Closed mark-kumoco closed 3 years ago
Hi @mark-kumoco, when you activate direct grant on Keycloak, you basically enable the feature that allows the client to get an access token from the server.
Take a look at the OAuth2 spec here: https://tools.ietf.org/html/rfc6749#section-4.4
So you are saying "yes", that is the correct fix? Or is there a different/better one that would allow me to use the Management API to add configuration to Apiman?
Hmm, I think direct grants should certainly be enabled for most use cases. As I recall, it used to be enabled by default for Apiman quickstarts with Keycloak. Might just need a little update.
direct_grant (read as client_credentials) is normally used when an application needs to get data from another application; in this case the "owner" of the resources does not need to authorize anything (according to the OAuth framework). This is not recommended when you need to expose services outside of your network, but it works (less secure).
Answering your question @mark-kumoco, if it worked it's a fix ;)
Thanks, it's an area I'll have to dig into again when I have time, as there are some subtleties about what works in slightly different setups. IIRC, the main Apiman Manager API can speak directly to Keycloak (via the WildFly KC adapter) for auth stuff in this scenario, and may have needed direct access grants at the time we originally implemented it.
Hopefully we can find some time to create guides and robust configurations that will work reliably OOTB with different plausible Docker and Kubernetes setups (including the one OP proposes). I'd also like to add some smoke tests, just to see that basic things still work reliably when we're cutting new versions, like being able to successfully deploy, log in, etc.
At any rate, I think enabling direct access grants is a fine solution for the OP of this thread (as an interim solution at least) 👍.
Ok thanks for your help!
@msavy I will also look into it because I want to rename the Keycloak Groups for the Devportal and then I will check all settings for the quickstarts again.
Ok, fantastic @volkflo!
Hi,
I flipped the "Direct Access Grants Enabled" switch to "on", in the "apiman" client page in the Keycloak console and the Management API is working.
Is that the correct fix?
Mark
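Added example, not part of the thread and not Apiman or Keycloak project code: a small audit that reads a Keycloak realm export and reports which OAuth2 grant each client switch turns on, flagging clients where "Direct Access Grants Enabled" is on. The realm export, the realm name and the `example-*` clients are constructed; the flag names are assumed to match the client representation in a Keycloak realm export.

```python
import json

# Constructed sample: a trimmed realm export. Only the "apiman" client name
# comes from the thread; every other name and flag value is an assumption.
SAMPLE_REALM_EXPORT = """
{
  "realm": "example-realm",
  "clients": [
    {"clientId": "apiman", "publicClient": false, "standardFlowEnabled": true,
     "directAccessGrantsEnabled": true, "serviceAccountsEnabled": false},
    {"clientId": "example-ui", "publicClient": true, "standardFlowEnabled": true,
     "directAccessGrantsEnabled": true},
    {"clientId": "example-batch", "publicClient": false,
     "standardFlowEnabled": false, "serviceAccountsEnabled": true}
  ]
}
"""

# Keycloak client flag -> OAuth2 grant it enables (RFC 6749 section).
FLAG_TO_GRANT = {
    "standardFlowEnabled": "authorization_code (4.1)",
    "implicitFlowEnabled": "implicit (4.2)",
    "directAccessGrantsEnabled": "password (4.3)",
    "serviceAccountsEnabled": "client_credentials (4.4)",
}


def audit_export(export_json):
    """Return {clientId: {"grants": [...], "findings": [...]}} for a realm export."""
    report = {}
    for client in json.loads(export_json).get("clients", []):
        # Assumption of this script: a flag missing from the export counts as off.
        grants = [g for flag, g in FLAG_TO_GRANT.items() if client.get(flag, False)]
        findings = []
        if client.get("directAccessGrantsEnabled", False):
            findings.append("client handles user passwords directly")
            if client.get("publicClient", False):
                findings.append("password grant on a public client (no client secret)")
        report[client.get("clientId", "<unnamed>")] = {"grants": grants, "findings": findings}
    return report


if __name__ == "__main__":
    for client_id, entry in audit_export(SAMPLE_REALM_EXPORT).items():
        print(client_id, entry["grants"], entry["findings"] or "ok")
```

Running it against an export of your own realm shows at a glance which clients would need review before the switch is left on outside a quickstart.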