  2. HELP-3199

FIWARE.Request.Tech.Security.IDM-KeyRock.FIWareIssue

    Details

    • Type: extRequest
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Fix Version/s: 2021
    • Component/s: FIWARE-TECH-HELP
    • Labels:
      None

      Description

      Hi Emilio,
      I am forwarding your issue to FIWARE lab team.
      @Dear FIWARE lab team, could you provide assistance to Emilio on this FIWARE
      lab issue? He is from one of our SMEs in SmartAgriFoodAccelerator.
      Thanks in advance,
      Raul

      From: Emilio Valencia Rodriguez <evalencia@ignos.com>
      Date: Wednesday 3 June 2015 16:46
      To: Raul Palma <rpalma@man.poznan.pl>
      Subject: FIWare Issue

      Hi Raul,

      This issue is for Fiware.

      We are using cloud.lab.fi-ware.org <http://cloud.lab.fi-ware.org> instance.

      We don't know where to register this issue.

      We are executing integration tests of the overall application and we have
      detected one issue with the IdentityManagement GE of Fiware:

      > - We were authenticating against the IdM using Fiware id/password but now Idm
      > responds "Unauthorized". But if we use Fiware user email instead of Fiware id
      > we receive:
      >
      >>> INFO:_main_ :FIWARE: Autenticando...
      >>> INFO:cdmi_service :Authorization host is: cloud.lab.fi-ware.org:4731
      >>> DEBUG:cdmi_service :Authrization Body:{"auth":
      >>> {"passwordCredentials": {"username": "dcastro@ignos.com", "password":
      >>> "********"}}}
      >>> DEBUG:cdmi_service :Authrization token response:{"access": {"token":
      >>> {"issued_at": "2015-06-03T14:13:23.076665", "expires":
      >>> "2015-06-04T14:13:23Z", "id": "dff5f17ede4b444f9c2e3d6ad9a5af0e",
      >>> "audit_ids": ["d3TUccNIQXq_n-yNGPt1zg"]}, "serviceCatalog": [], "user":
      >>> {"username": "dcastro@ignos.com", "roles_links": [], "id": "ignos", "roles":
      >>> [], "name": "dcastro@ignos.com"}, "metadata": {"is_admin": 0, "roles": []}}}
      >>> INFO:cdmi_service :Initial Token is: dff5f17ede4b444f9c2e3d6ad9a5af0e
      >>> DEBUG:cdmi_service :Available tenants:{"error": {"message": "The request you
      >>> have made requires authentication.", "code": 401, "title": "Unauthorized"}}
      >>
      >>
      >> The token response does not return the available service Catalog as it usually
      >> did and returns an empty role list.
      >>
      >> If we try to get tenants using the provided token we receive an unauthorized
      >> response.

      Regards,
      Emilio Valencia Rodriguez.
      Ignos Estudio de Ingeniería, S.L.
      Tel.: 0034 922 263 001
      Fax: 0034 922 263 001
      www.ignos.com <http://www.ignos.com>

      _______________________________________________
      Fiware-lab-help mailing list
      Fiware-lab-help@lists.fi-ware.org
      https://lists.fi-ware.org/listinfo/fiware-lab-help

      [Created via e-mail received from: Raul Palma <rpalma@man.poznan.pl>]

        Activity

        fw.ext.user FW External User added a comment -

        Dear help-desk,
        I would like to ask you again to open this issue as it was not solved.
        Please see below the information from our SME.
        I hope you can help in solving this issue.
        Thanks,
        Raul

        Hi,
        in our authentication flow we perform the following actions:

        (POST "/v2.0/tokens")

        Response

        (GET "/v2.0/tenants")

        Response:

        We cannot set up a tenant if we are not able to retrieve the tenant list
        previously.

        Our next action after retrieving the tenants would be:

        (POST "/v2.0/tokens") with TenantId

        From: Help-Desk <jira-help-desk@fi-ware.org>
        Reply-To: <jira-help-desk@fi-ware.org>
        Date: Thursday 2 July 2015 14:47
        To: <ext_user@fi-ware.org>, Raul Palma <rpalma@man.poznan.pl>,
        <aalonsog@dit.upm.es>
        Cc: <garcianavalon@gmail.com>
        Subject: [FI-WARE-JIRA] (HELP-3199) Re: [Fiware-lab-help] FIWare Issue

        Hi,

        have you tried setting a tenant Id in the request???

        BR

        FW External User created an issue

        Help-Desk / HELP-3199
        Re: [Fiware-lab-help] FIWare Issue

        Issue Type: extRequest
        Assignee: Alvaro Alonso
        Components: FIWARE-LAB-HELP
        Created: 03/Jun/15 11:16 PM
        Priority: Major
        Reporter: FW External User
        Status: Closed


        fw.ext.user FW External User added a comment -

        Hi Raul,

        Please try using the v3 authentication and tell me if your problem
        persists. For v3 authentication you can find documentation here
        http://developer.openstack.org/api-ref-identity-v3.html#tokens-v3. The
        process is very similar to the v2, mainly changing tenant for project
        and that the token would be returned in the X-Subject-Token header instead
        of in the body.

        Best regards,
        Enrique

        fw.ext.user FW External User added a comment -

        Hi again,
        I've tried using V3 API but we should know the expected scope or project to
        perform authentication.

        *Can we retrieve available projects in some way or should we set a
        predefined scope or project?*
        *In the latter case, where could we find the correct parameters to authenticate
        to cloud.lab.fi-ware.org:4731 and
        apply for Object Storage authorization?*

        We tried to get the Domain/project list but both require to be authenticated
        previously:

        INFO:_main_ :FIWARE: Autenticando...

        Trying to connect without project or scope returns:

        DEBUG:cdmi_service :Authrization Body:{"auth": {"identity": { "methods" :
        ["password"], "password":{ "user" : { "name": "dcastro@ignos.com",
        "password": "ignos2015"} }}}}
        send: 'POST /v3/auth/tokens HTTP/1.1
        Host: cloud.lab.fi-ware.org:4731
        Accept-Encoding: identity
        Content-Length: 130
        Content-Type: application/json
        *{"auth": {"identity": { "methods" : ["password"], "password":{ "user" :
        { "name": "dcastro@ignos.com", "password": "ignos2015"} }}}}'*

        reply: 'HTTP/1.1 400 Bad Request'
        header: Vary: X-Auth-Token
        header: Content-Type: application/json
        header: Content-Length: 233
        header: Date: Tue, 28 Jul 2015 12:00:22 GMT
        header: Connection: close
        DEBUG:cdmi_service :Authrization token response:{"error": {"message":
        "*Expecting to find domain in user - the server could not comply with the
        request since it is either malformed or otherwise incorrect.* The client is
        assumed to be in error.", "code": 400, "title": "Bad Request"}}

        Regards,
        David Castro

        Regards,
        Emilio Valencia Rodriguez.
        Ignos Estudio de Ingeniería, S.L.
        Tel.: 0034 922 263 001
        Fax: 0034 922 263 001
        www.ignos.com

        2015-07-28 11:58 GMT+01:00 Enrique Garcia <garcianavalon@gmail.com>:

        fw.ext.user FW External User added a comment -

        You are not setting a domain in the authentication request, as the error
        says. We use the default domain from Keystone.

        Take a look at this
        http://docs.openstack.org/developer/keystone/api_curl_examples.html#default-scope
        this will give you a domain scoped token, that should be enough for some
        API calls.

        If you need a project scoped token, use this
        http://docs.openstack.org/developer/keystone/api_curl_examples.html#project-scoped

        If you need the Id of the project, there are several ways to get it.

        • this endpoint for all of your user projects
          http://developer.openstack.org/api-ref-identity-v3.html#listUserProjects
        • GET /users/your_user_id will return you a JSON object that contains your
          default_project_id (automatic project scoping in keystone) and your
          cloud_project_id
        • Use the account portal, go to one of your organizations and take the id
          from the url

        On a side note, the endpoint GET /projects to list all projects is only
        accessible to administrators. If your use case needs to access this
        endpoint for a good reason we can discuss giving you access (not my
        decision anyway) but if you only need it for scoped authentication purposes
        you should use the above endpoints and/or methods.

        Best regards,
        Enrique

        On Tue, 28 Jul 2015 at 14:22 Emilio Valencia Rodriguez <evalencia@ignos.com>

        fw.ext.user FW External User added a comment -

        Just to clarify how v3 works, usernames are only unique inside a certain
        domain. Therefore, if you want to authenticate using user name and
        password, a domain must also be provided. This will give you a domain
        scoped token.

        You can authenticate 'unscoped' using your user id and password. Or you can
        get a project scoped token by providing a project in the request body. It
        all depends on what API call you want to make and its restrictions.

        Let me know if you find any more problems.
        Best regards,
        Enrique
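
The request shapes discussed in the replies above, as an added Python example that is not part of the original thread or of the IdM's own code: it builds the `POST /v3/auth/tokens` body for user-id, name-plus-domain, and scoped requests, masks the password before logging, and reads the token from `X-Subject-Token`. The domain id `default` follows the reply in the thread; the user, password, project id and token values are constructed placeholders.

```python
import copy
import json


def build_v3_auth(password, user_id=None, user_name=None, user_domain_id=None,
                  project_id=None, scope_domain_id=None):
    """Build the JSON body for POST /v3/auth/tokens (password method)."""
    if (user_id is None) == (user_name is None):
        raise ValueError("give exactly one of user_id or user_name")
    if project_id and scope_domain_id:
        raise ValueError("a token is scoped to a project or a domain, not both")
    user = {"password": password}
    if user_id is not None:
        user["id"] = user_id  # a user id needs no domain qualifier
    else:
        if not user_domain_id:
            # Same condition the server rejected with 400 in the thread:
            # "Expecting to find domain in user"
            raise ValueError("user_name requires user_domain_id")
        user["name"] = user_name
        user["domain"] = {"id": user_domain_id}
    auth = {"identity": {"methods": ["password"], "password": {"user": user}}}
    if project_id:
        auth["scope"] = {"project": {"id": project_id}}
    elif scope_domain_id:
        auth["scope"] = {"domain": {"id": scope_domain_id}}
    return {"auth": auth}


def redact(body):
    """Return a JSON string of the auth body that is safe for a debug log."""
    safe = copy.deepcopy(body)  # never mutate the body that will be sent
    safe["auth"]["identity"]["password"]["user"]["password"] = "********"
    return json.dumps(safe, sort_keys=True)


def parse_v3_token(headers, body_text):
    """Return (token_id, scope) from a v3 token response.

    The token id is in the X-Subject-Token header, not in the JSON body.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    token_id = lowered.get("x-subject-token")
    if not token_id:
        raise ValueError("no X-Subject-Token header in response")
    token = json.loads(body_text)["token"]
    if "project" in token:
        scope = "project"
    elif "domain" in token:
        scope = "domain"
    else:
        scope = "unscoped"
    return token_id, scope


if __name__ == "__main__":
    # Constructed sample values; "default" follows the reply in the thread.
    body = build_v3_auth("example-password", user_name="user@example.com",
                         user_domain_id="default",
                         project_id="PROJECT_ID_PLACEHOLDER")
    print(redact(body))
    # Constructed response, shaped like a project-scoped v3 token reply.
    hdrs = {"X-Subject-Token": "CONSTRUCTED_TOKEN"}
    reply = '{"token": {"project": {"id": "PROJECT_ID_PLACEHOLDER"}}}'
    print(parse_v3_token(hdrs, reply))
```

Logging `redact(body)` instead of the raw body keeps the password out of debug output such as the client log quoted earlier in the thread.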


          People

          • Assignee:
            aalonsog Alvaro Alonso
            Reporter:
            fw.ext.user FW External User