API Manager 3.2.0 and Keycloak - Unclassified Authentication Failure
Description:
Hello, I’m trying to configure API Manager 3.2.0 to use Keycloak. I followed the instructions here, however when I use API Manager to generate an access token and then try to access my API, I get the following error:
$ curl -X GET "https://localhost:8243/petstore/1.0.0/" -H "accept: application/xml" -H "Authorization: Bearer eyJh.." -k
<ams:fault xmlns:ams="http://wso2.org/apimanager/security"><ams:code>900900</ams:code><ams:message>Unclassified Authentication Failure</ams:message><ams:description>Error while accessing backend services for API key validation</ams:description></ams:fault>
In the wso2-apigw-errors.log file, I see this:
TID: [-1234] [] [2020-09-21 00:34:51,355] ERROR {org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler} - API authentication failure due to Unclassified Authentication Failure org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Error while accessing backend services for API key validation
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate_aroundBody42(APIAuthenticationHandler.java:438)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate(APIAuthenticationHandler.java:418)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest_aroundBody36(APIAuthenticationHandler.java:354)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:325)
at org.apache.synapse.rest.API.process(API.java:373)
at org.apache.synapse.rest.RESTRequestHandler.apiProcessNonDefaultStrategy(RESTRequestHandler.java:144)
at org.apache.synapse.rest.RESTRequestHandler.identifyAPI(RESTRequestHandler.java:164)
at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:95)
at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:73)
at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:331)
at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:99)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:367)
at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:188)
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:834)
Am I missing something? It seems that my API Manager can communicate with Keycloak, as it can create clients and generate access tokens just fine. But I get this error whenever I make a request to my backend API using a JWT that was generated by Keycloak. If I use the built-in “Resident Key Manager” to generate a JWT and then use that, everything works just fine. Do I need to import any other Keycloak certificates other than the SSL cert that the instructions say to import? Or does API Manager make a request to Keycloak to validate the incoming JWT?
Steps to reproduce:
1). Follow the Configure Keycloak as a Key Manager instructions here.
2). Create an API and Application, then have that Application subscribe to the API.
3). Under the Production keys > keycloak tab, generate an access token.
4). Make request to the gateway with that access token.
Affected Product Version:
3.2.0
Environment details (with versions):
- OS: CentOS 7
- Client:
- Env (Docker/K8s): Single standalone instance
- Keycloak: 10.0.2
Issue Analytics
- Created 3 years ago
- Comments:7 (3 by maintainers)
Hi @CrowleyRajapakse, thanks for your help.
I retrieved the issuer certificate from Keycloak by making the following request:
and then I extract the certificate from the ‘x5c’ field and put it in a ‘keycloak.crt’ file. Then I convert that crt file into a ‘pem’ file and copy the contents into the API Manager:
Then I go to my Application in API Manager, select Production Keys, then Keycloak and generate a JWT:
I still get the following error whenever I make a request to my backend API with that JWT:
However, like I said earlier, if I use a JWT generated by the Resident Key Manager, it works.
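An added example, not part of the issue thread and not WSO2 or Keycloak code: one way to do the x5c-to-PEM step described in the comment above while confirming that the certificate comes from the JWKS key whose `kid` matches the token header. The JWKS, token, issuer URL and certificate bytes are constructed placeholders (not a real certificate), and the function names are hypothetical.

```python
import base64
import json

def b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_header_and_claims(token):
    """Parse (without verifying the signature) a compact JWT's header and payload."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated parts")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))

def x5c_to_pem(x5c_entry):
    """Wrap one x5c entry (standard base64 of a DER certificate) as PEM."""
    der = base64.b64decode(x5c_entry, validate=True)  # rejects base64url or junk input
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def signing_cert_for(token, jwks):
    """Return the PEM leaf certificate of the JWKS key whose kid matches the token."""
    header, _ = jwt_header_and_claims(token)
    for key in jwks.get("keys", []):
        if key.get("kid") == header.get("kid"):
            if not key.get("x5c"):
                raise LookupError(f"key {key['kid']} has no x5c chain")
            return x5c_to_pem(key["x5c"][0])  # first x5c entry is the leaf certificate
    raise LookupError(f"no JWKS key with kid={header.get('kid')!r}")

# --- constructed sample data: placeholder bytes, not a real certificate ---
def _seg(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

SAMPLE_DER = bytes(range(100))
SAMPLE_JWKS = {"keys": [{"kid": "kc-key-1", "kty": "RSA", "use": "sig",
                         "x5c": [base64.b64encode(SAMPLE_DER).decode()]}]}
SAMPLE_TOKEN = ".".join([_seg({"alg": "RS256", "kid": "kc-key-1"}),
                         _seg({"iss": "https://keycloak.example/realms/demo"}),
                         "c2ln"])

if __name__ == "__main__":
    print(jwt_header_and_claims(SAMPLE_TOKEN)[1]["iss"])  # issuer claimed by the token
    print(signing_cert_for(SAMPLE_TOKEN, SAMPLE_JWKS))
```

A `LookupError` here means the token was signed with a key other than the one whose certificate was exported, and the printed `iss` value can be compared with the issuer configured for the key manager.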
Hi @molinab297-unisys, I am also facing the same issue. Can you please let me know if you were able to resolve the above issue?