keycloak wso2-api-manager

Configuring Keycloak 22.0.4 as a key manager in WSO2 APIM


[2024-03-29 11:11:32,491] ERROR - AccessTokenGenerator Error occurred when generating a new Access token. Server responded with 400
[2024-03-29 11:11:32,646] ERROR - APIUtil Error occurred while executing SubscriberKeyMgtClient.
feign.FeignException$Unauthorized: [401 Unauthorized] during [POST] to [http://0.0.0.0:8080/realms/master/clients-registrations/openid-connect] [DCRClient#createApplication(ClientInfo)]: [{"error":"invalid_token","error_description":"Failed decode token"}]
    at feign.FeignException.clientErrorStatus(FeignException.java:215) ~[io.github.openfeign.feign-core_11.9.1.jar:?]
    at feign.FeignException.errorStatus(FeignException.java:194) ~[io.github.openfeign.feign-core_11.9.1.jar:?]
    at feign.FeignException.errorStatus(FeignException.java:185) ~[io.github.openfeign.feign-core_11.9.1.jar:?]
    at feign.codec.ErrorDecoder$Default.decode(ErrorDecoder.java:92) ~[io.github.openfeign.feign-core_11.9.1.jar:?]
    at feign.AsyncResponseHandler.handleResponse(AsyncResponseHandler.java:98) ~[io.github.openfeign.feign-core_11.9.1.jar:?]
    at feign.SynchronousMethodHandler.executeAndDecode(SynchronousMethodHandler.java:141) ~[io.github.openfeign.feign-core_11.9.1.jar:?]
    at feign.SynchronousMethodHandler.invoke(SynchronousMethodHandler.java:91) ~[io.github.openfeign.feign-core_11.9.1.jar:?]
    at feign.ReflectiveFeign$FeignInvocationHandler.invoke(ReflectiveFeign.java:100) ~[io.github.openfeign.feign-core_11.9.1.jar:?]
    at jdk.proxy35.$Proxy467.createApplication(Unknown Source) ~[?:?]
    at org.wso2.keycloak.client.KeycloakClient.createApplication(KeycloakClient.java:134) ~[keycloak.key.manager_2.1.0.jar:?]
    at org.wso2.carbon.apimgt.impl.workflow.AbstractApplicationRegistrationWorkflowExecutor.dogenerateKeysForApplication_aroundBody8(AbstractApplicationRegistrationWorkflowExecutor.java:153) ~[org.wso2.carbon.apimgt.impl_9.28.116.76.jar:?]
    at org.wso2.carbon.apimgt.impl.workflow.AbstractApplicationRegistrationWorkflowExecutor.dogenerateKeysForApplication(AbstractApplicationRegistrationWorkflowExecutor.java:1) ~[org.wso2.carbon.apimgt.impl_9.28.116.76.jar:?]
    at org.wso2.carbon.apimgt.impl.workflow.AbstractApplicationRegistrationWorkflowExecutor.generateKeysForApplication_aroundBody6(AbstractApplicationRegistrationWorkflowExecutor.java:120) ~[org.wso2.carbon.apimgt.impl_9.28.116.76.jar:?]
    at org.wso2.carbon.apimgt.impl.workflow.AbstractApplicationRegistrationWorkflowExecutor.generateKeysForApplication(AbstractApplicationRegistrationWorkflowExecutor.java:1) ~[org.wso2.carbon.apimgt.impl_9.28.116.76.jar:?]
    at org.wso2.carbon.apimgt.impl.workflow.ApplicationRegistrationSimpleWorkflowExecutor.complete_aroundBody2(ApplicationRegistrationSimpleWorkflowExecutor.java:77) ~[org.wso2.carbon.apimgt.impl_9.28.116.76.jar:?]
    at org.wso2.carbon.apimgt.impl.workflow.ApplicationRegistrationSimpleWorkflowExecutor.complete(ApplicationRegistrationSimpleWorkflowExecutor.java:1) ~[org.wso2.carbon.apimgt.impl_9.28.116.76.jar:?]
    at org.wso2.carbon.apimgt.impl.workflow.ApplicationRegistrationSimpleWorkflowExecutor.execute_aroundBody0(ApplicationRegistrationSimpleWorkflowExecutor.java:54) ~[org.wso2.carbon.apimgt.impl_9.28.116.76.jar:?]
    at org.wso2.carbon.apimgt.impl.workflow.ApplicationRegistrationSimpleWorkflowExecutor.execute(ApplicationRegistrationSimpleWorkflowExecutor.java:1) ~[org.wso2.carbon.apimgt.impl_9.28.116.76.jar:?]
    at org.wso2.carbon.apimgt.impl.APIConsumerImpl.requestApprovalForApplicationRegistration_aroundBody106(APIConsumerImpl.java:2313) ~[org.wso2.carbon.apimgt.impl_9.28.116.76.jar:?]
    at org.wso2.carbon.apimgt.impl.APIConsumerImpl.requestApprovalForApplicationRegistration(APIConsumerImpl.java:1) ~[org.wso2.carbon.apimgt.impl_9.28.116.76.jar:?]
    at org.wso2.carbon.apimgt.rest.api.store.v1.impl.ApplicationsApiServiceImpl.applicationsApplicationIdGenerateKeysPost(ApplicationsApiServiceImpl.java:788) ~[?:?]

I'm getting the above error when configuring Keycloak as a Key Manager in WSO2 APIM. I have double-checked the URLs in the key manager and have also gone through this blog text, but it is not solved. I'm using WSO2 APIM 4.2.0.


Solution

  • This is due to not correctly configuring the client in Keycloak. I assume you have not added the default scope to the client, which causes this error.

    Could you please follow the new docs[1] to configure the client in Keycloak? We recently updated the documentation to be compatible with the new Keycloak version.

    [1] https://apim.docs.wso2.com/en/latest/administer/key-managers/configure-keycloak-connector/#step-1-configure-keycloak