  1. Help-Coaches-Desk
  2. HELC-488

FIWARE.Request.Coach.CreatiFI.WStore authentication with external platform

    Details

    • Type: extRequest
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Component/s: CreatiFI
    • Labels:
      None

      Description

      Dear FIWARE coach,
      we forward you a support request received from a CreatiFI applicant we are
      not able to solve.
      Please let us know if you need direct contact with the submitter.
      Thanks.

      *********************************************************

      We are using WStore for handling all store and purchase related aspects of
      our project. We are running WStore using the standard WStore image in
      fiware labs.
      For this, we need to authenticate on the WStore. Users will be created on
      our platform. As a result, what we need is a way to authenticate on WStore
      and linking that authenticated user (WStore-user) to the user on our
      platform (THEO-user). It is not possible for us to use the Keyrock idM GE.

      Our initial approach to resolve this was to let WStore use oauth and the
      platform's authentication mechanism. However, after discussing with
      Francisco de la Vega, it would appear this is not implemented in WStore and
      additional extensions are to be made in order to integrate with an external
      identity management system. As we are not skilled python programmers and
      for maintenance reasons, we prefer not to extend WStore with support for
      this unless there is an easy way for this to be done (preferably with a
      working example and a list of the API calls to be provided by the platform).
      We attempted to make our platform mock the fiware Keyrock idM (and mimic
      the API and handlers), setting OILAUTH = True and
      FIWARE_IDM_ENDPOINT = 'http://auth.theoplayer.com:3000/login' in the
      settings.py file.
      This was unsuccessful as opening WStore resulted in the following error:

      WrongBackend at /login/fiware/
      Incorrect authentication service "fiware"
      Request Method: GET
      Request URL: http://130.206.83.32/login/fiware/
      Django Version: 1.4.13
      Exception Type: WrongBackend
      Exception Value:
      Incorrect authentication service "fiware"
      Exception Location:
      /opt/wstore/src/virtenv/lib/python2.7/site-packages/social_auth/decorators.py
      in wrapper, line 28
      Python Executable: /usr/bin/python
      Python Version: 2.7.6
      Python Path:
      ['/opt/wstore/src/virtenv/lib/python2.7/site-packages',
      '/opt/wstore/src',
      '/usr/lib/python2.7',
      '/usr/lib/python2.7/plat-x86_64-linux-gnu',
      '/usr/lib/python2.7/lib-tk',
      '/usr/lib/python2.7/lib-old',
      '/usr/lib/python2.7/lib-dynload',
      '/usr/local/lib/python2.7/dist-packages',
      '/usr/lib/python2.7/dist-packages']

      As a result, our new approach would be to use the WStore embedded
      authentication system. It would be possible to create a WStore-user using
      an API call when creating a THEO-user on our system using a randomly
      generated password and username. We understand this will require us to
      obtain an access token from an admin account (1). Once this WStore-user has
      been created and the THEO-user indicates he wants to perform a purchase,
      the platform will obtain an access token for the THEO-user's WStore-user
      account (2) and perform REST API calls in order to retrieve or update the
      information from WStore.

      As the WStore embedded authentication system is an oauth system, we were
      hoping to use Resource Owner Password Credentials Grant in order to obtain
      an access token for (1) or (2). However, it would appear this grant type is
      not implemented in WStore. It would appear there is no grant type available
      in WStore in order to retrieve an access token via server2server
      communication alone. As a final solution, we are now looking into injecting
      (or updating) access tokens directly in the WStore database and are looking
      into information on how this can be done. More specifically we are looking
      at the tables and records which should be updated/inserted in order to
      achieve this. Preferably, access tokens would be eternal with extremely
      high expiration times in order to reduce the number of WStore database
      manipulations.

      Would it be possible to provide us with information how we can integrate
      this authentication? The main preference is still to use our own platform
      authentication, but without updating WStore.
      Thanks

      *********************************************************


      [Created via e-mail received from: Andrea Maestrini <amaestrini@create-net.org>]

          Activity

          fdelavega Francisco de la Vega added a comment -

          This issue is being treated directly with the issuer Pieter-Jan Speelmans. The response to their last question follows:

          Hi Pieter-Jan,

          If you wanted to use only WStore authentication it should be quite easy to implement the approach you proposed.
          As you stated in your previous email, the first step is setting:

          OILAUTH = False

          Then, you have to ensure that the app oauth2provider is installed. This is a django app that is already included with WStore, so to start using it just include the package in INSTALLED_APPS as follows:

          INSTALLED_APPS = (
          ...
          'wstore.oauth2provider',
          )

          The next step is registering your idm as a client application; this can be done from the django admin panel, which is accessible through a browser at /admin/. Note that you will need to log in with an admin user.

          In this view, you can create an application including a new client id and client secret, a name and some URLs. Note that in your approach, where you are going to directly provide the access token, this application is not going to be used, as you are not going to follow the OAuth2 process, but one needs to be created as the token model includes a foreign key to it.

          In the admin view you can also create Tokens for the different users, including the token, the application it refers to, the user, the type (bearer) and the expiration time.

          By providing those tokens in the headers, your users should be able to access the WStore APIs.

          If you want to create the tokens for the users automatically using an API, you can modify the API method for creating users to support providing the token, or create a new API for feeding a token for a concrete user.

          If you need some help in this task, do not hesitate to ask.

          Best regards,
          Francisco
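
The token record described in the comment above (token, application, user, type, expiration) can be modelled outside WStore to show how a platform would mint and check such bearer tokens. This is an added example, not WStore code or the commenter's: the class and function names, the one-hour lifetime cap, the storage of a SHA-256 digest instead of the raw token, and the `Bearer <token>` header format are all assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(hours=1)  # assumed policy value, not a WStore setting


@dataclass(frozen=True)
class TokenRecord:
    """Fields follow the comment's description; the names are hypothetical."""
    token_sha256: str     # digest kept server-side instead of the raw token
    application: str      # client id of the registered client application
    user: str
    token_type: str
    expires_at: datetime


def issue_token(user, application, lifetime=MAX_LIFETIME, now=None):
    """Return (raw_token, record); the raw token is handed out exactly once."""
    if lifetime <= timedelta(0) or lifetime > MAX_LIFETIME:
        raise ValueError("lifetime outside the allowed range")
    now = now or datetime.now(timezone.utc)
    raw = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    digest = hashlib.sha256(raw.encode()).hexdigest()
    return raw, TokenRecord(digest, application, user, "bearer", now + lifetime)


def authenticate(header, records, now=None):
    """Map a 'Bearer <token>' header value to a user, or None if rejected."""
    now = now or datetime.now(timezone.utc)
    scheme, _, raw = header.partition(" ")
    if scheme.lower() != "bearer" or not raw.strip():
        return None
    digest = hashlib.sha256(raw.strip().encode()).hexdigest()
    for rec in records:
        # Constant-time comparison of the stored and presented digests.
        if hmac.compare_digest(rec.token_sha256, digest):
            return rec.user if now < rec.expires_at else None
    return None
```
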


            People

            • Assignee:
              silviocretti Silvio Cretti
              Reporter:
              fw.ext.user FW External User
            • Votes: 0
            • Watchers: 2
