Original Message:
Sent: Thu November 09, 2023 06:14 PM
From: Jeroen Willems
Subject: API Connect with third party OAuth Provider (RedHat SSO KeyCloak)
Can you provide the config of your third-party OAuth provider, mainly the introspect URL you use?
Also what do the Datapower logs show?
------------------------------
Jeroen Willems
Integration Architect - Managing Partner
Integration Designers
Original Message:
Sent: Wed November 08, 2023 08:02 PM
From: Guo Jun Qiao
Subject: API Connect with third party OAuth Provider (RedHat SSO KeyCloak)
Hi Jeroen Willems
Thanks a lot for your reply.
However, I have been struggling with an issue for one month. No matter how I try, the OAuth Provider just cannot call the Introspect Proxy API (see below screenshot). I always encounter the error "Cannot pass the security checks that are required by the target API or operation, Enable debug headers for more details.".
Because of this issue, the customer does not want to proceed with the PO.
------------------------------
Guo Jun Qiao
Original Message:
Sent: Wed November 01, 2023 09:16 AM
From: Jeroen Willems
Subject: API Connect with third party OAuth Provider (RedHat SSO KeyCloak)
That workaround is currently indeed the way to go and is easy to set up.
------------------------------
Jeroen Willems
Integration Architect - Managing Partner
Integration Designers
Original Message:
Sent: Tue October 31, 2023 01:04 AM
From: Guo Jun Qiao
Subject: API Connect with third party OAuth Provider (RedHat SSO KeyCloak)
Hi Szymon Stupkiewicz,
Thanks a lot for your reply. I checked with the IBM support team and they said APIC does not support passing client_id and client_secret to Keycloak via the request body. As a workaround, the IBM support team suggested putting another API URL into the introspect URL. Then in that API we can put client_id and client_secret into the request body and send the request to the KeyCloak introspect endpoint.
------------------------------
Guo Jun Qiao
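The introspect-proxy workaround described in the post above, written out as an added example in Node.js (not code from this thread, from IBM API Connect or from Keycloak): the proxy builds the form-encoded introspection request with client_id and client_secret in the body and then evaluates Keycloak's answer before telling the gateway whether the token is acceptable. The Keycloak URL, client credentials and the sample reply are placeholders constructed for the example.

```javascript
// Added example: the "introspect proxy" pattern from the thread. Keycloak URL and
// credentials are placeholders; replace them with your realm's values.
const KEYCLOAK_INTROSPECT_URL =
  'https://keycloak.example.com/realms/demo/protocol/openid-connect/token/introspect';

// Build the request the proxy sends to Keycloak. The client credentials go into the
// application/x-www-form-urlencoded body, which is exactly the part the built-in
// third-party OAuth integration could not do according to the thread.
function buildIntrospectionRequest(token, clientId, clientSecret) {
  const params = new URLSearchParams({
    token,
    token_type_hint: 'access_token',
    client_id: clientId,
    client_secret: clientSecret,
  });
  return {
    url: KEYCLOAK_INTROSPECT_URL,
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: params.toString(),
  };
}

// Decide what the proxy reports back to the gateway. RFC 7662 makes "active" the only
// mandatory field; expiry and a required scope are checked when present so that a
// stale or under-scoped token is not waved through just because it is "active".
function evaluateIntrospection(resp, requiredScope, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (resp.active !== true) return { allow: false, reason: 'token not active' };
  if (typeof resp.exp === 'number' && resp.exp <= nowSeconds) return { allow: false, reason: 'token expired' };
  if (requiredScope) {
    const scopes = (resp.scope || '').split(' ');
    if (!scopes.includes(requiredScope)) return { allow: false, reason: 'missing scope ' + requiredScope };
  }
  return { allow: true, reason: 'ok', subject: resp.sub };
}

// Offline demo with a constructed Keycloak-style reply (no network call is made).
function demo() {
  const req = buildIntrospectionRequest('opaque-token-value', 'apic-gateway', 'placeholder-secret');
  const constructedReply = { active: true, exp: 1700000600, scope: 'openid profile', sub: 'user-42' };
  return { request: req, decision: evaluateIntrospection(constructedReply, 'profile', 1700000000) };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the real proxy the request object is handed to fetch (or the GatewayScript urlopen module on DataPower) and the decision, or the raw Keycloak JSON with its `active` field, is returned to API Connect.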
Original Message:
Sent: Fri October 27, 2023 04:26 AM
From: Szymon Stupkiewicz
Subject: API Connect with third party OAuth Provider (RedHat SSO KeyCloak)
You would need to look at the DataPower logs at the time you make the request to figure out what the actual error is. Alternatively, you can run your request from the "Develop" section in API Manager and use the Tracing capabilities to see what exactly is going wrong there. DataPower logs are also part of the Trace.
------------------------------
Szymon Stupkiewicz
Original Message:
Sent: Sat October 14, 2023 09:29 AM
From: Guo Jun Qiao
Subject: API Connect with third party OAuth Provider (RedHat SSO KeyCloak)
I am using API Connect 10.0.5. I have a third-party OAuth provider set up in RedHat SSO KeyCloak (version 22). In API Manager I configured the third-party OAuth Provider to point to KeyCloak (see screenshots 1 and 2 below). I also changed the API security scheme to use this third-party OAuth Provider.
In screenshot 3, I tried to call the API which is protected by the third-party OAuth provider. I expect API Connect to connect to KeyCloak to introspect the token and return a response indicating that the token is valid. However, I always encounter the error below. I checked and the request indeed reached KeyCloak. It just looks like the client_id and client_secret cannot be passed to KeyCloak. Based on this IBM doc, I tried different ways to pass in client_id and client_secret but none of them work. I have used Postman to get and introspect a token from KeyCloak and it works.
https://www.ibm.com/docs/en/api-connect/10.0.5.x_lts?topic=ocac-oauth-introspection-third-party-oauth-providers
{
"httpCode": "401",
"httpMessage": "Unauthorized",
"moreInformation": "Cannot pass the security checks that are required by the target API or operation, Enable debug headers for more details."
}
Screenshot 1:
Screenshot 2:
Screenshot 3:
------------------------------
Guo Jun Qiao
------------------------------