
FIWARE.Request.Tech.Security.IDM-KeyRock.CORSpolicies

    Details

    • Type: extRequest
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Fix Version/s: 2021
    • Component/s: FIWARE-TECH-HELP
    • Labels:
      None

      Description

      Hello

      I am trying to use from a browser the 'https://account.lab.fiware.org/user?access_token=Zx9xPeTqYPChPrXD5DDVTPQEOsVMSY' API call. It seems that the server behind it restricts this request due to strict/missing CORS policies.
      Is this a deliberate choice? If not, is it possible to update the CORS rules?

      The error:
      XMLHttpRequest cannot load https://account.lab.fiware.org/user?access_token=Zx9xPeTqYPChPrXD5DDVTPQEOsVMSY. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://195.220.224.10' is therefore not allowed access.

      Thanks
      Geoffroy

      _______________________________________________
      Fiware-lab-help mailing list
      Fiware-lab-help@lists.fi-ware.org
      https://lists.fi-ware.org/listinfo/fiware-lab-help

      [Created via e-mail received from: CHOLLON Geoffroy <geoffroy.chollon@thalesgroup.com>]


        Activity

        danieles Daniele Santoro added a comment -

        Dear,

        Thanks for contacting FIWARE support, I’ve forwarded your request to the right support. We will be back to you as soon as possible.

        Best,
        Daniele


        ichulani ilknur chulani added a comment -

        Dear Daniele and Alvaro,

        Has this issue been solved? or is it something you are still working on?

        One of the SMEs from the FINISH accelerator has contacted us regarding the same issue, here is their email:

        "Hello,
        we are trying to implement oauth2 implicit grant from IDM-KeyRock on filab.
        We are facing the issue described here https://jira.fiware.org/browse/HELP-3061 with cors settings.
        Is this supposed to be solved?

        Furthermore, we need to know if implicit grant is supported by the fispace platform (keycloak)

        Thank you"

        Could you kindly let us know what is the current status regarding this issue?

        Many thanks in advance,

        ilknur Chulani
        (from the FIWARE Coaching Team)

        joaquin.salvachua Joaquín Salvachúa added a comment -

        It was solved after several mail exchanges in May, so it must be closed.

        ichulani ilknur chulani added a comment -

        Dear Joaquin,

        Thanks for the update. It seems another SME as mentioned in my original comment also has this issue. Do you have any tips for them?

        Kind regards,

        ilknur

        joaquin.salvachua Joaquín Salvachúa added a comment -

        Some of the comments (was inline answers):

        In order to check user information that you want (user id, user name) having an oauth2 token you have to perform the following request:

        http://account.lab.fiware.org/user?access_token=token

        as explained here: https://github.com/ging/fi-ware-idm/wiki/Using-the-FI-LAB-instance#get-user-information-and-roles

        You cannot retrieve info about tenants because the oauth2 token is an unscoped token.

        Technical detail of the steps:

        • The rest call to 'https://cloud.lab.fiware.org/keystone/v3/auth/tokens' returns the Keystone token in the http header ‘x-subject-token’. The JavaScript code running inside the browser is unable to read this header due to CORS restrictions.
          o Solution 1: put the resulting token in a ‘X-Auth-Token’ header too.
          o Solution 2: put the token in the response’s JSON body.
          o Solution 3: update the CORS policies to allow using the ‘Access-Control-Allow-Headers’ to authorize the ‘Access-Control-Request-Headers’ and perhaps some other tweaks.

        "You are allowed to do that in the cloud portal because both the cloud portal and the API are under the domain cloud.lab.fiware.org. If you tried from a version of the portal hosted somewhere else it would fail due to CORS policies, and that is what happens in our case.

        • We are missing one of the 2 values to properly use the previous API call:
          o The user’s tenant id:
            § Because a call to the rest endpoint 'https://cloud.lab.fiware.org/keystone/v3/authorized_organizations/wzU_an_idm_token' or to the rest endpoint 'https://account.lab.fiware.org/user?access_token=wzU2_an_idm_token' returns an empty result
              · Solution 1: grant rights to the ‘FIC2Lab Runner’ (1d75df2ec0c1478db98a3c8db3169d63) on the IdM. This is difficult for us to do because we don’t have the necessary authorization or documentation.
          o The user’s tenant name:
            § Because the call to the rest endpoint 'https://account.lab.fiware.org/user?access_token=wzU2_an_idm_token' is blocked by CORS policies.
              · Solution 2: update the CORS policies

        If you are a Basic user you do not have any organization authorised in the cloud portal.

        If you are a trial or a community user you will have your cloud organization authorised in the cloud portal. In order to authorise other users inside your cloud organization:

        1. Access https://account.lab.fiware.org and login
        2. Switch to your Cloud organization using the "Switch session" option in the dropdown in the left upper corner.
        3. Go to "Members" in the left side panel.
        4. Add the user you want to authorize as a member of the org using the "Manage" button
        5. Authorize the user inside Cloud Application giving him the role "Member" using the "Authorize" button

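The CORS situation described in the comment above (a token returned in 'x-subject-token' that browser JavaScript cannot read, and a preflight that must authorise the requested headers) comes down to three response headers. The following is an added example, not KeyRock's or the FIWARE Lab's own code: a pure function that computes the CORS headers a token endpoint should send, restricted to an explicit origin allowlist instead of '*'. The origins, the allowed request headers and the sample requests are constructed for the example.

```javascript
// Added example (not KeyRock code). The browser needs: (1) Access-Control-Allow-Origin
// matching its Origin; (2) on a preflight, Access-Control-Allow-Headers covering the
// Access-Control-Request-Headers it asked for; (3) Access-Control-Expose-Headers, or
// XHR/fetch cannot read 'x-subject-token' even when the request itself succeeds.
const ALLOWED_ORIGINS = new Set([
  "https://cloud.lab.fiware.org",   // constructed allowlist entry
  "https://portal.example.org",     // hypothetical third-party portal
]);
const ALLOWED_REQUEST_HEADERS = new Set(["content-type", "x-auth-token"]);
const EXPOSED_HEADERS = ["X-Subject-Token", "X-Auth-Token"];

// Returns the CORS headers to add to the response, or null when the Origin (or a
// requested header) is not allowed: then no CORS headers are sent at all and the
// browser blocks the response, exactly as in the error quoted in the ticket.
function corsHeaders(req) {
  const origin = req.headers["origin"];
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  const headers = {
    "Access-Control-Allow-Origin": origin,  // echo the exact origin, never "*"
    "Vary": "Origin",                       // shared caches must key on Origin
  };
  if (req.method === "OPTIONS" && req.headers["access-control-request-method"]) {
    // Preflight: grant only request headers that are on the allowlist.
    const asked = (req.headers["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    if (!asked.every((h) => ALLOWED_REQUEST_HEADERS.has(h))) return null;
    headers["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS";
    if (asked.length) headers["Access-Control-Allow-Headers"] = asked.join(", ");
    headers["Access-Control-Max-Age"] = "600";
  } else {
    // Actual response: expose the token header so page script can read it.
    headers["Access-Control-Expose-Headers"] = EXPOSED_HEADERS.join(", ");
  }
  return headers;
}

// Constructed sample requests (header names lowercased, as Node's http module does).
const preflight = { method: "OPTIONS", headers: {
  origin: "https://portal.example.org",
  "access-control-request-method": "POST",
  "access-control-request-headers": "Content-Type, X-Auth-Token" } };
const tokenCall = { method: "POST", headers: { origin: "https://portal.example.org" } };
const foreign = { method: "GET", headers: { origin: "https://195.220.224.10" } };
```

Returning null for an unknown origin, rather than echoing it, is what keeps a bare-IP origin such as the one in the reporter's error from reading the token response.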

          People

          • Assignee:
            joaquin.salvachua Joaquín Salvachúa
            Reporter:
            fw.ext.user FW External User
