Help-Desk / HELP-5212

FIWARE.Request.Tech.Security.IDM-KeyRock.IDMOperationDetails

    Details

    • Type: extRequest
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Fix Version/s: 2021
    • Component/s: FIWARE-TECH-HELP
    • Labels: None

      Description

      Dear coaches,

      We have received the following email from the Olifly project:

      We have some issues integrating IDM in our application, so we came up with some questions...
      We are developing iOS and Android apps for the Olifly project. We've made one organization (in FIWARE Lab IDM) for each orchard.
      We have ORION and the PEP proxy Wilma installed on our own server.
      We are using a different fiware-service for each orchard (same name as the organization).

      What we want is simple... ask the user for credentials and then allow him to only access the data in Orion which belongs to his orchard/organization.
      So for example: we have user "sasoM" who is a member of organization "sasoM_orchard".
      Images and other data from "sasoM_orchard" are stored in the "orion-sasom_orchard" database.
      We have successfully implemented the part on iOS which redirects the user to account.lab.fiware.org for login and then redirects him back with a valid token. Using this token we are able to get some user info (username ...) but no information about his organizations. We can't access ORION using this token, even though organization "sasom_orchard" is an authorized organization for the "ORION application" in FIWARE Lab IDM.
      We can use this token to access ORION if we set Wilma to level 1 security - only checking token validity, no roles.
      On the other hand, we can successfully make containers and store images in the storage GE as an organization, and other members of the same organization can view them.
      But with the storage GE, cloud.lab.fiware.org:4730 is used... what's the difference?
      Also... using the storage GE to get the initial token we access /v2.0/tokens passing username and password directly, which, as far as I understand OAuth 2.0, isn't the correct way to use it.
      Then with the initial token we get info about the user's organization from /v2.0/tenants,
      and with the tenantId and (again) username and password we get a token to access the organization's storage.
      It works fine, but shouldn't we do this without directly using username and password?
      Below is the example code for storage GE access:

      import httplib
      import json
      import logging

      logger = logging.getLogger(__name__)
      HOST_AUTH = 'cloud.lab.fiware.org:4730'   # keystone endpoint used by the storage GE

      def get_storage_token(username, password):
          conn = httplib.HTTPConnection(HOST_AUTH)

          # 1. retrieve initial token (unscoped) with username and password
          headers = {'Content-Type': 'application/json'}
          # json.dumps builds the body safely; string concatenation breaks on quotes in the password
          body = json.dumps({"auth": {"passwordCredentials":
                                      {"username": username, "password": password}}})
          conn.request("POST", "/v2.0/tokens", body, headers)
          response = conn.getresponse()
          data = response.read()
          datajson = json.loads(data)
          initialtoken = datajson['access']['token']['id']
          logger.info('Initial Token is: ' + initialtoken)

          # 2. retrieve tenant (the user's organizations) using the initial token
          headers = {'x-auth-token': initialtoken}
          conn.request("GET", "/v2.0/tenants", None, headers)
          response = conn.getresponse()
          data = response.read()
          datajson = json.loads(data)
          tenant = datajson['tenants'][3]['id']   # hard-coded: picks the fourth tenant in the list
          for tn in datajson['tenants']:
              print(tn['name'])
          logger.info('Tenant is: ' + tenant)

          # 3. retrieve authentication json (token scoped to the tenant), again with the password
          headers = {'Content-Type': 'application/json'}
          body = json.dumps({"auth": {"tenantId": tenant, "passwordCredentials":
                                      {"username": username, "password": password}}})
          conn.request("POST", "/v2.0/tokens", body, headers)
          response = conn.getresponse()
          data = response.read()
          return json.loads(data)

      Summary:
      · What is the correct protocol to access ORION?
      · iOS app redirects to account for login
      · user enters username and password and is redirected back to iOS app
      · iOS app gets token
      · and then?
      · How can we (if we can) restrict a user to only have access to his own fiware-service?
      · What is the difference between account.lab.fiware.org and cloud.lab.fiware.org?
      · How to use the storage GE without passing username and password directly?

      Thanks for the support

      BR
      [Created via e-mail received from: "Romero, Javier" <javier.romero@atos.net>]

          Activity
          fermin Fermín Galán added a comment -

          I'm not sure about the Fiware-Service (and Fiware-ServicePath) support in Wilma PEP, which maybe is required in order to provide authorization to context sets structured using them (not sure).

          Anyway, given that the question is related to the PEP+IdM framework more than to the Orion API "itself", I'm re-assigning the issue to those in charge of PEP+IdM.

          aalonsog Alvaro Alonso added a comment -

          Hi,

          I will try to answer the questions related to PEP and IdM:

          · iOS app redirects to account for login
          · user enters username and password and is redirected back to iOS app
          · iOS app gets token
          · and then?
          With that token you can check the roles the user has inside your application using: https://account.lab.fiware.org/users?access_token={token}

          · How can we (if we can) restrict user to only have access to his own fiware-service?
          I don't know exactly how you manage those services in your application. You could create a role for each service, then associate them to users and check in PEP.
          · What is the difference between account.lab.fiware.org and cloud.lab.fiware.org
          · How to use storage GE without passing username and password directly
          The first one is the account portal and the second one is the cloud portal. Furthermore, in cloud.lab.fiware.org:4730 is running keystone (the backend of the Account Portal). The account portal creates OAuth2 tokens and keystone creates keystone tokens. The storage service works with the second ones. That's the reason you need to create tokens there. You have the possibility of exchanging an OAuth2 token for a keystone token using:

          POST http://cloud.lab.fiware.org:4730/v3/auth/tokens
          body:

          {
            "auth": {
              "identity": {
                "methods": ["oauth2"],
                "oauth2": {
                  "access_token_id": "{oauth2_token}"
                }
              }
            }
          }

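The role-per-service check suggested above, written out as an added example (not code from the ticket, from Wilma or from KeyRock): a PEP or backend takes the user-info document obtained with the access token and the request headers, and lets the request through only when the Fiware-Service header names a service the user holds a role for. The "service:" role-name convention, the shape of the user-info document and every id and name in it are assumptions constructed for this example.

```python
# Constructed sample of the user-info document the IdM returns for an access
# token (shape modelled on what a PEP consumes; ids and names are invented).
SAMPLE_USER_INFO = {
    "id": "sasoM",
    "displayName": "sasoM",
    "roles": [],                       # application-wide roles (none here)
    "organizations": [
        {"id": "org-1", "name": "sasoM_orchard",
         "roles": [{"id": "r-1", "name": "service:sasom_orchard"}]},
    ],
}

# Assumed convention: one IdM role per Fiware-Service, named "service:<name>".
ROLE_PREFIX = "service:"


def role_names(user_info):
    """Flatten application-level and organization-level roles into one set."""
    names = {r["name"] for r in user_info.get("roles", [])}
    for org in user_info.get("organizations", []):
        names.update(r["name"] for r in org.get("roles", []))
    return names


def allowed_services(user_info):
    """Services the user may reach, lower-cased because Orion lower-cases the
    Fiware-Service value (hence the 'orion-sasom_orchard' database above)."""
    return {n[len(ROLE_PREFIX):].lower()
            for n in role_names(user_info) if n.startswith(ROLE_PREFIX)}


def authorize(user_info, headers):
    """Allow the request only if its Fiware-Service names a service the user
    holds a role for. A missing header is denied: Orion would otherwise route
    the request to the default tenant, outside any per-orchard restriction."""
    hdrs = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    service = hdrs.get("fiware-service", "").strip()
    if not service:
        return False
    return service.lower() in allowed_services(user_info)


if __name__ == "__main__":
    print(authorize(SAMPLE_USER_INFO, {"Fiware-Service": "sasom_orchard"}))  # True
    print(authorize(SAMPLE_USER_INFO, {"Fiware-Service": "other_orchard"}))  # False
    print(authorize(SAMPLE_USER_INFO, {}))                                    # False
```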
          ichulani ilknur chulani added a comment -

          Dear Javier,

          Did you pass the comments from Alvaro to the Olifly team?

          We are closing the ticket, could you please confirm if you let the Olifly team know?

          Thanks,

          ilknur


            People

            • Assignee: aalonsog Alvaro Alonso
            • Reporter: fw.ext.user FW External User
            • Votes: 0
            • Watchers: 4

              Dates

              • Created:
                Updated:
                Resolved: