  1. Help-Desk
  2. HELP-17650

FIWARE.Question.Tech.Configuring Fiware PEP Proxy, Keyrock and Orion Context Broker.

    Details

      Description

      Created question in FIWARE Q/A platform on 19-04-2021 at 11:04
      Please, ANSWER this question AT https://stackoverflow.com/questions/67160883/configuring-fiware-pep-proxy-keyrock-and-orion-context-broker

      Question:
      Configuring Fiware PEP Proxy, Keyrock and Orion Context Broker

      Description:
      I'm trying to integrate Keyrock and PEP Proxy in order to secure access to the Context Broker, but I'm having some issues.
      What I want to achieve is that only certain users registered in Keyrock can access the Context Broker.
      I followed the FIWARE tutorials, but in that development scenario there is an application which listens on port 3000 that is registered in Keyrock. But how can I get the same result without that tutorial application? Can't I secure access to the Context Broker without an application?
      If it's possible, some help would be nice. Here is the relevant part of my docker-compose file:
      keyrock:
        image: fiware/idm:${KEYROCK_VERSION}
        container_name: fiware-keyrock
        hostname: keyrock
        networks:
          default:
            ipv4_address: 172.18.1.5
        depends_on:
          - mysql-db
        ports:
          - "${KEYROCK_PORT}:${KEYROCK_PORT}" # localhost:3005
          - "${KEYROCK_HTTPS_PORT}:${KEYROCK_HTTPS_PORT}" # localhost:3443
        environment:
          - "DEBUG=idm:*"
          - "IDM_DB_HOST=mysql-db"
          - "IDM_DB_PASS_FILE=/run/secrets/my_secret_data"
          - "IDM_DB_USER=root"
          - "IDM_PORT=${KEYROCK_PORT}"
          - "IDM_HOST=http://localhost:${KEYROCK_PORT}"
          - "IDM_HTTPS_ENABLED=${IDM_HTTPS_ENABLED}"
          - "IDM_HTTPS_PORT=${KEYROCK_HTTPS_PORT}"
          - "IDM_ADMIN_USER=admin"
          - "IDM_ADMIN_EMAIL=admin@test.com"
          - "IDM_ADMIN_PASS=1234"
        secrets:
          - my_secret_data
        healthcheck:
          interval: 5s

      # Database
      mysql-db:
        restart: always
        image: mysql:${MYSQL_DB_VERSION}
        hostname: mysql-db
        container_name: db-mysql
        expose:
          - "${MYSQL_DB_PORT}"
        ports:
          - "${MYSQL_DB_PORT}:${MYSQL_DB_PORT}"
        networks:
          default:
            ipv4_address: 172.18.1.6
        environment:
          - "MYSQL_ROOT_PASSWORD_FILE=/run/secrets/my_secret_data"
          - "MYSQL_ROOT_HOST=172.18.1.5" # Allow Keyrock to access this database
        volumes:
          - mysql-db:/var/lib/mysql
        secrets:
          - my_secret_data

      orion-proxy:
        image: fiware/pep-proxy
        container_name: fiware-orion-proxy
        hostname: orion-proxy
        networks:
          default:
            ipv4_address: 172.18.1.10
        depends_on:
          - keyrock
        ports:
          - "1027:1027"
        expose:
          - "1027"
        environment:
          - PEP_PROXY_APP_HOST=orion
          - PEP_PROXY_APP_PORT=1026
          - PEP_PROXY_PORT=1027
          - PEP_PROXY_IDM_HOST=keyrock
          - PEP_PROXY_HTTPS_ENABLED=false
          - PEP_PROXY_AUTH_ENABLED=false
          - PEP_PROXY_IDM_SSL_ENABLED=false
          - PEP_PROXY_IDM_PORT=3005
          - PEP_PROXY_APP_ID= <Obtained in Keyrock>
          - PEP_PROXY_USERNAME= <Obtained in Keyrock>
          - PEP_PASSWORD= <Obtained in Keyrock>
          - PEP_PROXY_PDP=idm
          - PEP_PROXY_MAGIC_KEY=1234

      In order to test it, I registered a test application with URL localhost:1026 (Orion Context Broker URL) with a PEP Proxy (from which I got PEP_PROXY_APP_ID, PEP_PROXY_USERNAME and PEP_PASSWORD).
      When I run the docker containers it works, but the problem comes when I try to get an access token using this bash (changing CLIENT_ID and CLIENT_SECRET to those obtained in the OAuth2 field of the application and https://idm/oauth2/token to http://localhost:3005/oauth2/token) with admin credentials.
      I get an invalid_client: Invalid client: client is invalid error.
      If you need to see any more files, just ask me.
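
The token request and proxied call described in the question, as an added example that is not part of the original post or FIWARE's own script. It assumes the OAuth2 password grant, builds the Basic credential from the application's OAuth2 client ID and secret, requests a token from Keyrock on port 3005 and presents it to the PEP Proxy on port 1027. The function names are hypothetical and the client ID and secret are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example. Client ID and secret are constructed placeholders.
KEYROCK_URL="${KEYROCK_URL:-http://localhost:3005}"  # Keyrock port from the compose file
PEP_URL="${PEP_URL:-http://localhost:1027}"          # PEP_PROXY_PORT from the compose file

# Basic credential for the OAuth2 client: base64("<client id>:<client secret>").
# printf is used so that no trailing newline is encoded into the secret.
basic_credential() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Check a credential copied from elsewhere against the id and secret Keyrock shows.
credential_matches() {  # args: credential client_id client_secret
  [ "$1" = "$(basic_credential "$2" "$3")" ]
}

# Password-grant token request (assumed grant type; hypothetical function name).
request_token() {  # args: client_id client_secret username password
  curl -s -X POST "$KEYROCK_URL/oauth2/token" \
    -H 'Accept: application/json' \
    -H "Authorization: Basic $(basic_credential "$1" "$2")" \
    --data-urlencode 'grant_type=password' \
    --data-urlencode "username=$3" \
    --data-urlencode "password=$4"
}

# Pull access_token out of the JSON reply; prints nothing for an error reply.
extract_token() {
  sed -n 's/.*"access_token" *: *"\([^"]*\)".*/\1/p'
}

# Call Orion through the PEP Proxy, presenting the token; prints the HTTP status.
query_orion() {  # args: access_token
  curl -s -o /dev/null -w '%{http_code}\n' "$PEP_URL/v2/entities" -H "X-Auth-Token: $1"
}

# Live run only when asked, so sourcing the file makes no network calls.
if [ "${RUN_LIVE:-0}" = 1 ]; then
  CLIENT_ID='constructed-client-id'          # OAuth2 Client ID of the application
  CLIENT_SECRET='constructed-client-secret'  # OAuth2 Client Secret of the application
  # User and password are IDM_ADMIN_EMAIL / IDM_ADMIN_PASS from the compose file.
  reply=$(request_token "$CLIENT_ID" "$CLIENT_SECRET" 'admin@test.com' '1234')
  token=$(printf '%s' "$reply" | extract_token)
  if [ -z "$token" ]; then
    echo "no token issued: $reply" >&2
    exit 1
  fi
  query_orion "$token"
fi
```

Set `RUN_LIVE=1` to run it against the running containers; without it the file only defines the functions.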

        Activity

        Transition | Time In Source Status | Execution Times | Last Executer | Last Execution Date
        Open -> In Progress | 6d 23h 59m | 1 | Backlog Manager | 27/Apr/21 7:31 AM
        In Progress -> Closed | 23h 59m | 1 | Backlog Manager | 28/Apr/21 7:31 AM

          People

          • Assignee: Jason Fox (jason.fox)
          • Reporter: Backlog Manager (backlogmanager)