Running Apiman Manager behind reverse proxy with external keycloak

[esbakker]

Hi,

I'm having some issues with running the apiman manager behind a reverse proxy. I'm using the docker.io/apiman/wildfly-manager:2.2.3.Final image, and deploying that in OpenShift. I created a route with tls.
I updated that standalone-apiman.xml to enable proxy-address-forwarding for the http-listener.
I can navigate to the https endpoint and I am being redirected to keycloak, where I can login (so at this point the redirect_uri is valid https).
But when I'm logged in it only shows Forbidden. In the logs I see the following message:

10:38:03,724 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-1) failed to turn code into token
10:38:03,724 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-1) status from server: 400
10:38:03,724 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-1) {"error":"invalid_grant","error_description":"Incorrect redirect_uri"}

And in the keycloak logs:

2023-12-07 10:45:39,446 WARN [org.keycloak.events] (executor-thread-3) type=CODE_TO_TOKEN_ERROR, realmId=apiman, clientId=apimanui, userId=, ipAddress=, error=invalid_code, grant_type=authorization_code, code_id=8, client_auth_method=client-secret

It's working fine when using http instead of https. And we're running a lot more applications on OpenShift that don't have any issues (running spring boot/tomcat or nginx). So I'm assuming it's a wildfly or apiman.

Is there some setting that I'm missing?

[jahiru22ec]

What version of keycloak are you using?

[esbakker]

The latest (keycloak 23.0.1).

Although I have the feeling it might be an issue with wildfly or the wildfly keycloak adapter, since that's the one that requests the code with the incorrect url?

[jahiru22ec]

That's right, I've tested wildfly apiman with Keycloak 23.0.0+ and it has the same drawback, possibly due to a removal of the wildfly adapter clients in Keycloak 23+.

I haven't had much time to dig deeper, but what worked for me was enabling a Keycloak version 22.0.0.5 specifically for apiman.

If you have a single authentication domain and you need to maintain the latest version of Keycloak and you also have to run apiman, you can use a reverse proxy for the Keycloak authentication server that has both versions running through the same domain and using a path, for example /v1/ to direct you to the specific version of Keycloak that works well with Apiman.

[esbakker]

Thanks for looking in to it. Unfortunately downgrading or running a separate Keycloak is not really an option for us. Should I file a bug to make this work with newer Keycloak? Or are there other options to make it work? I also saw a tomcat-manager docker image, but couldn't find any documentation about running/configuring that.

[kirby0025]

Hi,
Just passing by to say that I had the same issue that @esbakker and downgrading keycloak in 22.0.5 resolved the issue.
Which is not ideal since it block upgrades of keycloak, but it's juste a PoC for now so I guess I can live with that.