gravitee-io / issues

Gravitee.io - API Platform - Issues

Accessing Keycloak enabled API from gravitee by providing token #1432

Closed girishmanwani closed 5 years ago

girishmanwani commented 6 years ago

Without Gateway : I have tested an api that works well with tokens provided from keycloak.

With Gravitee:

If I put this API behind Gravitee and access it with tokens - after configuration as per documentation - I am getting an error - "401 Unauthorized"

For configuration I have the following:

Authorization server URL: http://localhost:8080/auth
Token introspection endpoint: http://localhost:8080/auth/realms/SpringBoot/protocol/openid-connect/token

In Policies - I have dragged and dropped the OAuth with the relevant "resource" specified.

Is there anything else that needs to be configured.

brasseld commented 6 years ago

Hi @girishmanwani

What are you trying to do?

1) Plug the portal to Keycloak to authenticate users
2) Use Keycloak to secure requests to the API

When you say after configuration as per documentation, what documentation do you mean ?

girishmanwani commented 6 years ago

Hi @brasseld - I have a REST endpoint secured using OAuth (Keycloak). This is tested and works fine without the API gateway.

With Gateway: I have configured this endpoint with Gravitee acting as a gateway and providing API access through the url http://localhost:8082/myapiname

Testing with a token using a REST client like Rester or Postman: I am passing the Keycloak token to the Gravitee gateway URL (http://localhost:8082/myapiname), but this test shows me "401 Unauthorized".

I have configured the API to use keycloak with gravitee using the following link https://docs.gravitee.io/apim_publisherguide_plans_subscriptions.html

I have a Resource and policy(drag n drop - OAuth)

Appreciate quick response

Regards Girish

brasseld commented 6 years ago

Do you create an API plan ?

Can you provide us with your API export in json format ?

girishmanwani commented 6 years ago

Please find attached product-app-1.zip

Rgds Girish

brasseld commented 6 years ago

According to the configuration you've provided, you're trying to invoke an endpoint which does not exist, or is not used for token introspection.

    {
      "name": "OAuth2 Products Resource",
      "type": "oauth2",
      "enabled": true,
      "configuration": {
        "authorizationServerUrl": "http://localhost:8080/auth",
        "introspectionEndpoint": "http://localhost:8080/auth/realms/SpringBoot/protocol/openid-connect/token",
        "introspectionEndpointMethod": "POST",
        "scopeSeparator": " ",
        "userInfoEndpoint": "",
        "userInfoEndpointMethod": "GET",
        "useClientAuthorizationHeader": false,
        "clientAuthorizationHeaderName": "",
        "clientAuthorizationHeaderScheme": "",
        "tokenIsSuppliedByQueryParam": true,
        "tokenQueryParamName": "token",
        "tokenIsSuppliedByHttpHeader": false,
        "tokenIsSuppliedByFormUrlEncoded": false,
        "tokenFormUrlEncodedName": "",
        "clientId": "product-app",
        "clientSecret": "a2aea714-90fd-48b3-b74f-ffc1740c617b",
        "tokenHeaderName": ""
      }
    }

I would suggest you install the Keycloak Resource plugin to make the integration between Gravitee and Keycloak easier:

https://download.gravitee.io/graviteeio-apim/plugins/resources/gravitee-resource-oauth2-provider-keycloak/
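To make the point in the comment above concrete, here is an added example (not code from this issue or from the Gravitee project) that models what the posted resource JSON makes the gateway do before a request ever reaches the backend: which part of the incoming request it reads the token from, and the RFC 7662 introspection request it sends to the authorization server. The stand-in for Keycloak is constructed so the script runs offline; the corrected configuration is an assumption (the standard Keycloak introspection path for the realm, plus reading the token from the Authorization header), and the client secret is replaced with a placeholder.

```python
"""Added example, not code from the gravitee-io issue or from Gravitee itself.

It models the two parts of the OAuth2 resource JSON above that decide whether a
call gets a 401 before the backend is ever reached:
  1. where the gateway looks for the access token on the incoming request
     (tokenIsSuppliedByHttpHeader / tokenIsSuppliedByQueryParam), and
  2. the RFC 7662 introspection request it sends to the authorization server.
The HTTP call to Keycloak is replaced by a constructed stand-in so it runs offline.
"""
import base64
from urllib.parse import urlencode, urlparse

KEYCLOAK_BASE = "http://localhost:8080/auth/realms/SpringBoot/protocol/openid-connect"

# Fields copied from the resource JSON posted in the issue (secret replaced by a placeholder).
POSTED_CONFIG = {
    "introspectionEndpoint": KEYCLOAK_BASE + "/token",  # this is the token endpoint, not introspection
    "introspectionEndpointMethod": "POST",
    "tokenIsSuppliedByQueryParam": True,
    "tokenQueryParamName": "token",
    "tokenIsSuppliedByHttpHeader": False,
    "tokenHeaderName": "",
    "useClientAuthorizationHeader": False,
    "clientId": "product-app",
    "clientSecret": "CLIENT_SECRET",
}

# Same resource with the two changes a working setup needs (assumption: the standard
# Keycloak introspection path, and the token read from the Authorization header).
FIXED_CONFIG = dict(
    POSTED_CONFIG,
    introspectionEndpoint=KEYCLOAK_BASE + "/token/introspect",
    tokenIsSuppliedByHttpHeader=True,
    tokenHeaderName="Authorization",
    useClientAuthorizationHeader=True,
)


def extract_token(config, headers, query):
    """Return the bearer token the gateway would find on the request, or None."""
    if config["tokenIsSuppliedByHttpHeader"]:
        value = headers.get(config["tokenHeaderName"] or "Authorization", "")
        if value.lower().startswith("bearer "):
            return value[7:].strip()
    if config["tokenIsSuppliedByQueryParam"]:
        token = query.get(config["tokenQueryParamName"] or "token")
        if token:
            return token
    return None


def build_introspection_request(config, token):
    """RFC 7662 request: form-encoded token, client credentials via HTTP Basic or in the body."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"token": token}
    if config["useClientAuthorizationHeader"]:
        creds = f'{config["clientId"]}:{config["clientSecret"]}'.encode()
        headers["Authorization"] = "Basic " + base64.b64encode(creds).decode()
    else:
        form["client_id"] = config["clientId"]
        form["client_secret"] = config["clientSecret"]
    return config["introspectionEndpointMethod"], config["introspectionEndpoint"], headers, urlencode(form)


def fake_keycloak(method, url, headers, body):
    """Constructed stand-in for the realm's OIDC endpoints (response bodies are approximations)."""
    path = urlparse(url).path
    form = dict(pair.split("=", 1) for pair in body.split("&"))
    if path.endswith("/token/introspect"):
        # Real Keycloak also validates the client credentials; the stand-in only checks the token.
        return 200, {"active": form.get("token") == "MYTOKEN", "client_id": "product-app"}
    if path.endswith("/token"):
        # The token endpoint expects grant_type; a bare "token=" form is rejected, no "active" field.
        return 400, {"error": "invalid_request", "error_description": "Missing form parameter: grant_type"}
    return 404, {"error": "unknown endpoint"}


def gateway_decision(config, headers, query, server=fake_keycloak):
    """Return (http_status, reason) the way the OAuth2 policy would decide it."""
    token = extract_token(config, headers, query)
    if token is None:
        return 401, "no token where the resource config looks for it"
    status, body = server(*build_introspection_request(config, token))
    if status != 200 or not body.get("active"):
        return 401, f"introspection did not confirm the token (HTTP {status}: {body})"
    return 200, "token active, request forwarded to backend"


if __name__ == "__main__":
    bearer = {"Authorization": "Bearer MYTOKEN"}
    print(gateway_decision(POSTED_CONFIG, bearer, {}))              # 401: header is never consulted
    print(gateway_decision(POSTED_CONFIG, {}, {"token": "MYTOKEN"}))  # 401: token endpoint, not introspect
    print(gateway_decision(FIXED_CONFIG, bearer, {}))               # 200
    print(gateway_decision(FIXED_CONFIG, {"Authorization": "Bearer expired"}, {}))  # 401: inactive
```

Two independent things go wrong with the posted resource: with `tokenIsSuppliedByHttpHeader` false the gateway never reads `Authorization: Bearer ...`, so a curl with that header is rejected before any introspection; and even when the token is passed as `?token=`, the configured URL is the realm's token endpoint, which answers a `token=` form with an error rather than an `{"active": ...}` document, so the policy cannot confirm the token. The Keycloak Resource plugin recommended above removes the second class of mistake by deriving the endpoints from the realm itself.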

girishmanwani commented 6 years ago

Hi @brasseld, I have updated the introspection endpoint (attached plan) and also installed the mentioned plugin. I still get Response 401 Unauthorized for the URL accessed via the gateway - http://localhost:8082/productsapi. I have tested it with both curl and a REST client.

The token that I obtain via keycloak works fine with the same springboot application deployed on tomcat(not on gateway) - http://localhost:8081/products

But when I configure the application(https://docs.gravitee.io/apim_publisherguide_plans_subscriptions.html#oauth_2_0_plan) to use Generic OAuth 2.0 Authorization Server Resource and access it via gateway @ http://localhost:8082/productsapi It fails with error - 401- Unauthorized

I am using the following curl commands for testing

curl -v --data "client_secret=a2aea714-90fd-48b3-b74f-ffc1740c617b&client_id=product-app&username=MYUSERNAME&password=MYPASSWORD&grant_type=password&token=MYTOKEN" http://localhost:8082/productsapi

OR

Tried this - fails - 401 Unauthorized:

    curl -v -H "Authorization: Bearer MYTOKEN" http://localhost:8082/productsapi

For keycloak - I have tried with both - "Public" and "Confidential" access types - the issue is unchanged.

product-app-1-updated.zip

Regards Girish

brasseld commented 5 years ago

Is this issue still valid?

girishmanwani commented 5 years ago

You may close it.

Rgds Girish

On Fri, 22 Mar 2019, 3:50 am Brassely David, notifications@github.com wrote:

Is this issue still valid?

Olnyov commented 1 year ago

[Quoting @brasseld's earlier comment above recommending the Keycloak Resource plugin.]

@brasseld, I didn't find instructions on how to install the Keycloak Resource plugin. Can you help me? I use docker-compose.