Dear Alvaro and FIWARE Lab support team,

We understand that you are facing a lot of pressure lately and we appreciate your continued support efforts.

FIcontent is facing a serious challenge due to changes on the IdM and we really need your help urgently to unblock the situation before our review with Arian Zwegers on Thursday 28th. Everything was working fine until the IdM migration. In this e-mail, we describe 2 different problems and propose several solutions that you can implement to make this work.

Our overall goal:

• Having a browser-side JavaScript application that can authenticate FIWARE Lab users by using the IdM's OAuth2 feature. Then automating OpenStack API calls on behalf of the user inside his personal OpenStack tenant.

Current blocking points:

• We are trying to convert (as the Cloud Portal does) an IdM OAuth2 token to an OpenStack Keystone token.

o What we have:

§ an IdM OAuth2 token retrieved when the user is redirected to 'account.lab.fiware.org' where he logs in and authorizes our application ( https://account.lab.fiware.org/idm/myApplications/1d75df2ec0c1478db98a3c8db3169d63/ ).

o What we DON'T have:

§ The user id

§ The user name, email

§ The user's tenant ID/name

o What we are using:

§ The latest Jstack library by UPM (https://github.com/ging/jstack commit 7338b42)

Technical detail of the steps:

• The rest call to 'https://cloud.lab.fiware.org/keystone/v3/auth/tokens' returns the Keystone token in the http header 'x-subject-token'. The JavaScript code running inside the browser is unable to read this header due to CORS restrictions.

o Solution 1: put the resulting token in a 'X-Auth-Token' header too.

o Solution 2: put the token in the response's JSON body.

o Solution 3: update the CORS policies to allow using the 'Access-Control-Allow-Headers' to authorize the 'Access-Control-Request-Headers' and perhaps some other tweaks.

• We are missing one of the 2 values to properly use the previous API call:

o The user's tenant id:

§ Because a call to the rest endpoint 'https://cloud.lab.fiware.org/keystone/v3/authorized_organizations/wzU_an_idm_token' or to the rest endpoint 'https://account.lab.fiware.org/user?access_token=wzU2_an_idm_token' returns an empty result

· Solution 1: grant rights to the 'FIC2Lab Runner' (1d75df2ec0c1478db98a3c8db3169d63) on the IdM. This is difficult for us to do because we don't have the necessary authorization or documentation.

o The user's tenant name:

§ Because the call to the rest endpoint 'https://account.lab.fiware.org/user?access_token=wzU2_an_idm_token' is blocked by CORS policies.

· Solution 2: update the CORS policies

Last 2 tickets:

• https://jira.fi-ware.org:8443/browse/HELP-3055

• https://jira.fi-ware.org:8443/browse/HELP-3061

Thank you very much for your help.

Best regards,

Mario & Geoffroy

_______________________________________________
Fiware-lab-help mailing list
Fiware-lab-help@lists.fi-ware.org
https://lists.fi-ware.org/listinfo/fiware-lab-help

[Created via e-mail received from: LOPEZ RAMOS Mario <mario.lopezramos@thalesgroup.com>]