Apicurio-studio: Error while publishing API

Created on 24 Jun 2019  ·  5 comments  ·  Source: Apicurio/apicurio-studio

ApiCurio (http, port 8080) is running behind Nginx (http, port 80). The F5 (https) forwards requests to Nginx. I can successfully link https://github.com, but I get a "_Failed to access External IDP Access Token from Keycloak: 403 - Forbidden_" error while trying to "Publish API".

KeyCloak version: 3.4.3.Final.

Please note, I am getting the same error even if I remove F5 and Nginx from the picture and deal directly with ApiCurio.

_Error message:-_
image

Details:

```
io.apicurio.hub.core.exceptions.ServerError: Unexpected server error
at io.apicurio.hub.api.rest.impl.AccountsResource.getOrganizations(AccountsResource.java:241)
at io.apicurio.hub.api.rest.impl.AccountsResource$Proxy$_$$_WeldClientProxy.getOrganizations(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399)
at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363)
at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:310)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443)
at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233)
at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139)
at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at io.apicurio.hub.api.security.KeycloakAuthenticationFilter.doFilter(KeycloakAuthenticationFilter.java:72)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at io.apicurio.hub.api.filters.DisableCachingFilter.doFilter(DisableCachingFilter.java:66)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at io.apicurio.hub.api.filters.CorsFilter.doFilter(CorsFilter.java:64)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at io.opentracing.contrib.jaxrs2.server.SpanFinishingFilter.doFilter(SpanFinishingFilter.java:55)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.keycloak.adapters.undertow.UndertowAuthenticatedActionsHandler.handleRequest(UndertowAuthenticatedActionsHandler.java:66)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
at java.lang.Thread.run(Thread.java:745)
Caused by: io.apicurio.hub.api.connectors.SourceConnectorException: java.io.IOException: Unexpected response from Keycloak: 403::Forbidden
at io.apicurio.hub.api.connectors.AbstractSourceConnector.getExternalToken(AbstractSourceConnector.java:102)
at io.apicurio.hub.api.github.GitHubSourceConnector.githubClient(GitHubSourceConnector.java:88)
at io.apicurio.hub.api.github.GitHubSourceConnector.getOrganizations(GitHubSourceConnector.java:313)
at io.apicurio.hub.api.github.GitHubSourceConnector$Proxy$_$$_WeldClientProxy.getOrganizations(Unknown Source)
at io.apicurio.hub.api.rest.impl.AccountsResource.getOrganizations(AccountsResource.java:239)
... 83 more
Caused by: java.io.IOException: Unexpected response from Keycloak: 403::Forbidden
at io.apicurio.hub.api.security.KeycloakLinkedAccountsProvider.getLinkedAccountToken(KeycloakLinkedAccountsProvider.java:187)
at io.apicurio.hub.api.security.KeycloakLinkedAccountsProvider$Proxy$_$$_WeldClientProxy.getLinkedAccountToken(Unknown Source)
at io.apicurio.hub.api.connectors.AbstractSourceConnector.getExternalToken(AbstractSourceConnector.java:94)
... 87 more
```

The browser log:-
image

Please let me know if you need any additional information.

Labels: bug, question

All 5 comments

Hm. This error is happening when Apicurio attempts to invoke a Keycloak REST API to retrieve the GitHub access token that Keycloak is managing. This token is needed so that Apicurio can make authenticated calls to GitHub on behalf of the authenticated user.

I do not know offhand why Keycloak is responding with a 403. Are there any stack traces in the Keycloak server log?

_GitHub OAuth application:-_
image

_GitHub configuration in KeyCloak:-_
image

_Linking my GitHub account:-_
image

_Publishing my API to the linked GitHub:-_
image

_KeyCloak log:-_

```
2019-06-25 10:17:58,183 WARN [org.keycloak.events] (default task-24) type=IDENTITY_PROVIDER_RETRIEVE_TOKEN_ERROR, realmId=internal, clientId=null, userId=null, ipAddress=10.aaa.bbb.ccc, error=Client [apicurio-studio] not authorized to retrieve tokens from identity provider [github].
2019-06-25 10:17:58,184 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-24) Client [apicurio-studio] not authorized to retrieve tokens from identity provider [github].
```

This is likely because the apicurio-studio client (in Keycloak) is missing a required role. I don't have access to the specifics right now (I'm traveling) but from memory there is a broker role of some sort that is required. Oh wait - I can get the setting from a local KC I have installed. Here it is:

image

Check that setting in your KC realm.

@EricWittmann thank you so much for responding to my query. After adding the broker role to my user profile, I am able to publish APIs. Works well with GitHub and GitLab.

For those poor souls ending up here because of the error in keycloak log: Client [apicurio-studio] not authorized to retrieve tokens from identity provider [github].

The read-token role might be missing in two spots:

  1. broker's client default roles: add the read-token broker as default;
  2. existing user: add the role (Users->[user]->Role Mappings). Select client role broker. Assign the read-token role.
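The two comments above name the symptom (the `IDENTITY_PROVIDER_RETRIEVE_TOKEN_ERROR` event in the Keycloak log) and the fix (the `read-token` role of the built-in `broker` client). The following is an added example, not code from the issue or from the Apicurio project, that turns both into an automated check: it parses Keycloak event lines for that error and inspects a user's role mappings for the missing role. The JSON shape is assumed to be that of Keycloak's admin endpoint `GET /admin/realms/{realm}/users/{id}/role-mappings`; the sample inputs are constructed here.

```python
import re

# Constructed sample: the two Keycloak lines quoted in the issue (IP anonymised as in the report).
SAMPLE_LOG = """2019-06-25 10:17:58,183 WARN [org.keycloak.events] (default task-24) type=IDENTITY_PROVIDER_RETRIEVE_TOKEN_ERROR, realmId=internal, clientId=null, userId=null, ipAddress=10.aaa.bbb.ccc, error=Client [apicurio-studio] not authorized to retrieve tokens from identity provider [github].
2019-06-25 10:17:58,184 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-24) Client [apicurio-studio] not authorized to retrieve tokens from identity provider [github]."""

# Matches the key=value fields Keycloak writes for this event type; userId/clientId are
# logged as "null" here, so the user has to be identified from the Apicurio side.
EVENT_RE = re.compile(
    r"type=IDENTITY_PROVIDER_RETRIEVE_TOKEN_ERROR, realmId=(?P<realm>[^,]+), "
    r"clientId=(?P<client_id>[^,]+), userId=(?P<user_id>[^,]+), ipAddress=(?P<ip>[^,]+), "
    r"error=Client \[(?P<client>[^\]]+)\] not authorized to retrieve tokens "
    r"from identity provider \[(?P<idp>[^\]]+)\]"
)


def parse_retrieve_token_errors(log_text):
    """Return one dict per IDENTITY_PROVIDER_RETRIEVE_TOKEN_ERROR event in the log text."""
    return [m.groupdict() for m in EVENT_RE.finditer(log_text)]


def missing_broker_read_token(role_mappings):
    """True when the user's effective client role mappings lack broker/read-token.

    role_mappings is the body of GET /admin/realms/{realm}/users/{id}/role-mappings
    (assumed shape: {"realmMappings": [...], "clientMappings": {"broker": {"mappings": [...]}}}).
    """
    broker = role_mappings.get("clientMappings", {}).get("broker", {})
    names = {role.get("name") for role in broker.get("mappings", [])}
    return "read-token" not in names


def diagnose(log_text, role_mappings):
    """Combine both checks into a one-line verdict for the operator."""
    events = parse_retrieve_token_errors(log_text)
    if not events:
        return "no retrieve-token errors found in the Keycloak log"
    first = events[0]
    if missing_broker_read_token(role_mappings):
        return (f"client [{first['client']}] cannot read tokens from IdP [{first['idp']}] "
                f"in realm [{first['realm']}]: user lacks the broker/read-token role")
    return (f"client [{first['client']}] denied for IdP [{first['idp']}] although the user "
            f"has broker/read-token; check the broker client's default roles instead")


# Constructed role-mapping bodies: one without the role (the reporter's situation), one with it.
MAPPINGS_MISSING = {"realmMappings": [{"name": "offline_access"}], "clientMappings": {}}
MAPPINGS_OK = {"realmMappings": [{"name": "offline_access"}],
               "clientMappings": {"broker": {"client": "broker", "mappings": [{"name": "read-token"}]}}}

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, MAPPINGS_MISSING))
```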