Open pavanelthepumisc opened 3 years ago
Hi @pavanelthepumisc
Which version of Keycloak are you using?
Hi @aelamrani,
It's 11.0.2
Any error in gateway logs after a call?
No errors in logs @aelamrani
So, just had a try and everything is working on my side. Can you share the configuration of the Gravitee resource?
Ok try something like this one instead:
Here is my configuration @aelamrani
Cool and works now?
Here is the full auth server URL in my example: http://localhost:8080/auth/realms/master/protocol/openid-connect
No, it's not working @aelamrani. Getting the following error:
Here is my API export @aelamrani
```json
{
  "name": "OAuthTest",
  "version": "1.0.0",
  "description": "OAuthTest",
  "visibility": "PRIVATE",
  "paths": { "/": [] },
  "gravitee": "1.0.0",
  "resources": [
    {
      "name": "OAuthKeycloak",
      "type": "oauth2",
      "enabled": true,
      "configuration": {
        "authorizationServerUrl": "https://auth-dev.custompro.com/auth/realms/APIGateway/protocol/openid-connect",
        "introspectionEndpoint": "/token/introspect",
        "introspectionEndpointMethod": "POST",
        "scopeSeparator": " ",
        "userInfoEndpoint": "/userinfo",
        "userInfoEndpointMethod": "GET",
        "useClientAuthorizationHeader": true,
        "clientAuthorizationHeaderName": "Authorization",
        "clientAuthorizationHeaderScheme": "Basic",
        "tokenIsSuppliedByQueryParam": false,
        "tokenQueryParamName": "token",
        "tokenIsSuppliedByHttpHeader": true,
        "tokenIsSuppliedByFormUrlEncoded": true,
        "tokenFormUrlEncodedName": "token",
        "userClaim": "sub",
        "clientId": "HILTGLOBAL",
        "clientSecret": "*****************************",
        "tokenHeaderName": "Authorization"
      }
    }
  ],
  "properties": [],
  "members": [
    {
      "source": "custom-keycloak",
      "sourceId": "4e028174-6441-4c96-8560-cf5ba76eeb0b",
      "roles": [ "25270bf3-6426-446a-a70b-f36426c46a0c" ]
    }
  ],
  "pages": [
    {
      "id": "424bc826-90fd-46bb-8bc8-2690fd36bb30",
      "name": "Aside",
      "type": "SYSTEM_FOLDER",
      "order": 0,
      "published": true,
      "lastModificationDate": 1606973717424,
      "contentType": "application/json",
      "configuration": {},
      "homepage": false,
      "parentPath": "",
      "metadata": {},
      "api": "dfc03a3c-6d02-470c-803a-3c6d02d70c71",
      "excluded_groups": [],
      "attached_media": []
    }
  ],
  "plans": [
    {
      "id": "a4a84037-c85e-4d12-a840-37c85ead128d",
      "name": "Premium",
      "description": "Premium",
      "validation": "MANUAL",
      "security": "OAUTH2",
      "securityDefinition": "{\"extractPayload\":false,\"checkRequiredScopes\":false,\"modeStrict\":true,\"propagateAuthHeader\":true,\"requiredScopes\":[],\"oauthResource\":\"OAuthKeycloak\"}",
      "type": "API",
      "status": "PUBLISHED",
      "api": "dfc03a3c-6d02-470c-803a-3c6d02d70c71",
      "order": 1,
      "characteristics": [],
      "tags": [],
      "created_at": 1606974083964,
      "updated_at": 1606974087082,
      "published_at": 1606974087082,
      "paths": { "/": [] },
      "flows": [],
      "excluded_groups": [],
      "comment_required": false
    }
  ],
  "metadata": [
    {
      "key": "email-support",
      "name": "email-support",
      "format": "MAIL",
      "value": "${(api.primaryOwner.email)!''}",
      "defaultValue": "support@change.me",
      "apiId": "dfc03a3c-6d02-470c-803a-3c6d02d70c71"
    }
  ],
  "id": "dfc03a3c-6d02-470c-803a-3c6d02d70c71",
  "path_mappings": [],
  "proxy": {
    "virtual_hosts": [ { "path": "/oauth-test" } ],
    "strip_context_path": false,
    "preserve_host": false,
    "groups": [
      {
        "name": "default-group",
        "endpoints": [
          {
            "name": "default",
            "target": "http://dummy.restapiexample.com/api/v1",
            "weight": 1,
            "backup": false,
            "type": "HTTP",
            "inherit": true
          }
        ],
        "load_balancing": { "type": "ROUND_ROBIN" },
        "http": {
          "connectTimeout": 5000,
          "idleTimeout": 60000,
          "keepAlive": true,
          "readTimeout": 10000,
          "pipelining": false,
          "maxConcurrentConnections": 100,
          "useCompression": true,
          "followRedirects": false
        }
      }
    ]
  },
  "response_templates": {}
}
```
Ok, can you check that your introspect call returns the client_id defined on the Gravitee.io application used to subscribe?
Yes @aelamrani
Here is the response from my introspect URL with the access token, client_id and client_secret:
```json
{
  "exp": 1606982582,
  "iat": 1606982282,
  "jti": "47246931-68d9-4a51-ae5c-89d57c7f2bc6",
  "iss": "https://auth-dev.custompro.com/auth/realms/APIGateway",
  "aud": "account",
  "sub": "76e8f020-a9d8-48b1-917b-9a1a9a3fe0e8",
  "typ": "Bearer",
  "azp": "HILTGLOBAL",
  "session_state": "3e7b98a8-ca2e-44be-bf0b-029af2fb7335",
  "preferred_username": "service-account-hiltglobal",
  "email_verified": false,
  "acr": "1",
  "allowed-origins": [ "http://localhost:8001" ],
  "realm_access": { "roles": [ "offline_access", "uma_authorization" ] },
  "resource_access": { "account": { "roles": [ "manage-account", "manage-account-links", "view-profile" ] } },
  "scope": "profile email",
  "clientHost": "157.48.213.199",
  "clientId": "HILTGLOBAL",
  "clientAddress": "157.48.213.199",
  "client_id": "HILTGLOBAL",
  "username": "service-account-hiltglobal",
  "active": true
}
```
Are you calling the same endpoint to get the token and for the introspection?
Yes @aelamrani
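To run the two checks discussed in this exchange outside the gateway (that the introspection request is built from the same authorization server base URL as the token endpoint, with the client credentials in a Basic header, and that the introspection response is active and carries the client_id of the subscribing application), here is an added example. It is not part of the issue and not Gravitee's or Keycloak's code; `build_introspection_request`, `check_introspection`, `introspect` and the rule set they implement are this example's own assumptions about what an introspection-backed plan needs, the resource dict is copied from the API export above with a placeholder secret, and the sample response is trimmed from the one posted above.

```python
# Added example (not Gravitee's or Keycloak's own code): reproduce, outside the
# gateway, the checks an OAuth2 plan backed by a token-introspection resource
# needs. Function names and the rule set are assumptions of this example.
import base64
import json
import urllib.parse
import urllib.request

# Resource configuration copied from the API export in the issue (secret is a placeholder).
RESOURCE = {
    "authorizationServerUrl": "https://auth-dev.custompro.com/auth/realms/APIGateway/protocol/openid-connect",
    "introspectionEndpoint": "/token/introspect",
    "introspectionEndpointMethod": "POST",
    "clientAuthorizationHeaderName": "Authorization",
    "clientAuthorizationHeaderScheme": "Basic",
    "tokenFormUrlEncodedName": "token",
    "clientId": "HILTGLOBAL",
    "clientSecret": "REPLACE-WITH-CLIENT-SECRET",  # placeholder
}

# Constructed sample: the introspection response posted in the issue, trimmed to the fields used here.
INTROSPECTION_RESPONSE = {
    "exp": 1606982582,
    "iss": "https://auth-dev.custompro.com/auth/realms/APIGateway",
    "sub": "76e8f020-a9d8-48b1-917b-9a1a9a3fe0e8",
    "azp": "HILTGLOBAL",
    "scope": "profile email",
    "client_id": "HILTGLOBAL",
    "username": "service-account-hiltglobal",
    "active": True,
}


def build_introspection_request(resource: dict, token: str) -> urllib.request.Request:
    """Build the introspection POST from the resource fields, the way the gateway would.

    The endpoint is authorizationServerUrl + introspectionEndpoint, the client
    authenticates with Basic (clientId:clientSecret), and the token is sent in the
    form-urlencoded body under tokenFormUrlEncodedName (RFC 7662).
    """
    url = resource["authorizationServerUrl"].rstrip("/") + resource["introspectionEndpoint"]
    creds = f'{resource["clientId"]}:{resource["clientSecret"]}'.encode()
    headers = {
        resource["clientAuthorizationHeaderName"]:
            f'{resource["clientAuthorizationHeaderScheme"]} {base64.b64encode(creds).decode()}',
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({resource["tokenFormUrlEncodedName"]: token}).encode()
    return urllib.request.Request(url, data=body, headers=headers,
                                  method=resource["introspectionEndpointMethod"])


def check_introspection(response: dict, subscribed_client_id: str,
                        required_scopes=()) -> tuple:
    """Return (ok, reason) for an introspection response.

    Rules (assumption, an approximation of an introspection-based plan, not
    Gravitee's exact implementation): the token must be active, its client_id
    must equal the client_id registered on the subscribing application, and every
    required scope must be granted.
    """
    if not response.get("active"):
        return False, "token is not active (expired, revoked or unknown to this realm)"
    if response.get("client_id") != subscribed_client_id:
        return False, (f'client_id {response.get("client_id")!r} does not match '
                       f'subscription {subscribed_client_id!r}')
    granted = set(response.get("scope", "").split())
    missing = set(required_scopes) - granted
    if missing:
        return False, f"missing scopes: {sorted(missing)}"
    return True, "ok"


def introspect(resource: dict, token: str, timeout: float = 5.0) -> dict:
    """Perform the live introspection call (network; not used in the offline demo)."""
    req = build_introspection_request(resource, token)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Offline demo against the sample response: the subscribed application is HILTGLOBAL.
    req = build_introspection_request(RESOURCE, "<access-token>")
    print("introspection URL:", req.full_url)
    print(check_introspection(INTROSPECTION_RESPONSE, "HILTGLOBAL"))
    print(check_introspection(INTROSPECTION_RESPONSE, "SOME-OTHER-APP"))
```

Run it with `python introspect_check.py` to see the URL the resource config resolves to and the decision for the sample response; replace the placeholder secret and call `introspect()` with a real token to compare the live response against the one posted above.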
I have the same issue, so I am moving to a JWT plan; it is the best-suited way for me. However, I am following this issue; if you need more information, I can help you (appears with G.io 3.7.0).
@aelamrani can you help with this issue, please?
FYI @brasseld
@pavanelthepumisc the error message is about nginx; it doesn't seem to be related to Gravitee.
But I'm getting this error only with the OAuth2 plan @brasseld. The same API is working with the API Key plan. Please help.
Could it be a response from your backend?
Nope. I'm expecting Unauthorized in the first place, as I passed a wrong token. Even if I pass the correct token, same error. https://dummy.restapiexample.com/api/v1/employees This is my backend @brasseld
So why do we have this nginx response? Can you describe a bit your architecture?
It's pretty simple @brasseld. For testing the OAuth2 plan, I followed the following steps:
Here is my Generic OAuth2 Authorization Server configuration:
I'm getting this error when I send the Bearer token. If I don't send any token, I'm getting a 401 Unauthorised error. @brasseld
same here
I've got my Gravitee up and running with Keycloak login. I've created an API with an OAuth2 authentication plan and subscribed to it. When I'm trying to access the API from Postman I'm getting the following error:
Expected Behavior
As my token is valid, I should get a response from my API.
Current Behavior
Getting error
Steps to Reproduce (for bugs)
1. Created API
2. Added a Resource with Generic OAuth2 Authorization Server type
3. Added a plan with the OAuth Resource created in step 2
4. Subscribed to it
5. Got my access token by hitting my Keycloak server from Postman
6. Accessing API with the access token received in step 5
Your Environment