00, Paul Blair wrote:
I'm getting a strange error in my production deployment which
I'm having
difficulty troubleshooting.
After deploying the apiman UI and gateway on separate hosts, according
to the production guide I have to point the API Manager to the API
gateway. If I hit the "New Gateway" button, I need to add the URI of the
gateway. I'm assuming this should be
[PROTOCOL]://[GATEWAY_HOST]:[GATEWAY_PORT]/apiman-gateway-api/ -- which
should also be set as the redirect URI for the gateway in the Apiman
realm in Keycloak (followed by a star). This is different from my public
endpoint, which is [PROTOCOL]://[GATEWAY_HOST]:[GATEWAY_PORT]/apiman-gateway
When I use the apimanager user (set up in the default realm file) to
test the gateway in the "New Gateway" screen I'm getting this error:
*Gateway Configuration Invalid*
Something has gone wrong when testing the Gateway. Hopefully the details
(below) will help you figure out what.
org.codehaus.jackson.JsonParseException: Unexpected character ('<' (code 60)):
expected a valid value (number, String, array, object, 'true', 'false' or
'null')
at [Source: org.apache.http.conn.EofSensorInputStream@450a7e3f; line: 1, column: 2]
If I look at what's happening in the API manager log, it looks like the
error is coming from getting HTML back from Keycloak where it's
expecting JSON. Is there some configuration I'm missing? Here are the
relevant API manager server logs:
21:38:49,715 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default
task-1) Bearer AUTHENTICATED
21:38:49,717 DEBUG [org.keycloak.adapters.AuthenticatedActionsHandler]
(default task-1) AuthenticatedActionsValve.invoke
https://[APIMANUI]/apiman/gateways
...
21:38:50,796 DEBUG [org.apache.http.impl.execchain.MainClientExec]
(default task-1) Opening connection {s}->https://[GATEWAY]
...
21:38:50,864 DEBUG [org.apache.http.impl.execchain.MainClientExec]
(default task-1) Executing request GET /apiman-gateway-api/system/status
HTTP/1.1
21:38:50,864 DEBUG [org.apache.http.impl.execchain.MainClientExec]
(default task-1) Proxy auth state: UNCHALLENGED
21:38:50,866 DEBUG [org.apache.http.headers] (default task-1)
http-outgoing-0 >> GET /apiman-gateway-api/system/status HTTP/1.1
21:38:50,866 DEBUG [org.apache.http.headers] (default task-1)
http-outgoing-0 >> Authorization: Basic YXBpbWFuYWdlcjphcGltYW4xMjMh
21:38:50,866 DEBUG [org.apache.http.headers] (default task-1)
http-outgoing-0 >> Host: [GATEWAY]
...
21:38:50,881 DEBUG [org.apache.http.wire] (default task-1)
http-outgoing-0 << "HTTP/1.1 302 Found[\r][\n]"
21:38:50,881 DEBUG [org.apache.http.wire] (default task-1)
http-outgoing-0 << "Expires: 0[\r][\n]"
21:38:50,881 DEBUG [org.apache.http.wire] (default task-1)
http-outgoing-0 << "Set-Cookie:
OAuth_Token_Request_State=19/8069a233-7d97-4f9d-8696-673f72815124;
secure[\r][\n]"
21:38:50,882 DEBUG [org.apache.http.wire] (default task-1)
http-outgoing-0 << "Location:
https://[KEYCLOAK]/auth/realms/apiman/protocol/openid-connect/auth?respon...
...
21:38:50,894 DEBUG
[org.apache.http.client.protocol.ResponseProcessCookies] (default
task-1) Cookie accepted
[OAuth_Token_Request_State="19/8069a233-7d97-4f9d-8696-673f72815124",
version:0, domain:ec2-52-34-81-26.us-west-2.compute.amazonaws.com,
path:/apiman-gateway-api/system, expiry:null]
21:38:50,894 DEBUG [org.apache.http.impl.client.DefaultRedirectStrategy]
(default task-1) Redirect requested to location
'https://[KEYCLOAK]/auth/realms/apiman/protocol/openid-connect/auth?response_type=code&client_id=apiman-gateway-api&redirect_uri=https%3A%2F%2F[GATEWAY]%2Fapiman-gateway-api%2Fsystem%2Fstatus&state=19%2F8069a233-7d97-4f9d-8696-673f72815124&login=true'
21:38:50,900 DEBUG [org.apache.http.impl.execchain.RedirectExec]
(default task-1) Resetting target auth state
21:38:50,900 DEBUG [org.apache.http.impl.execchain.RedirectExec]
(default task-1) Redirecting to
'https://[KEYCLOAK]/auth/realms/apiman/protocol/openid-connect/auth?response_type=code&client_id=apiman-gateway-api&redirect_uri=https%3A%2F%2F[GATEWAY]%2Fapiman-gateway-api%2Fsystem%2Fstatus&state=19%2F8069a233-7d97-4f9d-8696-673f72815124&login=true'
via {s}->https://[KEYCLOAK]
...
21:38:50,902 DEBUG
[org.apache.http.impl.conn.PoolingHttpClientConnectionManager] (default
task-1) Connection request: [route: {s}->https://[KEYCLOAK]][total kept
alive: 1; route allocated: 0 of 2; total allocated: 1 of 20]
...
21:38:50,935 DEBUG
[org.apache.http.impl.conn.DefaultHttpClientConnectionOperator] (default
task-1) Connection established 172.17.1.52:46173<->172.31.41.242:8443
21:38:50,936 DEBUG [org.apache.http.impl.execchain.MainClientExec]
(default task-1) Executing request GET
/auth/realms/apiman/protocol/openid-connect/auth?response_type=code&client_id=apiman-gateway-api&redirect_uri=https%3A%2F%2F[GATEWAY]%2Fapiman-gateway-api%2Fsystem%2Fstatus&state=19%2F8069a233-7d97-4f9d-8696-673f72815124&login=true
HTTP/1.1
21:38:50,936 DEBUG [org.apache.http.impl.execchain.MainClientExec]
(default task-1) Proxy auth state: UNCHALLENGED
21:38:50,936 DEBUG [org.apache.http.headers] (default task-1)
http-outgoing-1 >> GET
/auth/realms/apiman/protocol/openid-connect/auth?response_type=code&client_id=apiman-gateway-api&redirect_uri=https%3A%2F%2F[GATEWAY]%2Fapiman-gateway-api%2Fsystem%2Fstatus&state=19%2F8069a233-7d97-4f9d-8696-673f72815124&login=true
HTTP/1.1
21:38:50,936 DEBUG [org.apache.http.headers] (default task-1)
http-outgoing-1 >> Authorization: Basic YXBpbWFuYWdlcjphcGltYW4xMjMh
21:38:50,936 DEBUG [org.apache.http.headers] (default task-1)
http-outgoing-1 >> Host: [KEYCLOAK]
21:38:50,936 DEBUG [org.apache.http.headers] (default task-1)
http-outgoing-1 >> User-Agent: Apache-HttpClient/4.5 (Java/1.8.0_25)
21:38:50,936 DEBUG [org.apache.http.headers] (default task-1)
http-outgoing-1 >> Accept-Encoding: gzip,deflate
...
21:38:50,960 DEBUG [org.apache.http.wire] (default task-1)
http-outgoing-1 << "HTTP/1.1 200 OK[\r][\n]"
21:38:50,960 DEBUG [org.apache.http.wire] (default task-1)
http-outgoing-1 << "X-Powered-By: Undertow/1[\r][\n]"
21:38:50,960 DEBUG [org.apache.http.wire] (default task-1)
http-outgoing-1 << "Set-Cookie: KC_RESTART=[COOKIE]; Version=1;
Path=/auth/realms/apiman; HttpOnly[\r][\n]"
21:38:50,960 DEBUG [org.apache.http.wire] (default task-1)
http-outgoing-1 << "Server: WildFly/9[\r][\n]"
21:38:50,960 DEBUG [org.apache.http.wire] (default task-1)
http-outgoing-1 << "X-Frame-Options: SAMEORIGIN[\r][\n]"
21:38:50,960 DEBUG [org.apache.http.wire] (default task-1)
http-outgoing-1 << "Content-Security-Policy: frame-src
'self'[\r][\n]"
21:38:50,960 DEBUG [org.apache.http.wire] (default task-1)
http-outgoing-1 << "Date: Mon, 14 Dec 2015 21:38:50 GMT[\r][\n]"
21:38:50,960 DEBUG [org.apache.http.wire] (default task-1)
http-outgoing-1 << "Connection: keep-alive[\r][\n]"
21:38:50,960 DEBUG [org.apache.http.wire] (default task-1)
http-outgoing-1 << "Content-Type: text/html[\r][\n]"
21:38:50,960 DEBUG [org.apache.http.wire] (default task-1)
http-outgoing-1 << "Content-Length: 4171[\r][\n]"
21:38:50,960 DEBUG [org.apache.http.wire] (default task-1)
http-outgoing-1 << "[\r][\n]"
21:38:50,961 DEBUG [org.apache.http.wire] (default task-1)
http-outgoing-1 << "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0
Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">[\n]"
21:38:50,961 DEBUG [org.apache.http.wire] (default task-1)
http-outgoing-1 << "<html xmlns="http://www.w3.org/1999/xhtml"
class="login-pf">[\n]"
21:38:50,961 DEBUG [org.apache.http.wire] (default task-1)
http-outgoing-1 << "[\n]"
21:38:50,961 DEBUG [org.apache.http.wire] (default task-1)
http-outgoing-1 << "<head>[\n]"
21:38:50,961 DEBUG [org.apache.http.wire] (default task-1)
http-outgoing-1 << " <meta http-equiv="Content-Type"
content="text/html; charset=UTF-8" />[\n]"
21:38:50,961 DEBUG [org.apache.http.wire] (default task-1)
http-outgoing-1 << " <meta name="viewport"
content="width=device-width,initial-scale=1"/>[\n]"
21:38:50,961 DEBUG [org.apache.http.wire] (default task-1)
http-outgoing-1 << " <title> Log in to apiman[\n]"
21:38:50,961 DEBUG [org.apache.http.wire] (default task-1)
http-outgoing-1 << "</title>[\n]"
… more html…
_______________________________________________
Apiman-user mailing list
Apiman-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/apiman-user
10:46 a.m.
I'm still seeing the same behavior.
Under "Clients > Settings" in Keycloak I turned on "Direct Access
Grants
Enabled" -- is that the setting you were referring to?
I then tried also turning off "Standard Flow Enabled" and get back the
error: "Client is not allowed to initiate browser login with given
response_type. Standard flow is disabled for the client."
I get the same errors using a REST client.
On 12/15/15, 10:59 AM, "Marc Savy" <marc.savy(a)redhat.com> wrote:
apimanager
10:53 a.m.
No, at least in the version of KC I'm using, it is clients ->
"apiman-gateway-api" -> settings -> "Direct Grants Only"
http://i.imgur.com/1pDlEiQ.png
On 15/12/2015 16:46, Paul Blair wrote:
I'm still seeing the same behavior.
Under "Clients > Settings" in Keycloak I turned on "Direct Access
Grants
Enabled" -- is that the setting you were referring to?
I then tried also turning off "Standard Flow Enabled" and get back the
error: "Client is not allowed to initiate browser login with given
response_type. Standard flow is disabled for the client."
I get the same errors using a REST client.
On 12/15/15, 10:59 AM, "Marc Savy" <marc.savy(a)redhat.com> wrote:
> apimanager
11:04 a.m.
Looks like they must have changed this screen significantly with the
Keycloak 1.7.0.Final release:
http://tinypic.com/r/vy9shx/9
I am not wedded to Keycloak 1.7 -- should I go back to 1.6.1.Final?
On 12/15/15, 11:53 AM, "Marc Savy" <marc.savy(a)redhat.com> wrote:
No, at least in the version of KC I'm using, it is clients ->
"apiman-gateway-api" -> settings -> "Direct Grants Only"
http://i.imgur.com/1pDlEiQ.png
On 15/12/2015 16:46, Paul Blair wrote:
> I'm still seeing the same behavior.
>
> Under "Clients > Settings" in Keycloak I turned on "Direct Access
Grants
> Enabled" -- is that the setting you were referring to?
>
> I then tried also turning off "Standard Flow Enabled" and get back the
> error: "Client is not allowed to initiate browser login with given
> response_type. Standard flow is disabled for the client."
>
> I get the same errors using a REST client.
>
>
> On 12/15/15, 10:59 AM, "Marc Savy" <marc.savy(a)redhat.com> wrote:
>
>> apimanager
>
11:29 a.m.
Aha. So, we haven't done any testing whatsoever with KC 1.7. So we're not really
familiar with it (yet).
I think in our quickstarts (etc) we're actually still using 1.2.x.
That being said, if you hit (for instance) the status endpoint using `curl` do you have
any luck?
curl -v --user apimanager:apiman123!
http://localhost:8080/apiman-gateway-api/system/status/
Substitute auth info if needed.
I'm not sure what our adapters will do, given the large changes that have happened in
the intervening period.
----- Original Message -----
From: "Paul Blair" <pblair(a)clearme.com>
To: "Marc Savy" <marc.savy(a)redhat.com>
Cc: apiman-user(a)lists.jboss.org
Sent: Tuesday, 15 December, 2015 5:04:24 PM
Subject: Re: [Apiman-user] Receiving HTML instead of JSON from Keycloak when trying to
point apimanui to the API gateway
Looks like they must have changed this screen significantly with the
Keycloak 1.7.0.Final release:
http://tinypic.com/r/vy9shx/9
I am not wedded to Keycloak 1.7 -- should I go back to 1.6.1.Final?
On 12/15/15, 11:53 AM, "Marc Savy" <marc.savy(a)redhat.com> wrote:
No, at least in the version of KC I'm using, it is clients ->
"apiman-gateway-api" -> settings -> "Direct Grants Only"
http://i.imgur.com/1pDlEiQ.png
On 15/12/2015 16:46, Paul Blair wrote:
> I'm still seeing the same behavior.
>
> Under "Clients > Settings" in Keycloak I turned on "Direct Access
Grants
> Enabled" -- is that the setting you were referring to?
>
> I then tried also turning off "Standard Flow Enabled" and get back the
> error: "Client is not allowed to initiate browser login with given
> response_type. Standard flow is disabled for the client."
>
> I get the same errors using a REST client.
>
>
> On 12/15/15, 10:59 AM, "Marc Savy" <marc.savy(a)redhat.com> wrote:
>
>> apimanager
>
_______________________________________________
Apiman-user mailing list
Apiman-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/apiman-user
11:42 a.m.
If I use the curl command you provided, I get a 302 with a redirect to
Keycloak at /auth/realms/apiman/protocol/openid-connect/auth ... I changed
the password for the apimanager user to make sure I was using the right
password.
If I hit that URI with a REST client, I get a "Login to apiman" HTML page
back -- presumably it followed the redirect.
I have a feeling Keycloak 1.7 may be expecting an additional parameter in
the redirect URI. I wasn't seeing this when using 1.6.1.Final last week.
On 12/15/15, 12:29 PM, "Marc Savy" <msavy(a)redhat.com> wrote:
/apiman-gateway-api/system/status/
<http://localhost:8080/apiman-gateway-api/system/status/>
1:05 p.m.
I've just finished attempting to reproduce your situation - but unfortunately (!) it
works fine for me! All I needed to do was turn on 'direct grants API' for
apiman-gateway-api.
Can you (suggest it to be off-list) send me your standalone.xml for apiman, please? Feel
free to anonymise as appropriate.
On 15/12/2015 17:42, Paul Blair wrote:
If I use the curl command you provided, I get a 302 with a redirect
to
Keycloak at /auth/realms/apiman/protocol/openid-connect/auth ... I changed
the password for the apimanager user to make sure I was using the right
password.
If I hit that URI with a REST client, I get a "Login to apiman" HTML page
back -- presumably it followed the redirect.
I have a feeling Keycloak 1.7 may be expecting an additional parameter in
the redirect URI. I wasn't seeing this when using 1.6.1.Final last week.
On 12/15/15, 12:29 PM, "Marc Savy" <msavy(a)redhat.com> wrote:
> /apiman-gateway-api/system/status/
> <http://localhost:8080/apiman-gateway-api/system/status/>
3:01 p.m.
For the benefit of the list -- thanks to Marc and Eric's help, this issue
was resolved.
Currently the standalone.xml has to have enable-basic-auth set to true;
i.e.,
<kc:enable-basic-auth>true</kc:enable-basic-auth>
-- no other auth mechanism is currently supported.
On 12/15/15, 2:05 PM, "Marc Savy" <marc.savy(a)redhat.com> wrote:
I've just finished attempting to reproduce your situation - but
unfortunately (!) it works fine for me! All I needed to do was turn on
'direct grants API' for apiman-gateway-api.
Can you (suggest it to be off-list) send me your standalone.xml for
apiman, please? Feel free to anonymise as appropriate.
On 15/12/2015 17:42, Paul Blair wrote:
> If I use the curl command you provided, I get a 302 with a redirect to
> Keycloak at /auth/realms/apiman/protocol/openid-connect/auth ... I
>changed
> the password for the apimanager user to make sure I was using the right
> password.
>
> If I hit that URI with a REST client, I get a "Login to apiman" HTML
>page
> back -- presumably it followed the redirect.
>
> I have a feeling Keycloak 1.7 may be expecting an additional parameter
>in
> the redirect URI. I wasn't seeing this when using 1.6.1.Final last week.
>
> On 12/15/15, 12:29 PM, "Marc Savy" <msavy(a)redhat.com> wrote:
>
> > /apiman-gateway-api/system/status/
> > <http://localhost:8080/apiman-gateway-api/system/status/>
>
3:54 p.m.
To clarify - this is specifically referring to communication between the manager and the
api gateway.
Glad to be of assistance!
On 15/12/2015 21:01, Paul Blair wrote:
For the benefit of the list -- thanks to Marc and Eric's help,
this issue
was resolved.
Currently the standalone.xml has to have enable-basic-auth set to true;
i.e.,
<kc:enable-basic-auth>true</kc:enable-basic-auth>
-- no other auth mechanism is currently supported.
On 12/15/15, 2:05 PM, "Marc Savy" <marc.savy(a)redhat.com> wrote:
> I've just finished attempting to reproduce your situation - but
> unfortunately (!) it works fine for me! All I needed to do was turn on
> 'direct grants API' for apiman-gateway-api.
>
> Can you (suggest it to be off-list) send me your standalone.xml for
> apiman, please? Feel free to anonymise as appropriate.
>
> On 15/12/2015 17:42, Paul Blair wrote:
>> If I use the curl command you provided, I get a 302 with a redirect to
>> Keycloak at /auth/realms/apiman/protocol/openid-connect/auth ... I
>> changed
>> the password for the apimanager user to make sure I was using the right
>> password.
>>
>> If I hit that URI with a REST client, I get a "Login to apiman" HTML
>> page
>> back -- presumably it followed the redirect.
>>
>> I have a feeling Keycloak 1.7 may be expecting an additional parameter
>> in
>> the redirect URI. I wasn't seeing this when using 1.6.1.Final last week.
>>
>> On 12/15/15, 12:29 PM, "Marc Savy" <msavy(a)redhat.com> wrote:
>>
>>> /apiman-gateway-api/system/status/
>>> <http://localhost:8080/apiman-gateway-api/system/status/>
>>
>
_______________________________________________
Apiman-user mailing list
Apiman-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/apiman-user
6:20 a.m.
Additionally, we do have a feature request for supporting auth
mechanisms other than BASIC for connecting the Manager to the Gateway API:
https://issues.jboss.org/browse/APIMAN-205
If anyone has specific auth schemes they'd like to see supported, feel
free to add that as a comment to the jira ticket.
Finally, it's worth noting that OAuth *is* supported by the Gateway API,
but not by the Manager (which connects *to* the Gateway API).
-Eric
On 12/15/2015 4:54 PM, Marc Savy wrote:
To clarify - this is specifically referring to communication between
the manager and the api gateway.
Glad to be of assistance!
On 15/12/2015 21:01, Paul Blair wrote:
> For the benefit of the list -- thanks to Marc and Eric's help, this issue
> was resolved.
>
> Currently the standalone.xml has to have enable-basic-auth set to true;
> i.e.,
>
> <kc:enable-basic-auth>true</kc:enable-basic-auth>
>
> -- no other auth mechanism is currently supported.
>
>
> On 12/15/15, 2:05 PM, "Marc Savy" <marc.savy(a)redhat.com> wrote:
>
>> I've just finished attempting to reproduce your situation - but
>> unfortunately (!) it works fine for me! All I needed to do was turn on
>> 'direct grants API' for apiman-gateway-api.
>>
>> Can you (suggest it to be off-list) send me your standalone.xml for
>> apiman, please? Feel free to anonymise as appropriate.
>>
>> On 15/12/2015 17:42, Paul Blair wrote:
>>> If I use the curl command you provided, I get a 302 with a redirect to
>>> Keycloak at /auth/realms/apiman/protocol/openid-connect/auth ... I
>>> changed
>>> the password for the apimanager user to make sure I was using the right
>>> password.
>>>
>>> If I hit that URI with a REST client, I get a "Login to apiman"
HTML
>>> page
>>> back -- presumably it followed the redirect.
>>>
>>> I have a feeling Keycloak 1.7 may be expecting an additional parameter
>>> in
>>> the redirect URI. I wasn't seeing this when using 1.6.1.Final last week.
>>>
>>> On 12/15/15, 12:29 PM, "Marc Savy" <msavy(a)redhat.com> wrote:
>>>
>>>> /apiman-gateway-api/system/status/
>>>> <http://localhost:8080/apiman-gateway-api/system/status/>
>>>
>>
>
>
> _______________________________________________
> Apiman-user mailing list
> Apiman-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/apiman-user
>
_______________________________________________
Apiman-user mailing list
Apiman-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/apiman-user
3760
days inactive
3762
days old
10 comments
4 participants
participants (4)
-
Eric Wittmann -
Marc Savy -
Marc Savy -
Paul Blair