Gateway authentication problem: version 3 (all user/password are accepted)

[RG1875]

Hello,

I work in an API service, web service finally API management.
In my start-up, we want to set up an API management solution and preferably Open Source.
We have knowledge in API management.
We looked at the solutions available on the market and we were interested in APIMAN.
Therefore, we made a POC (Proof of Concept) by installing version 2.
Then as version 3.1.2.Final was released, we decided to test it and deploy it. We took vert.x gateways.
But we encounter a problem on the gateway side with the authentication part on this version 3 that we did not encounter with version 2.
In a few words, what we found is that we are trying the gateway; it accepts all logins/passwords. It does not take into account the login/password configured in the Keycloack: this is not really acceptable on the security side.

Below are some screenshots of our configuration:

To clarify things, we are using version 20 of Keycloack with version 3 on the APIMAN side.
Thanks for your help.

[msavy]

The only thing I can think of is that someone tuned off the gateway authentication in your Vert.x Gateway's JSON configuration.

[RG1875]

Hello Marc, Thank you for your response.
Below our config:

"auth": {
"type": "keycloak",
"config": {
"flowType": "PASSWORD",
"requiredRole": "realm:apipublisher",
"realm": "apiman",
"realm-public-key": "${KEYCLOAK_PUBLIC_KEY}",
"auth-server-url": "${KEYCLOAK_AUTH_URL}",
"ssl-required": "none",
"resource": "apiman-gateway-api",
"credentials": {
"secret": "${KEYCLOAK_GW_SECRET}"
}
}
},

[msavy]

It is a bug in the upstream version where a status check was allowed without auth but the UI is relying on it - I've fixed it for downstream customers.

You can safely continue using it, it is not a security issue. If you use the wrong password, your gateway will not actually be able to publish anything.

It will be fixed upstream in the next major version of Apiman when I am able to release it.

[volkflo]

Hi together,
just read the discussion.
@msavy I think this is probably caused by this commit. There was a change on the gateway endpoints to allow public health checks.
See: a83fad9

If you e.g. try to publish an API with wrong credentials it will fail because the auth still works.

[msavy]

Ah yes, I forgot about that. I've fixed it for supported customers. I'll roll the fix into the next version if/when I can do it (likely Apiman 4).