keycloak not authenticating, just 401 error

[Pipasaurus-Rex]

Hi,
So I have been installing 17.1-HYVE-6.2 onto a linux 18.04 virtual machine, following the instructions I have managed to get keycloak installed and the WAR running.

Now I can get into http://localhost:8081/open-api/index.html and see a web page that matches the back end example (http://transmart.thehyve.net/) from https://wiki.transmartfoundation.org/display/transmartwiki/tranSMART+17.1+Server+release#tranSMART17.1Serverrelease-RESTAPIV2

But any other pages I try to get to by changing the URL or clicking links that don't lead to external documentation give me a whitelabel 401 error because it wants me to login. (Strangely the example page also does this so maybe I am right?)

There were a few warnings from the WAR mostly about the tomcat serverlet needing a bigger cache, but nothing that stopped it running and I don't think it would cause this issue.

It seems to me that there might just be some final step that I missed integrating the keycloak server but I can't find anything else in the instructions?

[dileep021]

did you find any solution?

[gijskant]

I agree that the documentation is not very informative on the authentication part.
We typically deploy the TranSMART API server with Keycloak for authentication, which uses the OpenID Connect standard for the authentication workflow.
To access the REST API, you need to supply an access token in the Authorization header: Authorization: Bearer <token>.
To obtain a token from Keycloak, you could use:

curl -d 'client_id=transmart-client' -d "username=${USERNAME}" -d "password=${PASSWORD}" -d 'grant_type=password' "https://${KEYCLOAK_SERVER_URL}/auth/realms/${KEYCLOAK_REALM}/protocol/openid-connect/token" -X POST

This will return a JSON response, e.g.:

{"access_token":"<token>","expires_in":60,"refresh_expires_in":1800,"refresh_token":"...","token_type":"bearer","not-before-policy":1557492420,"session_state":"..."}

The content of the access_token field is the access token you can use in the requests to the REST API. Note that this is a token with a limited lifetime: the token expires typically after a couple of minutes.

To fetch the list of studies from the REST API, you can now use:

curl https://transmart-dev.thehyve.net/v2/studies -H "Authorization: Bearer ${ACCESS_TOKEN}"

To deal with the expiration of tokens, you could obtain an offline token and use it to refresh the access token. This workflow is supported by the Python TranSMART client, see e.g., the example Jupyter notebook for querying.

The Glowing Bear user interface also supports the authentication workflow. The easiest way to set up the TranSMART API server with Glowing Bear is using the Docker compose scripts for Glowing Bear. This also sets up the database and a number of services required by Glowing Bear. There is also an option to set up Keycloak.
The example instance of Glowing Bear is running at https://glowingbear.thehyve.net. This one connects to the https://transmart.thehyve.net API.

Does this information help you further?

[gijskant]

Please note that 17.2.7 is the latest version. Another release (with updated dependencies) is coming soon.