I'm new on apiman, and I'm trying to use some API calls with Jquery. But unfortunately I got this error:
XMLHttpRequest cannot load https://apigtw.url/apiman-gateway///1.0/?apikey=9999999-8888-6666-33333-968a712ce68b. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://myapp.local' is therefore not allowed access. The response had HTTP status code 500.
So, I'm using some policies, such as:
Keycloak Authorization Policy:
Require OAuth: true
Require Transport Security: true
Blacklist Unsafe Tokens: false
Realm: https://sso.local/auth/realms/test-realm
Keycloak Realm Certificate: <keycloak key certificate>
Forward Realm Roles? true
Authorization Policy Configuration:
Path: .*
Verb: *
Required Role: my-role
Did I miss something on apiman configuration?
I believe I should add CORs, but I don't know if it is necessary. I tried to use this but the error still occurs.
Please, need help
Does anyone know how to configure APIMan CORs?
Edit:
It seems this is was solved in issue 516, but still occurs with me. I'm using version 1.2.3 of APIMan
Here is the Response Headers:
Connection:close
Content-Type:application/json
Date:Wed, 28 Dec 2016 13:54:08 GMT
Server:Apache/2.4.18 (Ubuntu)
Transfer-Encoding:chunked
X-Gateway-Error:API not public.
X-Powered-By:Undertow/1
and
Here is the Request Headers:
Accept:*/*
Accept-Encoding:gzip, deflate, sdch, br
Accept-Language:pt-BR,pt;q=0.8,en-US;q=0.6,en;q=0.4
Access-Control-Request-Headers:authorization, x-api-key
Access-Control-Request-Method:GET
Connection:keep-alive
Host: apiman.url
Origin:http://192.168.56.22:8080
Referer:http://192.168.56.22:8080/app
User-Agent:Mozilla/5.0 ...
Query String Parameters
view source
view URL encoded
And here is my ajax request:
$.ajax({
url: 'https://apiman.url/apiman-gateway/<org>/<api>/1.0/<method>?apikey=xxxxxx-xxxxx-xxxxx-xxxxx',
headers: {
'Content-Type':'application/json',
'Accept' : 'application/json',
'Authorization' : 'Bearer ' + keycloak.token
},
method: 'GET',
dataType: 'json',
success: function(data){
console.log('header1', data);
}
});
Have you ensured that the CORS policy is before the Keycloak policy in the policy chain? That will ensure CORS is serviced first.
i.e. CORS Policy -> Keycloak Policy -> Authorization Policy
NB: If you're using the CORS policy then you should probably pass your API key as a query parameter because browsers do not pass custom headers during preflight request (that it performs on your behalf).
See: https://stackoverflow.com/a/13997235/2766538