From: Marc Savy (marc.savy at redhat.com)
Date: Thu, 1 Dec 2016 16:06:47 +0000
Subject: [Apiman-user] Generic JWT plugin policy

Hi,

I just pushed a (very simple) generic JWT plugin policy to master.

To try it out right now you will need to build it. Just check out the
apiman/apiman-plugins repo and execute `mvn clean install`. The plugin
coordinates will be G: io.apiman.plugins A: apiman-plugins-jwt-policy V:
1.2.9-SNAPSHOT.

It isn't yet as feature-rich as the Keycloak plugin, but you can:

- Require JWT.
- Require claims (e.g. sub = foo).
- Require transport security (TLS, SSL).
- Require JWT be cryptographically signed (aka. JWS).
- Validate JWT against a provided public key.
- Remove auth tokens (prevent them reaching the backend).
- Set maximum clock skew.

I'll expand on this shortly to add something that will hopefully add some
commonly-used features from the Keycloak plugin:

- Allow extraction of roles for authorization
- Forward token fields as headers (e.g. X-Sub = sub)

Regards,
Marc


From: Marc Savy (marc.savy at redhat.com)
Date: Thu, 1 Dec 2016 16:33:34 +0000
Subject: [Apiman-user] Generic JWT plugin policy

I should clarify that the purpose of this plugin is to work with any JWT
provider (rather than being Keycloak-focussed).

Let me know how it works for you!

On 1 December 2016 at 16:06, Marc Savy wrote:
> Hi,
>
> I just pushed a (very simple) generic JWT plugin policy to master.
>
> To try it out right now you will need to build it. Just check out the
> apiman/apiman-plugins repo and execute `mvn clean install`. The plugin
> coordinates will be G: io.apiman.plugins A: apiman-plugins-jwt-policy V:
> 1.2.9-SNAPSHOT.
>
> It isn't yet as feature-rich as the Keycloak plugin, but you can:
>
> - Require JWT.
> - Require claims (e.g. sub = foo).
> - Require transport security (TLS, SSL).
> - Require JWT be cryptographically signed (aka. JWS).
> - Validate JWT against a provided public key.
> - Remove auth tokens (prevent them reaching the backend).
> - Set maximum clock skew.
>
> I'll expand on this shortly to add something that will hopefully add some
> commonly-used features from the Keycloak plugin:
>
> - Allow extraction of roles for authorization
> - Forward token fields as headers (e.g. X-Sub = sub)
>
> Regards,
> Marc


From: Celso Agra (celso.agra at gmail.com)
Date: Tue, 27 Dec 2016 15:38:39 -0300
Subject: [Apiman-user] No Access-Control-Allow-Origin header occurs when I call via Ajax

Hi all,

I'm new to apiman, and I'm trying to use some API calls with jQuery. But
unfortunately I got this error:

> XMLHttpRequest cannot load
> https://apigtw.url/apiman-gateway///1.0/?apikey=9999999-8888-6666-33333-968a712ce68b.
> No 'Access-Control-Allow-Origin' header is present on the requested
> resource. Origin 'http://myapp.local' is therefore not allowed access.
> The response had HTTP status code 500.

So, am I missing something in the apiman configuration?

Please, I need help.

Best regards,
-- 
Celso Agra


From: Celso Agra (celso.agra at gmail.com)
Date: Wed, 28 Dec 2016 11:10:21 -0300
Subject: [Apiman-user] How to configure CORS in APIMan? Problems with Headers in ajax

Hi all,

It's me again!

So, I was looking for some solutions to my issue, and I found this:
https://issues.jboss.org/browse/APIMAN-516

It seems this issue still occurs for me. I tried to send some headers via
ajax, and got this response:

> XMLHttpRequest cannot load https://apiman.url. Response to preflight
> request doesn't pass access control check: No 'Access-Control-Allow-Origin'
> header is present on the requested resource. Origin
> 'http://192.168.56.22:8080' is therefore not allowed access. The response
> had HTTP status code 500.

Here are the response headers:

> Connection:close
> Content-Type:application/json
> Date:Wed, 28 Dec 2016 13:54:08 GMT
> Server:Apache/2.4.18 (Ubuntu)
> Transfer-Encoding:chunked
> X-Gateway-Error:API not public.
> X-Powered-By:Undertow/1

and here are the request headers:

> Accept:*/*
> Accept-Encoding:gzip, deflate, sdch, br
> Accept-Language:pt-BR,pt;q=0.8,en-US;q=0.6,en;q=0.4
> Access-Control-Request-Headers:authorization, x-api-key
> Access-Control-Request-Method:GET
> Connection:keep-alive
> Host: apiman.url
> Origin:http://192.168.56.22:8080
> Referer:http://192.168.56.22:8080/app
> User-Agent:Mozilla/5.0 ...

Does anyone have the same problem?

Best regards,
-- 
Celso Agra
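The failing call in Celso's second mail is a CORS preflight: the browser sends OPTIONS with Origin and Access-Control-Request-* headers and, by specification, attaches neither Authorization nor custom headers such as x-api-key to it, so a gateway that demands a key on every request sees an anonymous call (which fits the X-Gateway-Error shown). The following is an added example, not apiman's code or configuration: a preflight-aware CORS decision with an explicit origin allowlist, using the origins and headers from the thread as constructed sample input; the allowlist values, `ALLOWED_*` constants and function names are this example's assumptions.

```python
# Added example, not apiman's code. Sample values are taken from the headers in the thread.
ALLOWED_ORIGINS = {"http://192.168.56.22:8080", "http://myapp.local"}  # explicit allowlist, never "*"
ALLOWED_METHODS = {"GET", "POST"}
ALLOWED_HEADERS = {"authorization", "x-api-key", "content-type"}  # lowercase for comparison

def _lower(headers: dict) -> dict:
    return {k.lower(): v for k, v in headers.items()}

def is_preflight(method: str, headers: dict) -> bool:
    """A CORS preflight is an OPTIONS request carrying Origin and
    Access-Control-Request-Method; browsers never attach Authorization,
    cookies or custom headers such as x-api-key to it."""
    h = _lower(headers)
    return method.upper() == "OPTIONS" and "origin" in h and "access-control-request-method" in h

def preflight_response(headers: dict) -> tuple:
    """Decide the preflight before any API-key or token check runs.
    Returns (status, response_headers); a refused preflight gets no CORS headers at all."""
    h = _lower(headers)
    origin = h.get("origin", "")
    method = h.get("access-control-request-method", "").upper()
    requested = {x.strip().lower() for x in h.get("access-control-request-headers", "").split(",") if x.strip()}
    if origin not in ALLOWED_ORIGINS or method not in ALLOWED_METHODS or not requested <= ALLOWED_HEADERS:
        return 403, {}
    return 204, {
        "Access-Control-Allow-Origin": origin,  # echo the single matched origin, never "*" with credentials
        "Vary": "Origin",
        "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
        "Access-Control-Allow-Headers": ", ".join(sorted(requested)),
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Max-Age": "600",
    }

def actual_response_cors_headers(headers: dict) -> dict:
    """Headers to add to the real (non-preflight) response for an allowed origin."""
    origin = _lower(headers).get("origin", "")
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin", "Access-Control-Allow-Credentials": "true"}

# Constructed sample: the preflight the browser sent in the thread (trimmed to the CORS-relevant headers).
PREFLIGHT_HEADERS = {
    "Host": "apiman.url",
    "Origin": "http://192.168.56.22:8080",
    "Access-Control-Request-Method": "GET",
    "Access-Control-Request-Headers": "authorization, x-api-key",
}
```

The preflight must be answered before key or token policies run; the actual GET that follows it does carry Authorization and x-api-key and is checked as usual.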
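Marc's announcement at the top of this digest lists what the generic JWT policy can enforce (require a JWT, require claims, require TLS, require a signed JWS, validate the signature, strip the token, allow clock skew). The following is an added example, not the apiman-plugins-jwt-policy code, showing those checks in order over a compact-serialised JWS. It assumes HMAC-SHA256 (HS256) with a shared key as a stand-in for the plugin's public-key validation, and the `request`/`config` dictionaries, function names and constructed tokens are this example's own.

```python
import base64, hashlib, hmac, json, time

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_hs256_jwt(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Constructed test token (not from a real issuer); alg="none" yields an unsigned token."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = b"" if alg == "none" else hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def apply_jwt_policy(request: dict, config: dict, key: bytes, now=None) -> dict:
    """Checks from the announcement: TLS, token present, signed (JWS) with the configured alg
    and a valid signature, exp/nbf within clock skew, required claims, then strip the token."""
    now = time.time() if now is None else now
    if config.get("require_tls") and not request["secure"]:
        return {"ok": False, "error": "transport security required"}
    auth = request["headers"].get("Authorization", "")
    if not auth.startswith("Bearer "):
        return {"ok": False, "error": "JWT required"}
    try:
        h64, p64, s64 = auth[len("Bearer "):].split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(p64))
        sig = _b64url_decode(s64)
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise ValueError("JOSE header and claims must be JSON objects")
    except ValueError:  # bad base64 (binascii.Error) and bad JSON both subclass ValueError
        return {"ok": False, "error": "malformed JWT"}
    # Require JWS with the configured alg; honouring the token's own alg (e.g. "none") would admit unsigned tokens.
    if header.get("alg") != "HS256":
        return {"ok": False, "error": "unsigned or unexpected alg"}
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return {"ok": False, "error": "bad signature"}
    skew = config.get("clock_skew_seconds", 0)
    if "exp" in claims and now > claims["exp"] + skew:
        return {"ok": False, "error": "token expired"}
    if "nbf" in claims and now < claims["nbf"] - skew:
        return {"ok": False, "error": "token not yet valid"}
    for name, value in config.get("required_claims", {}).items():
        if claims.get(name) != value:
            return {"ok": False, "error": f"claim {name} mismatch"}
    if config.get("strip_token"):  # remove the auth token so it never reaches the backend
        del request["headers"]["Authorization"]
    return {"ok": True, "claims": claims}
```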