Hi, no problem at all...
It is only for a local test environment.
The Apiman and the Keycloak instances are separate but on the same
host "apigateway".
Apiman runs on port 8080, Keycloak on 32000.
Hope this helps.
Enrico
On Fri, Jan 29, 2016 at 2:16 PM, Eric Wittmann <eric.wittmann(a)redhat.com> wrote:
> Any chance you can share your full realm file? Perhaps with any secrets
> redacted. :)
>
> -Eric
>
>
> On 1/29/2016 4:11 AM, enrico wrote:
>>
>> Hi Guy,
>> thank you very much, it works!
>>
>> For anyone with the same problem, this is my realm.json client definition:
>>
>>   "applications" : [
>>     {
>>       "name" : "apiman",
>>       "enabled" : true,
>>       "directGrantsOnly" : true,
>>       "standardFlowEnabled": true,
>>       "baseUrl" : "http://apigateway:8080/",
>>       "redirectUris" : [
>>         "http://apigateway:8080/apimanui/*",
>>         "http://apigateway:8080/apiman-gateway-api/*",
>>         "http://apigateway:8080/apiman-es/*",
>>         "http://apigateway:8080/apiman/*"
>>       ],
>>       "secret" : "password"
>>     }
>>   ]
>>
>> Thanks a lot again.
>>
>> Cheers,
>> Enrico
>>
>> On Thu, Jan 28, 2016 at 10:02 PM, Guy Davis <guydavis.ca(a)gmail.com> wrote:
>>>
>>> Hi Enrico,
>>>
>>> I just made the move to Apiman 1.2.1 (running on port 8081) and Keycloak
>>> 1.7.0 (running on port 8080), both behind an HAProxy instance. I've
>>> attached the section of my standalone-apiman.xml that worked for me.
>>>
>>> Note, I'm not using the default 'apiman' realm as I am securing a number of
>>> other web apps with Keycloak. So I have 'MyRealm' with Keycloak client of
>>> 'apiman', which is set for:
>>>
>>> Client-protocol: openid-connect
>>> Access Type: confidential
>>> Direct Access Grants Enabled: ON
>>> Valid redirect URIs:
>>>
>>> /apimanui/*
>>> /apiman-gateway-api/*
>>> /apiman-es/*
>>> /apiman/*
>>>
>>> In that KC client, I have 3 realm roles for this:
>>>
>>> apipublisher
>>> apiadmin
>>> apiuser
>>>
>>> I had tried to keep these roles to just the KC client 'apiman', but it
>>> wouldn't allow me to login to /apimanui unless the roles were realm-wide.
>>> I'm going to try client-specific roles again now that apiman is 1.2.1. I'm
>>> using Postgres and ElasticSearch for storage, on other VMs.
>>>
>>> This was enough to let me login and view /apimanui when I had those roles
>>> for my Keycloak user.
>>>
>>> Hope this helps,
>>> Guy
>>>
>>> On Thu, Jan 28, 2016 at 1:08 AM, enrico <lists(a)comiti.name> wrote:
>>>>
>>>>
>>>> Hi all,
>>>> thanks for the responses.
>>>>
>>>> @Mark: yes, I know that it is a release candidate, but it looks like the
>>>> final version is near and, being on a new project, I wanted to start with
>>>> the very latest versions :)
>>>>
>>>> Apart from this, I have tried with 1.7.0.Final too, but I have the
>>>> same problem:
>>>>
>>>> User gets a "Forbidden" page and Keycloak server logs say:
>>>>
>>>> WARN [org.keycloak.events]:
>>>> type=CODE_TO_TOKEN_ERROR,
>>>> realmId=352d562a-f3e5-4b7a-99ad-4331cdfdf085, clientId=apimanui,
>>>> userId=null, ipAddress=127.0.0.1, error=invalid_client_credentials,
>>>> grant_type=authorization_code
>>>>
>>>> Thanks a lot for the help, best regards,
>>>> Enrico
>>>>
>>>>
>>>> On Wed, Jan 27, 2016 at 5:49 PM, Marc Savy <marc.savy(a)redhat.com> wrote:
>>>>>
>>>>> Hi Enrico,
>>>>>
>>>>> We haven't tested with Keycloak 1.8, as this is only a candidate
>>>>> release
>>>>> at the moment (CR == RC).
>>>>>
>>>>> I can give it a try, though and will report back.
>>>>>
>>>>> Regards,
>>>>> Marc
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Enrico Comiti
>>>> _______________________________________________
>>>> Apiman-user mailing list
>>>> Apiman-user(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/apiman-user
>>>
>>>
>>>
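
Eric's request in the thread is for the realm file with secrets redacted. The Python below is an added example, not code from the thread or from the Apiman or Keycloak projects: it redacts secret-bearing fields from a realm export before it is shared and lists client settings to revisit once the setup leaves a local test host. The key names in `SENSITIVE_KEYS`, the weak-secret list and the sample realm (built from the client definition quoted above, with a placeholder `privateKey`) are assumptions.

```python
import json

# Assumption: key names treated as secret-bearing; extend for your own export.
SENSITIVE_KEYS = {"secret", "password", "privateKey", "codeSecret",
                  "hashedSaltedValue", "salt"}
WEAK_SECRETS = {"password", "secret", "changeme", "admin"}  # constructed list
MASK = "**REDACTED**"


def redact(node):
    """Return a copy of the realm with every sensitive string value masked."""
    if isinstance(node, dict):
        return {k: MASK if k in SENSITIVE_KEYS and isinstance(v, str)
                else redact(v) for k, v in node.items()}
    if isinstance(node, list):
        return [redact(v) for v in node]
    return node


def review_clients(realm):
    """List (client, finding) pairs; run this on the unredacted realm."""
    findings = []
    # Assumption: clients sit under "applications" (as in the thread) or "clients".
    for client in realm.get("applications", []) + realm.get("clients", []):
        name = client.get("name") or client.get("clientId", "?")
        if str(client.get("secret", "")).lower() in WEAK_SECRETS:
            findings.append((name, "guessable client secret"))
        for uri in client.get("redirectUris", []):
            if uri.startswith("http://"):
                findings.append((name, "plaintext redirect URI: " + uri))
    return findings


# Constructed sample: the client definition quoted in the thread plus a placeholder key.
SAMPLE_REALM = {
    "realm": "apiman",
    "privateKey": "PLACEHOLDER-NOT-A-REAL-KEY",
    "applications": [{
        "name": "apiman", "enabled": True, "directGrantsOnly": True,
        "standardFlowEnabled": True, "baseUrl": "http://apigateway:8080/",
        "redirectUris": ["http://apigateway:8080/apimanui/*",
                         "http://apigateway:8080/apiman-gateway-api/*",
                         "http://apigateway:8080/apiman-es/*",
                         "http://apigateway:8080/apiman/*"],
        "secret": "password"}],
}

if __name__ == "__main__":
    for client, finding in review_clients(SAMPLE_REALM):
        print(client + ": " + finding)
    print(json.dumps(redact(SAMPLE_REALM), indent=2))
```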