Uploaded image for project: 'Help-Desk'
  1. Help-Desk
  2. HELP-22987

[fiware-stackoverflow] Expected behaviour of the "Authorization Service Header" permission option

        Details

          Description

          Created question in FIWARE Q/A platform on 13-02-2024 at 13:02
          Please, ANSWER this question AT https://stackoverflow.com/questions/77988058/expected-behaviour-of-the-authorization-service-header-permission-option

          Question:
          Expected behaviour of the "Authorization Service Header" permission option

          Description:
          We're trying to get the PEP Proxy to check the permissions in the IDM and take the Fiware-Service / NGSILD-Tenant header into account.
          The Wilma PEP Proxy allows us to set the PEP_PROXY_TENANT_HEADER env, which in turn sets the config.authorization.header config var. This together with Keyrock's permissions, which allows us to set the service header value (added through #157, if I'm correct):
          (for screenshot, see github issue below)
          But, unfortunately, it's not working.
          When trying to fetch entities through the PEP Proxy, with an Oauth2 access token which has the above-mentioned permission, the access is denied: User access-token not authorized.
          If we uncheck the "Use Authorization Service Header" value in the permission, it does work.
          Now I've been digging through the code of both the IDM and the PEP Proxy to see what's happening under the hood. So far, I've followed it too:

          The proxy getting the configured header value from the request
          The proxy adding the &authorization_service_header query parameter with the above fetched value to the request, which goes to the IDM
          The IDM fetching the authorization_service_header query parameter and passing it into the authenticate methods
          The IDM checking the user permission, and when the permission has the use_authorization_service_header enabled, checking the authorization_service_header value against the options.service_header

          I've been using v7.9.2 of both GE's. And, I've tried using the latest v8.4.0 versions of both, which also had interesting results. Instead of the request being denied when the permission has the "Use Authorization Service Header" enabled, it ignores it entirely, and allows any value to be passed. Making it possible to fetch entities from any tenant, regardless of the permissions configured value.
          Hoping anyone has some idea of what might be the issue. And, whether the above-mentioned functionality is actually supported, as I haven't found any references in the documentation.
          Thanks in advance!
          Rob
          GitHub issue:
          https://github.com/ging/fiware-idm/issues/352

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                newbacklogmanager Backlog Manager
              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated: