Help-Desk / HELP-3068

FIWARE.Request.Tech.Security.IDM-KeyRock.idmchanges

    Details

    • Type: extRequest
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Fix Version/s: 2021
    • Component/s: FIWARE-TECH-HELP
    • Labels: None

      Description

      Dear Alvaro and FIWARE Lab support team,

      We understand that you are facing a lot of pressure lately and we appreciate your continued support efforts.

      FIcontent is facing a serious challenge due to changes on the IdM and we really need your help urgently to unblock the situation before our review with Arian Zwegers on Thursday 28th. Everything was working fine until the IdM migration. In this e-mail, we describe 2 different problems and propose several solutions that you can implement to make this work.

      Our overall goal:

      • Having a browser-side JavaScript application that can authenticate FIWARE Lab users by using the IdM's OAuth2 feature. Then automating OpenStack API calls on behalf of the user inside his personal OpenStack tenant.

      Current blocking points:

      • We are trying to convert (as the Cloud Portal does) an IdM OAuth2 token to an OpenStack Keystone token.

      o What we have:

      § an IdM OAuth2 token retrieved when the user is redirected to 'account.lab.fiware.org' where he logs in and authorizes our application ( https://account.lab.fiware.org/idm/myApplications/1d75df2ec0c1478db98a3c8db3169d63/ ).

      o What we DON'T have:

      § The user id

      § The user name, email

      § The user's tenant ID/name

      o What we are using:

      § The latest Jstack library by UPM (https://github.com/ging/jstack commit 7338b42)

      Technical detail of the steps:

      • The rest call to 'https://cloud.lab.fiware.org/keystone/v3/auth/tokens' returns the Keystone token in the http header 'x-subject-token'. The JavaScript code running inside the browser is unable to read this header due to CORS restrictions.

      o Solution 1: put the resulting token in an 'X-Auth-Token' header too.

      o Solution 2: put the token in the response's JSON body.

      o Solution 3: update the CORS policies to allow using the 'Access-Control-Allow-Headers' to authorize the 'Access-Control-Request-Headers' and perhaps some other tweaks.

      • We are missing one of the 2 values to properly use the previous API call:

      o The user's tenant id:

      § Because a call to the rest endpoint 'https://cloud.lab.fiware.org/keystone/v3/authorized_organizations/wzU_an_idm_token' or to the rest endpoint 'https://account.lab.fiware.org/user?access_token=wzU2_an_idm_token' returns an empty result.

      · Solution 1: grant rights to the 'FIC2Lab Runner' (1d75df2ec0c1478db98a3c8db3169d63) on the IdM. This is difficult for us to do because we don't have the necessary authorization or documentation.

      o The user's tenant name:

      § Because the call to the rest endpoint 'https://account.lab.fiware.org/user?access_token=wzU2_an_idm_token' is blocked by CORS policies.

      · Solution 2: update the CORS policies

      Last 2 tickets:

      https://jira.fi-ware.org:8443/browse/HELP-3055
      https://jira.fi-ware.org:8443/browse/HELP-3061

      Thank you very much for your help.

      Best regards,

      Mario & Geoffroy

      _______________________________________________
      Fiware-lab-help mailing list
      Fiware-lab-help@lists.fi-ware.org
      https://lists.fi-ware.org/listinfo/fiware-lab-help

      [Created via e-mail received from: LOPEZ RAMOS Mario <mario.lopezramos@thalesgroup.com>]

        Activity

        fw.ext.user FW External User added a comment -

        Hi Mario,

        answers inline.

        Hope this helps

        BR

        Álvaro

        In order to create an OpenStack token from an OAuth2 token you have to perform the following request:

        POST http://cloud.lab.fiware.org:4730/v3/auth/tokens
        body:

        {
          "auth": {
            "identity": {
              "methods": ["oauth2"],
              "oauth2": { "access_token_id": "<access_token>" }
            }
          }
        }

        (replace <access_token> with the IdM OAuth2 access token)

        In order to check the user information that you want (user id, user name) having an OAuth2 token you have to perform the following request:

        http://account.lab.fiware.org/user?access_token=token

        as explained here: https://github.com/ging/fi-ware-idm/wiki/Using-the-FI-LAB-instance#get-user-information-and-roles

        You cannot retrieve info about tenants because the OAuth2 token is an unscoped token.

        This is a behaviour imposed by OpenStack Keystone, so we cannot change anything there. Anyway, I don't understand your problem. You shouldn't have problems extracting the token; in fact I do so in the cloud portal.

        If you are a Basic user you do not have any organization authorised in the cloud portal.

        If you are a trial or a community user you will have your cloud organization authorised in the cloud portal. In order to authorise other users inside your cloud organization:

        1. Access https://account.lab.fiware.org and login
        2. Switch to your Cloud organization using the "Switch session" option in the dropdown in the left upper corner.
        3. Go to "Members" in the left side panel.
        4. Add the user you want to authorize as a member of the org using the "Manage" button
        5. Authorize the user inside Cloud Application giving him the role "Member" using the "Authorize" button


        fw.ext.user FW External User added a comment -

        Hi Alvaro,

        Thank you for your reactivity.

        I think I didn't explain correctly what we are trying to build: something equivalent to your cloud portal (but much simpler) for any FIWARE Community user to manage his resources on his own OpenStack tenant.
        The main problem we have is that this portal is hosted under a different domain and there are CORS security restrictions. So what works for you in the cloud portal doesn't work for us.

        See my remarks inline.

        Thank you for your patience. We can talk on the phone if it's simpler.

        Best regards,

        Mario

        From: Álvaro Alonso aalonsog@dit.upm.es
        Sent: Friday 22 May 2015 10:37
        To: LOPEZ RAMOS Mario
        Cc: fiware-lab-help@lists.fi-ware.org; CHOLLON Geoffroy; Juanjo Hierro; 'Federico Michele Facca' (federico.facca@create-net.org)
        Subject: Re: URGENT problem for FIcontent due to changes in the IdM

        Hi Mario,

        answers inline.

        Hope this helps

        BR

        Álvaro

        On 22 May 2015, at 09:56, LOPEZ RAMOS Mario <mario.lopezramos@thalesgroup.com> wrote:

        Dear Alvaro and FIWARE Lab support team,

        We understand that you are facing a lot of pressure lately and we appreciate your continued support efforts.

        FIcontent is facing a serious challenge due to changes on the IdM and we really need your help urgently to unblock the situation before our review with Arian Zwegers on Thursday 28th. Everything was working fine until the IdM migration. In this e-mail, we describe 2 different problems and propose several solutions that you can implement to make this work.

        Our overall goal:

        • Having a browser-side JavaScript application that can authenticate FIWARE Lab users by using the IdM's OAuth2 feature. Then automating OpenStack API calls on behalf of the user inside his personal OpenStack tenant.

        Current blocking points:

        • We are trying to convert (as the Cloud Portal does) an IdM OAuth2 token to an OpenStack Keystone token.
          o What we have:

        In order to create an OpenStack token from an OAuth2 token you have to perform the following request:

        POST http://cloud.lab.fiware.org:4730/v3/auth/tokens
        body:

        {
          "auth": {
            "identity": {
              "methods": ["oauth2"],
              "oauth2": { "access_token_id": "<access_token>" }
            }
          }
        }

        (replace <access_token> with the IdM OAuth2 access token)

        In order to check the user information that you want (user id, user name) having an OAuth2 token you have to perform the following request:

        http://account.lab.fiware.org/user?access_token=token

        as explained here: https://github.com/ging/fi-ware-idm/wiki/Using-the-FI-LAB-instance#get-user-information-and-roles

        You cannot retrieve info about tenants because the OAuth2 token is an unscoped token.

        Technical detail of the steps:

        • The rest call to 'https://cloud.lab.fiware.org/keystone/v3/auth/tokens' returns the Keystone token in the HTTP header 'x-subject-token'. The JavaScript code running inside the browser is unable to read this header due to CORS restrictions.
          o Solution 1: put the resulting token in an 'X-Auth-Token' header too.
          o Solution 2: put the token in the response's JSON body.
          o Solution 3: update the CORS policies to allow using the 'Access-Control-Allow-Headers' to authorize the 'Access-Control-Request-Headers' and perhaps some other tweaks.

        This is a behaviour imposed by OpenStack Keystone, so we cannot change anything there. Anyway, I don't understand your problem. You shouldn't have problems extracting the token; in fact I do so in the cloud portal.

        [Mario] You are allowed to do that in the cloud portal because both the cloud portal and the API are under the domain cloud.lab.fiware.org. If you tried from a version of the portal hosted somewhere else it would fail due to CORS policies, and that is what happens in our case. What we are trying to build is something like a simplified cloud portal in a different domain.

        • We are missing one of the 2 values to properly use the previous API call:
          o The user's tenant id:
            § Because a call to the rest endpoint 'https://cloud.lab.fiware.org/keystone/v3/authorized_organizations/wzU_an_idm_token' or to the rest endpoint 'https://account.lab.fiware.org/user?access_token=wzU2_an_idm_token' returns an empty result.
            · Solution 1: grant rights to the 'FIC2Lab Runner' (1d75df2ec0c1478db98a3c8db3169d63) on the IdM. This is difficult for us to do because we don't have the necessary authorization or documentation.
          o The user's tenant name:
            § Because the call to the rest endpoint 'https://account.lab.fiware.org/user?access_token=wzU2_an_idm_token' is blocked by CORS policies.
            · Solution 2: update the CORS policies

        If you are a Basic user you do not have any organization authorised in the cloud portal.

        If you are a trial or a community user you will have your cloud organization authorised in the cloud portal. In order to authorise other users inside your cloud organization:

        1. Access https://account.lab.fiware.org and login
        2. Switch to your Cloud organization using the "Switch session" option in the dropdown in the left upper corner.
        3. Go to "Members" in the left side panel.
        4. Add the user you want to authorize as a member of the org using the "Manage" button
        5. Authorize the user inside Cloud Application giving him the role "Member" using the "Authorize" button

        [Mario] Thank you for your answer, but it does not correspond to our problem: our application is like another cloud portal, it performs calls to the OpenStack API on behalf of the user that is logged in within his own tenant, using his own quotas (and assuming he has a Community Account).
        We don't want to authorize those users within my (Mario's) Cloud organization, we want our application to use the Cloud organization of the user that is logged in.

        Last 2 tickets:

        https://jira.fi-ware.org:8443/browse/HELP-3055
        https://jira.fi-ware.org:8443/browse/HELP-3061

        Thank you very much for your help.

        Best regards,

        Mario & Geoffroy
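The following is an added example, not code from this thread, from jstack or from the FIWARE Cloud Portal. It models Álvaro's Keystone v3 request body together with Mario's CORS point: a page served from another origin can only read the 'x-subject-token' response header if Keystone names it in an Access-Control-Expose-Headers response header, and any extra header such as 'X-Auth-Token' (Solution 1) is subject to the same rule. The JSON-body fallback of Solution 2 is modelled as a hypothetical `token.id` field, and the optional project scope uses the standard Keystone v3 `scope.project.id` form; both are assumptions, not something the thread specifies.

```javascript
// Added example (not part of the ticket, jstack or the Cloud Portal).

// Keystone v3 request body from Álvaro's answer. Without a scope Keystone
// returns an unscoped token, which is why tenant data is not visible;
// scoping to a project needs the tenant id the application is missing.
function buildOauth2AuthBody(accessToken, projectId) {
  if (typeof accessToken !== 'string' || accessToken.length === 0) {
    throw new TypeError('an IdM OAuth2 access token is required');
  }
  const body = {
    auth: {
      identity: {
        methods: ['oauth2'],
        oauth2: { access_token_id: accessToken },
      },
    },
  };
  if (projectId) {
    body.auth.scope = { project: { id: projectId } }; // standard Keystone v3 form
  }
  return body;
}

// Response headers the browser always lets cross-origin script read.
// Anything else must be listed in Access-Control-Expose-Headers; '*' is
// honoured only for requests sent without credentials.
const SAFELISTED = new Set(['cache-control', 'content-language',
  'content-length', 'content-type', 'expires', 'last-modified', 'pragma']);

function normalizeHeaders(headers) {
  const out = new Map();
  for (const [name, value] of Object.entries(headers)) {
    out.set(name.toLowerCase(), String(value));
  }
  return out;
}

function headerReadableByScript(headers, name, withCredentials) {
  const h = normalizeHeaders(headers);
  const wanted = name.toLowerCase();
  if (SAFELISTED.has(wanted)) return true;
  const exposed = (h.get('access-control-expose-headers') || '')
    .split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
  if (exposed.includes('*') && !withCredentials) return true;
  return exposed.includes(wanted);
}

// What the browser-side portal has to do after POST /v3/auth/tokens: take the
// token from x-subject-token when the browser allows it, otherwise fall back
// to the hypothetical JSON-body copy (Solution 2). Returns null when neither
// path yields a token, which is the situation the thread describes.
function extractKeystoneToken(headers, bodyText, withCredentials = true) {
  const h = normalizeHeaders(headers);
  const header = h.get('x-subject-token');
  if (header && headerReadableByScript(headers, 'x-subject-token', withCredentials)) {
    return { token: header, source: 'header' };
  }
  try {
    const parsed = JSON.parse(bodyText || '{}');
    if (parsed.token && typeof parsed.token.id === 'string') {
      return { token: parsed.token.id, source: 'body' };
    }
  } catch (e) { /* body is not JSON: fall through */ }
  return null;
}

// Response headers a CORS-aware Keystone front end would add for an
// allow-listed origin: echo that origin (never '*' when credentials or
// tokens are involved), expose the token header, and add Vary so shared
// caches keep the per-origin answers apart. Unknown origins get nothing.
function corsHeadersFor(origin, allowedOrigins) {
  if (!allowedOrigins.includes(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Expose-Headers': 'X-Subject-Token',
    'Vary': 'Origin',
  };
}

// Constructed sample: the same Keystone answer before and after the CORS fix.
const SAMPLE_TOKEN = 'constructed-keystone-token';
const beforeFix = { 'Content-Type': 'application/json', 'X-Subject-Token': SAMPLE_TOKEN };
const afterFix = {
  ...beforeFix,
  ...corsHeadersFor('https://portal.example', ['https://portal.example']),
};

console.log('before CORS fix:', extractKeystoneToken(beforeFix, '{}'));
console.log('after CORS fix: ', extractKeystoneToken(afterFix, '{}'));
```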

        fw.ext.user FW External User added a comment -

        Dear Alvaro and Joaquin,

        Sorry for bothering you again. We (FIcontent) are doing a demo of FIC2Lab to Arian Zwegers tomorrow and we need help with respect to my e-mail below. I have noticed that the corresponding JIRA ticket HELP-3068 (https://jira.fi-ware.org:8443/projects/HELP/issues/HELP-3068) has been marked as closed. However, the answers given by Alvaro do not address our problem.

        Could you please look at the 2 issues and the proposed solutions below?

        We can talk on the phone this afternoon if it's simpler for you.

        Thank you very much.

        Best regards,


        Mario LOPEZ-RAMOS
        Thales Communications & Security

        e-mail: mario.lopezramos@thalesgroup.com
        Tel: +33 (0)1 46 13 32 10
        Fax: +33 (0)1 46 13 26 86
        Add: 4, Avenue des Louvresses - 92622 Gennevilliers Cedex - France

        From: LOPEZ RAMOS Mario
        Sent: Friday 22 May 2015 11:23
        To: 'Álvaro Alonso'
        Cc: fiware-lab-help@lists.fi-ware.org; CHOLLON Geoffroy; Juanjo Hierro; 'Federico Michele Facca' (federico.facca@create-net.org)
        Subject: RE: URGENT problem for FIcontent due to changes in the IdM

        Hi Alvaro,

        Thank you for your reactivity.

        I think I didn't explain correctly what we are trying to build: something equivalent to your cloud portal (but much simpler) for any FIWARE Community user to manage his resources on his own OpenStack tenant.
        The main problem we have is that this portal is hosted under a different domain and there are CORS security restrictions. So what works for you in the cloud portal doesn't work for us.

        See my remarks inline.

        Thank you for your patience. We can talk on the phone if it's simpler.

        Best regards,

        Mario

        From: Álvaro Alonso aalonsog@dit.upm.es
        Sent: Friday 22 May 2015 10:37
        To: LOPEZ RAMOS Mario
        Cc: fiware-lab-help@lists.fi-ware.org; CHOLLON Geoffroy; Juanjo Hierro; 'Federico Michele Facca' (federico.facca@create-net.org)
        Subject: Re: URGENT problem for FIcontent due to changes in the IdM

        Hi Mario,

        answers inline.

        Hope this helps

        BR

        Álvaro

        On 22 May 2015, at 09:56, LOPEZ RAMOS Mario <mario.lopezramos@thalesgroup.com> wrote:

        Dear Alvaro and FIWARE Lab support team,

        We understand that you are facing a lot of pressure lately and we appreciate your continued support efforts.

        FIcontent is facing a serious challenge due to changes on the IdM and we really need your help urgently to unblock the situation before our review with Arian Zwegers on Thursday 28th. Everything was working fine until the IdM migration. In this e-mail, we describe 2 different problems and propose several solutions that you can implement to make this work.

        Our overall goal:

        • Having a browser-side JavaScript application that can authenticate FIWARE Lab users by using the IdM's OAuth2 feature. Then automating OpenStack API calls on behalf of the user inside his personal OpenStack tenant.

        Current blocking points:

        • We are trying to convert (as the Cloud Portal does) an IdM OAuth2 token to an OpenStack Keystone token.
          o What we have:

        In order to create an OpenStack token from an OAuth2 token you have to perform the following request:

        POST http://cloud.lab.fiware.org:4730/v3/auth/tokens
        body:

        {
          "auth": {
            "identity": {
              "methods": ["oauth2"],
              "oauth2": { "access_token_id": "<access_token>" }
            }
          }
        }

        (replace <access_token> with the IdM OAuth2 access token)

        In order to check the user information that you want (user id, user name) having an OAuth2 token you have to perform the following request:

        http://account.lab.fiware.org/user?access_token=token

        as explained here: https://github.com/ging/fi-ware-idm/wiki/Using-the-FI-LAB-instance#get-user-information-and-roles

        You cannot retrieve info about tenants because the OAuth2 token is an unscoped token.

        Technical detail of the steps:

        • The rest call to 'https://cloud.lab.fiware.org/keystone/v3/auth/tokens' returns the Keystone token in the HTTP header 'x-subject-token'. The JavaScript code running inside the browser is unable to read this header due to CORS restrictions.
          o Solution 1: put the resulting token in an 'X-Auth-Token' header too.
          o Solution 2: put the token in the response's JSON body.
          o Solution 3: update the CORS policies to allow using the 'Access-Control-Allow-Headers' to authorize the 'Access-Control-Request-Headers' and perhaps some other tweaks.

        This is a behaviour imposed by OpenStack Keystone, so we cannot change anything there. Anyway, I don't understand your problem. You shouldn't have problems extracting the token; in fact I do so in the cloud portal.

        [Mario] You are allowed to do that in the cloud portal because both the cloud portal and the API are under the domain cloud.lab.fiware.org. If you tried from a version of the portal hosted somewhere else it would fail due to CORS policies, and that is what happens in our case. What we are trying to build is something like a simplified cloud portal in a different domain.

        • We are missing one of the 2 values to properly use the previous API call:
          o The user's tenant id:
            § Because a call to the rest endpoint 'https://cloud.lab.fiware.org/keystone/v3/authorized_organizations/wzU_an_idm_token' or to the rest endpoint 'https://account.lab.fiware.org/user?access_token=wzU2_an_idm_token' returns an empty result.
            · Solution 1: grant rights to the 'FIC2Lab Runner' (1d75df2ec0c1478db98a3c8db3169d63) on the IdM. This is difficult for us to do because we don't have the necessary authorization or documentation.
          o The user's tenant name:
            § Because the call to the rest endpoint 'https://account.lab.fiware.org/user?access_token=wzU2_an_idm_token' is blocked by CORS policies.
            · Solution 2: update the CORS policies

        If you are a Basic user you do not have any organization authorised in the cloud portal.

        If you are a trial or a community user you will have your cloud organization authorised in the cloud portal. In order to authorise other users inside your cloud organization:

        1. Access https://account.lab.fiware.org and login
        2. Switch to your Cloud organization using the "Switch session" option in the dropdown in the left upper corner.
        3. Go to "Members" in the left side panel.
        4. Add the user you want to authorize as a member of the org using the "Manage" button
        5. Authorize the user inside Cloud Application giving him the role "Member" using the "Authorize" button

        [Mario] Thank you for your answer, but it does not correspond to our problem: our application is like another cloud portal, it performs calls to the OpenStack API on behalf of the user that is logged in within his own tenant, using his own quotas (and assuming he has a Community Account).
        We don't want to authorize those users within my (Mario's) Cloud organization, we want our application to use the Cloud organization of the user that is logged in.

        Last 2 tickets:

        https://jira.fi-ware.org:8443/browse/HELP-3055
        https://jira.fi-ware.org:8443/browse/HELP-3061

        Thank you very much for your help.

        Best regards,

        Mario & Geoffroy

        Show
        fw.ext.user FW External User added a comment - Dear Alvaro and Joaquin, Sorry for bothering you again. We (FIcontent) are doing a demo of FIC2Lab to Arian Sweggers tomorrow and we need help with respect to my e-mail below. I have noticed that the corresponding JIRA ticket HELP-3068 ( https://jira.fi-ware.org:8443/projects/HELP/issues/HELP-3068 ) has been marked as closed. However, the answers given by Alvaro do not address our problem. Could you please look at the 2 issues and the proposed solutions below? We can talk on the phone this afternoon if it's simpler for you. Thank you very much. Best regards, – Mario LOPEZ-RAMOS Thales Communications & Security e-mail: mario.lopezramos@thalesgroup.com< mario.lopezramos@thalesgroup.com > Tel: +33 (0)1 46 13 32 10 Fax: +33 (0)1 46 13 26 86 Add: 4, Avenue des Louvresses - 92622 Gennevilliers Cedex - France De : LOPEZ RAMOS Mario Envoyé : vendredi 22 mai 2015 11:23 À : 'Álvaro Alonso' Cc : fiware-lab-help@lists.fi-ware.org; CHOLLON Geoffroy; Juanjo Hierro; 'Federico Michele Facca' (federico.facca@create-net.org) Objet : RE: URGENT problem for FIcontent due to changes in the IdM Hi Alvaro, Thank you for your reactivity. I think I didn't explain correctly what we are trying to build: something equivalent to your cloud portal (but much simpler) for any FIWARE Community user to manage his resources on his own OpenStack tenant. The main problem we have is that this portal is hosted under a different domain and there are CORS security restrictions. So what works for you in the cloud portal doesn't work for us. See my remarks inline. Thank you for your patience. We can talk on the phone if it's simpler. 
Best regards,
Mario

From: Álvaro Alonso <aalonsog@dit.upm.es>
Sent: Friday 22 May 2015 10:37
To: LOPEZ RAMOS Mario
Cc: fiware-lab-help@lists.fi-ware.org; CHOLLON Geoffroy; Juanjo Hierro; 'Federico Michele Facca' (federico.facca@create-net.org)
Subject: Re: URGENT problem for FIcontent due to changes in the IdM

Hi Mario, answers inline. Hope this helps.

BR – Álvaro

On 22 May 2015, at 09:56, LOPEZ RAMOS Mario <mario.lopezramos@thalesgroup.com> wrote:

Dear Alvaro and FIWARE Lab support team,

We understand that you are facing a lot of pressure lately and we appreciate your continued support efforts.

FIcontent is facing a serious challenge due to changes on the IdM and we really need your help urgently to unblock the situation before our review with Arian Zwegers on Thursday 28th. Everything was working fine until the IdM migration. In this e-mail, we describe 2 different problems and propose several solutions that you can implement to make this work.

Our overall goal:

• Having a browser-side JavaScript application that can authenticate FIWARE Lab users by using the IdM's OAuth2 feature. Then automating OpenStack API calls on behalf of the user inside his personal OpenStack tenant.

Current blocking points:

• We are trying to convert (as the Cloud Portal does) an IdM OAuth2 token to an OpenStack Keystone token.

  o What we have:

    § an IdM OAuth2 token retrieved when the user is redirected to 'account.lab.fiware.org' where he logs in and authorizes our application ( https://account.lab.fiware.org/idm/myApplications/1d75df2ec0c1478db98a3c8db3169d63/ ).

  o What we DON'T have:

    § The user id
    § The user name, email
    § The user's tenant ID/name

  o What we are using:

    § The latest Jstack library by UPM ( https://github.com/ging/jstack commit 7338b42)

In order to create an openstack token from an oauth token you have to perform the following request:

POST http://cloud.lab.fiware.org:4730/v3/auth/tokens

body:

    {
      "auth": {
        "identity": {
          "methods": ["oauth2"],
          "oauth2": { "access_token_id": "<access_token>" }
        }
      }
    }

In order to check user information that you want (user id, user name) having an oauth2 token you have to perform the following request:

http://account.lab.fiware.org/user?access_token=token

as explained here: https://github.com/ging/fi-ware-idm/wiki/Using-the-FI-LAB-instance#get-user-information-and-roles

You can not retrieve info about tenants because the oauth2 token is an unscoped token.

Technical detail of the steps:

• The rest call to 'https://cloud.lab.fiware.org/keystone/v3/auth/tokens' returns the Keystone token in the http header 'x-subject-token'. The JavaScript code running inside the browser is unable to read this header due to CORS restrictions.

  o Solution 1: put the resulting token in a 'X-Auth-Token' header too.
  o Solution 2: put the token in the response's JSON body.
  o Solution 3: update the CORS policies to allow using the 'Access-Control-Allow-Headers' to authorize the 'Access-Control-Request-Headers' and perhaps some other tweaks.

This is a behaviour imposed by openstack keystone, so we cannot change anything there. Anyway I don't understand your problem. You shouldn't have problems extracting the token, in fact I do so in the cloud portal.

[Mario] You are allowed to do that in the cloud portal because both the cloud portal and the API are under the domain cloud.lab.fiware.org. If you tried from a version of the portal hosted somewhere else it would fail due to CORS policies, and that is what happens in our case. What we are trying to build is something like a simplified cloud portal in a different domain.

• We are missing one of the 2 values to properly use the previous API call:

  o The user's tenant id: Because a call to the rest endpoint 'https://cloud.lab.fiware.org/keystone/v3/authorized_organizations/wzU_an_idm_token' or to the rest endpoint 'https://account.lab.fiware.org/user?access_token=wzU2_an_idm_token' returns an empty result

    § Solution 1: grant rights to the 'FIC2Lab Runner' (1d75df2ec0c1478db98a3c8db3169d63) on the IdM. This is difficult for us to do because we don't have the necessary authorization or documentation.

  o The user's tenant name: Because the call to the rest endpoint 'https://account.lab.fiware.org/user?access_token=wzU2_an_idm_token' is blocked by CORS policies.

    § Solution 2: update the CORS policies

If you are a Basic user you do not have any organization authorised in the cloud portal.
If you are a trial or a community user you will have your cloud organization authorised in the cloud portal.

In order to authorise other users inside your cloud organization:

1. Access https://account.lab.fiware.org and login
2. Switch to your Cloud organization using the "Switch session" option in the dropdown in the left upper corner.
3. Go to "Members" in the left side panel.
4. Add the user you want to authorize as a member of the org using the "Manage" button
5. Authorize the user inside Cloud Application giving him the role "Member" using the "Authorize" button

[Mario] Thank you for your answer, but it does not correspond to our problem: our application is like another cloud portal, it performs calls to the OpenStack API on behalf of the user that is logged in within his own tenant, using his own quotas (and assuming he has a Community Account). We don't want to authorize those users within my (Mario's) Cloud organization, we want our application to use the Cloud organization of the user that is logged in.

Last 2 tickets:
https://jira.fi-ware.org:8443/browse/HELP-3055
https://jira.fi-ware.org:8443/browse/HELP-3061

Thank you very much for your help.

Best regards,
Mario & Geoffroy
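As an added example (not code from the ticket, from jstack or from the Cloud Portal), the browser-side exchange discussed above: the POST body with the oauth2 identity method, and the check a page on another origin is subject to before it can read X-Subject-Token, which is why exposing that header through CORS resolves the problem. The Keystone URL is the one quoted in the thread; the sample Keystone reply and its token value are constructed.

```javascript
// Added example; models the browser side of the OAuth2-to-Keystone exchange with a constructed reply.
const KEYSTONE_TOKENS_URL = "http://cloud.lab.fiware.org:4730/v3/auth/tokens"; // URL from the thread

// Request body for POST /v3/auth/tokens with the "oauth2" identity method, as given in the thread.
function buildOAuth2AuthBody(accessToken) {
  return { auth: { identity: { methods: ["oauth2"], oauth2: { access_token_id: accessToken } } } };
}

// Case-insensitive lookup in a plain { name: value } header map (stand-in for Response.headers).
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

// Header names a cross-origin script may read, taken from Access-Control-Expose-Headers.
function exposedHeaderNames(headers) {
  return (getHeader(headers, "Access-Control-Expose-Headers") || "")
    .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// Returns the Keystone token only if a page on another origin would be allowed to read it:
// X-Subject-Token is not a CORS-safelisted response header, so it must be listed in
// Access-Control-Expose-Headers ("*" counts only for requests sent without credentials).
// Same-origin callers, like the Cloud Portal on cloud.lab.fiware.org, are never filtered.
function readSubjectToken(headers, { crossOrigin = true, withCredentials = false } = {}) {
  const token = getHeader(headers, "X-Subject-Token");
  if (token === null || !crossOrigin) return token;
  const exposed = exposedHeaderNames(headers);
  const ok = exposed.includes("x-subject-token") || (exposed.includes("*") && !withCredentials);
  return ok ? token : null;
}

// Constructed Keystone reply: 201 with the token in X-Subject-Token, with or without CORS exposure.
function sampleKeystoneResponse(exposeToken) {
  const headers = { "X-Subject-Token": "constructed-keystone-token", "Content-Type": "application/json" };
  if (exposeToken) headers["Access-Control-Expose-Headers"] = "X-Subject-Token";
  return { status: 201, headers };
}

// End-to-end call; fetchImpl is injectable so the exchange can be exercised without network access.
async function keystoneTokenFromOAuth2(accessToken, fetchImpl = fetch) {
  const res = await fetchImpl(KEYSTONE_TOKENS_URL, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(buildOAuth2AuthBody(accessToken)),
  });
  if (res.status !== 201) throw new Error(`Keystone returned HTTP ${res.status}`);
  const headers = typeof res.headers.get === "function" ? Object.fromEntries(res.headers) : res.headers;
  return readSubjectToken(headers);
}
```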
        fw.ext.user FW External User added a comment -

        Hi Mario,

        I think the problem is that you are sending the request to the Cloud Portal instead of the Keystone API (http://cloud.lab.fiware.org:4730/v3/auth/tokens)

        Anyway, and in order to try to help you, I’ve added that header as allowed by CORS.

        Hope this helps.

        BR

        Álvaro

        _______________________________________________
        Fiware-lab-help mailing list
        Fiware-lab-help@lists.fi-ware.org
        https://lists.fi-ware.org/listinfo/fiware-lab-help

        joaquin.salvachua Joaquín Salvachúa added a comment -

        Hello,

        We are attending the Vienna Fiware Developers week, so we are not available for a phone call.

        But we are reading the mail, so don’t hesitate to contact us again.

        Best Regards

        Joaquin


          People

          • Assignee: aalonsog Alvaro Alonso
          • Reporter: fw.ext.user FW External User
          • Votes: 0
          • Watchers: 2