[Apiman-user] external Keycloak server

Eric Wittmann eric.wittmann at redhat.com
Fri Jan 29 08:16:30 EST 2016


Any chance you can share your full realm file?  Perhaps with any secrets 
redacted.  :)

-Eric

On 1/29/2016 4:11 AM, enrico wrote:
> Hi Guy,
> thank you very much, it works!
>
> For anyone with the same problem, this is my realm.json client definition:
>
>      "applications" : [
>          {
>              "name" : "apiman",
>              "enabled" : true,
>              "directGrantsOnly" : true,
>              "standardFlowEnabled": true,
>              "baseUrl" : "http://apigateway:8080/",
>              "redirectUris" : [
>                  "http://apigateway:8080/apimanui/*",
>                  "http://apigateway:8080/apiman-gateway-api/*",
>                  "http://apigateway:8080/apiman-es/*",
>                  "http://apigateway:8080/apiman/*"
>              ],
>              "secret" : "password"
>          }
>      ]
>
> Thanks a lot again.
>
> Cheers,
> Enrico
>
> On Thu, Jan 28, 2016 at 10:02 PM, Guy Davis <guydavis.ca at gmail.com> wrote:
>> Hi Enrico,
>>
>> I just made the move to Apiman 1.2.1 (running on port 8081) and Keycloak
>> 1.7.0 (running on port 8080), both behind an HAProxy instance.  I've
>> attached the section of my standalone-apiman.xml that worked for me.
>>
>> Note, I'm not using the default 'apiman' realm as I am securing a number of
>> other web apps with Keycloak.  So I have 'MyRealm' with a Keycloak client of
>> 'apiman', which is set for:
>>
>> Client-protocol: openid-connect
>> Access Type: confidential
>> Direct Access Grants Enabled: ON
>> Valid redirect URIs:
>>
>> /apimanui/*
>> /apiman-gateway-api/*
>> /apiman-es/*
>> /apiman/*
>>
>> In that KC client, I have 3 realm roles for this:
>>
>> apipublisher
>> apiadmin
>> apiuser
>>
>> I had tried to keep these roles to just the KC client 'apiman', but it
>> wouldn't allow me to log in to /apimanui unless the roles were realm-wide.
>> I'm going to try client-specific roles again now that apiman is 1.2.1.  I'm
>> using Postgres and ElasticSearch for storage, on other VMs.
>>
>> This was enough to let me log in and view /apimanui when I had those roles
>> for my Keycloak user.
>>
>> Hope this helps,
>> Guy
>>
>> On Thu, Jan 28, 2016 at 1:08 AM, enrico <lists at comiti.name> wrote:
>>>
>>> Hi all,
>>> thanks for the responses.
>>>
>>> @Mark: yes, I know that is a release candidate but it looks like the
>>> final version is near and, being on a new project, I wanted to start with
>>> the very latest versions :)
>>>
>>> Apart from this, I have tried with 1.7.0.Final too, but I have the
>>> same problem:
>>>
>>> User gets a "Forbidden" page and Keycloak server logs say:
>>>
>>> WARN  [org.keycloak.events]:
>>> type=CODE_TO_TOKEN_ERROR,
>>> realmId=352d562a-f3e5-4b7a-99ad-4331cdfdf085, clientId=apimanui,
>>> userId=null, ipAddress=127.0.0.1, error=invalid_client_credentials,
>>> grant_type=authorization_code
>>>
>>> Thanks a lot for the help, best regards,
>>> Enrico
>>>
>>>
>>> On Wed, Jan 27, 2016 at 5:49 PM, Marc Savy <marc.savy at redhat.com> wrote:
>>>> Hi Enrico,
>>>>
>>>> We haven't tested with Keycloak 1.8, as this is only a candidate release
>>>> at the moment (CR == RC).
>>>>
>>>> I can give it a try, though and will report back.
>>>>
>>>> Regards,
>>>> Marc
>>>>
>>>
>>>
>>>
>>> --
>>> Enrico Comiti
>>> _______________________________________________
>>> Apiman-user mailing list
>>> Apiman-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/apiman-user
>>
>>
>
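
Added example, not part of the thread or of the apiman/Keycloak projects: one way to produce the "secrets redacted" copy of a realm file that Eric asks for before posting it to a list. Only the "secret" key appears in the thread; the other key names, the placeholder and the sample realm (built from Enrico's client definition plus a made-up user) are assumptions.

```python
import json

PLACEHOLDER = "**REDACTED**"
# Substrings matched case-insensitively against key names. "secret" is the key
# shown in the thread; the rest are assumptions about a full realm export.
SENSITIVE_PARTS = ("secret", "password", "privatekey", "salt")
# Keys whose whole subtree is treated as secret material (assumption).
SENSITIVE_SUBTREES = ("credentials",)

def redact(node, path="$", force=False, hits=None):
    """Return (copy of node with secret leaves replaced, list of redacted paths)."""
    hits = [] if hits is None else hits
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            low = key.lower()
            child_force = (force or low in SENSITIVE_SUBTREES
                           or any(p in low for p in SENSITIVE_PARTS))
            out[key] = redact(value, f"{path}.{key}", child_force, hits)[0]
        return out, hits
    if isinstance(node, list):
        return [redact(v, f"{path}[{i}]", force, hits)[0]
                for i, v in enumerate(node)], hits
    # Booleans stay readable so flags such as "resetPasswordAllowed" survive.
    if force and node is not None and not isinstance(node, bool):
        hits.append(path)
        return PLACEHOLDER, hits
    return node, hits

# Constructed sample: the client block from the thread plus a made-up user.
SAMPLE = json.loads("""
{
  "realm": "apiman",
  "resetPasswordAllowed": true,
  "applications": [
    {"name": "apiman", "enabled": true,
     "redirectUris": ["http://apigateway:8080/apimanui/*"],
     "secret": "password"}
  ],
  "users": [
    {"username": "admin",
     "credentials": [{"type": "password", "value": "admin123", "temporary": false}]}
  ]
}
""")

if __name__ == "__main__":
    clean, redacted = redact(SAMPLE)
    print(json.dumps(clean, indent=2))
    print("redacted:", *redacted, sep="\n  ")
```

The list of redacted paths is worth reading before sending: a key the matcher does not know about will not appear in it.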

