Details
-
Type: extRequest
-
Status: Closed
-
Priority: Major
-
Resolution: Done
-
Component/s: CreatiFI
-
Labels: None
Description
Dear FIWARE coach,
we forward you a support request received from a CreatiFI applicant we are
not able to solve.
Please let us know if you need direct contact with the submitter.
Thanks.
*********************************************************
We are using WStore for handling all store and purchase related aspects of
our project. We are running WStore using the standard WStore image in
fiware labs.
For this, we need to authenticate on the WStore. Users will be created on
our platform. As a result, what we need is a way to authenticate on WStore
and linking that authenticated user (WStore-user) to the user on our
platform (THEO-user). It is not possible for us to use the Keyrock idM GE.
Our initial approach to resolve this was to let WStore use oauth and the
platform's authentication mechanism. However, after discussing with
Francisco de la Vega, it would appear this is not implemented in WStore and
additional extensions are to be made in order to integrate with an external
identity management system. As we are not skilled python programmers and
for maintenance reasons, we prefer not to extend WStore with support for
this unless there is an easy way for this to be done (preferably with a
working example and a list of the API calls to be provided by the platform).
We attempted to make our platform mock the fiware Keyrock idM (and mimic
the API and handlers), setting OILAUTH = True and
FIWARE_IDM_ENDPOINT = 'http://auth.theoplayer.com:3000/login' in the settings.py file.
This was unsuccessful as opening WStore resulted in the following error:
WrongBackend at /login/fiware/
Incorrect authentication service "fiware"
Request Method: GET
Request URL: http://130.206.83.32/login/fiware/
Django Version: 1.4.13
Exception Type: WrongBackend
Exception Value:
Incorrect authentication service "fiware"
Exception Location:
/opt/wstore/src/virtenv/lib/python2.7/site-packages/social_auth/decorators.py
in wrapper, line 28
Python Executable: /usr/bin/python
Python Version: 2.7.6
Python Path:
['/opt/wstore/src/virtenv/lib/python2.7/site-packages',
'/opt/wstore/src',
'/usr/lib/python2.7',
'/usr/lib/python2.7/plat-x86_64-linux-gnu',
'/usr/lib/python2.7/lib-tk',
'/usr/lib/python2.7/lib-old',
'/usr/lib/python2.7/lib-dynload',
'/usr/local/lib/python2.7/dist-packages',
'/usr/lib/python2.7/dist-packages']
As a result, our new approach would be to use the WStore embedded
authentication system. It would be possible to create a WStore-user using
an API call when creating a THEO-user on our system using a random
generated password and username. We understand this will require us to
obtain an access token from an admin account (1). Once this WStore-user has
been created and the THEO-user indicates he wants to perform a purchase,
the platform will obtain an access token for the THEO-user's WStore-user
account (2) and perform REST API calls in order to retrieve or update the
information from WStore.
As the WStore embedded authentication system is an oauth system, we were
hoping to use Resource Owner Password Credentials Grant in order to obtain
an access token for (1) or (2). However, it would appear this grant type is
not implemented in WStore. It would appear there is no grant type available
in WStore in order to retrieve an access token via server2server
communication alone. As a final solution, we are now looking into injecting
(or updating) access tokens directly in the WStore database and are looking
into information on how this can be done. More specifically we are looking
at the tables and records which should be updated/inserted in order to
achieve this. Preferably, access tokens would be eternal with extremely
high expiration times in order to reduce the number of WStore database
manipulations.
Would it be possible to provide us with information how we can integrate
this authentication? The main preference is still to use our own platform
authentication, but without updating WStore.
Thanks
*********************************************************
_______________________________________________
Fiware-creatifi-coaching mailing list
Fiware-creatifi-coaching@lists.fi-ware.org
https://lists.fi-ware.org/listinfo/fiware-creatifi-coaching
[Created via e-mail received from: Andrea Maestrini <amaestrini@create-net.org>]
Issue Links
- relates to
-
HELP-4525 FIWARE.Request.Tech.Apps.Store.WStore authentication with external platform
- Closed
Activity
This issue is being treated directly with the issuer Pieter-Jan Speelmans. The response to their last question follows:
Hi Pieter-Jan,
If you wanted to use only WStore authentication it should be quite easy to implement the approach you proposed.
As you stated in your previous email, the first step is setting:
OILAUTH = False
Then, you have to ensure that the app oauth2provider is installed. This is a django app that is already included with WStore, so to start using it just include the package in INSTALLED_APPS as follows:
INSTALLED_APPS = (
...
'wstore.oauth2provider',
)
The next step is registering your idm as a client application. This can be done from the django admin panel, which is accessible through a browser at /admin/. Note that you will need to log in with an admin user.
In this view, you can create an application including a new client id and client secret, a name and some URLs. Note that in your approach, since you are going to directly provide the access token, this application is not going to be used, as you are not going to follow the OAuth2 process; but it is needed to create one, as the token model includes a foreign key to it.
In the admin view you can also create Tokens for the different users, including the token, the application it refers to, the user, the type (bearer) and the expiration time.
Providing those tokens in the headers, your users should be able to access WStore APIs.
If you want to create the tokens for the users automatically using an API, you can modify the API method for creating users to support providing the token, or create a new API for feeding a token for a concrete user.
If you need some help in this task, do not hesitate to ask.
Best regards,
Francisco
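The reply above suggests a new API that "feeds" a bearer token for a concrete user, with the token row carrying the token value, the client application it belongs to, the user, the type and an expiration time. The following is an added example, not WStore code and not part of Francisco's reply: a self-contained Python model of such a token-feeding endpoint and of the bearer-header check that consumes it. The names Application, Token, TokenStore, feed_token and authenticate are hypothetical, as is the 24-hour cap on token lifetime; the in-memory store stands in for the database table. It departs from the "eternal token" idea in the request in two places a practitioner would want: the lifetime is bounded, and only a hash of the token is persisted, so a dump of the table does not yield usable credentials.

```python
"""Hypothetical 'feed a token for a concrete user' helper (example code, not WStore's).

Models the token fields named in the thread: token value, application (FK),
user, type (bearer) and expiration time. Storage is an in-memory dict that
stands in for the database table.
"""
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


@dataclass(frozen=True)
class Application:
    """Stand-in for the client application registered in the admin panel."""
    client_id: str
    name: str


@dataclass
class Token:
    token_hash: str          # sha256 of the opaque token; the plaintext is never stored
    application: Application
    user: str
    token_type: str
    expires_at: datetime


@dataclass
class TokenStore:
    """In-memory stand-in for the token table (constructed for this example)."""
    rows: Dict[str, Token] = field(default_factory=dict)

    def add(self, tok: Token) -> None:
        self.rows[tok.token_hash] = tok

    def lookup(self, token_hash: str) -> Optional[Token]:
        return self.rows.get(token_hash)


MAX_TTL_SECONDS = 24 * 3600   # lifetime cap chosen for this example, not a WStore setting


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def feed_token(store: TokenStore, app: Application, user: str,
               ttl_seconds: int, now: Optional[datetime] = None) -> str:
    """Mint an opaque bearer token for `user`, persist only its hash, return the plaintext once.

    Rejects non-positive lifetimes and anything above MAX_TTL_SECONDS, so callers
    cannot create the 'eternal' tokens the request asked about.
    """
    if ttl_seconds <= 0 or ttl_seconds > MAX_TTL_SECONDS:
        raise ValueError("ttl_seconds must be in (0, MAX_TTL_SECONDS]")
    now = now or datetime.now(timezone.utc)
    plaintext = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    store.add(Token(_hash(plaintext), app, user, "Bearer", now + timedelta(seconds=ttl_seconds)))
    return plaintext


def authenticate(store: TokenStore, authorization_header: Optional[str],
                 now: Optional[datetime] = None) -> Optional[str]:
    """Resolve an Authorization header to a user name; None if missing, malformed, unknown or expired."""
    now = now or datetime.now(timezone.utc)
    if not authorization_header:
        return None
    scheme, _, credential = authorization_header.strip().partition(" ")
    if scheme.lower() != "bearer" or not credential:
        return None
    row = store.lookup(_hash(credential.strip()))
    if row is None or now >= row.expires_at:
        return None
    return row.user


def run_demo() -> dict:
    """Walk through the flow with a fixed clock and return the observations."""
    store = TokenStore()
    app = Application("theo-platform", "THEO platform (hypothetical client)")
    t0 = datetime(2015, 1, 1, tzinfo=timezone.utc)
    tok = feed_token(store, app, "theo-user-42", 3600, now=t0)
    results = {
        "valid": authenticate(store, "Bearer " + tok, now=t0 + timedelta(minutes=30)),
        "expired": authenticate(store, "Bearer " + tok, now=t0 + timedelta(hours=2)),
        "wrong_scheme": authenticate(store, "Basic " + tok, now=t0),
        "unknown": authenticate(store, "Bearer " + secrets.token_urlsafe(32), now=t0),
        "plaintext_stored": tok in {row.token_hash for row in store.rows.values()},
    }
    try:
        feed_token(store, app, "theo-user-42", 10 * 365 * 24 * 3600, now=t0)
        results["eternal_rejected"] = False
    except ValueError:
        results["eternal_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

In a real deployment the platform would call this endpoint server-to-server with the admin credential when the THEO-user is created or about to purchase, then send the returned value as `Authorization: Bearer <token>` on WStore API calls; because only the hash is kept, a lost token is replaced by feeding a new one rather than recovered from the table.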