
FIWARE.Request.Tech.Security.IDM-KeyRock.IDMOperationDetails

    Details

    • Type: extRequest
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Fix Version/s: 2021
    • Component/s: FIWARE-TECH-HELP
    • Labels:
      None

      Description

      Dear coachers

      We have received the following email from Olifly project:

      We have some issues integrating IDM in our application, so we came up with some questions...
      We are developing iOS and android apps for Olifly project. We've made one organization (in filab IDM) for each orchard.
      We have ORION and PEP proxy Wilma installed on our own server.
      We are using different fiware-service for each orchard (same name as organization).

      What we want is simple... ask user for credentials and then allow him to only access the data in Orion, which belongs to his orchard/organization.
      So for example: we have user "sasoM" which is a member of organization "sasoM_orchard"
      Images and other data from "sasoM_orchard" are stored in "orion-sasom_orchard" database.
      We have successfully implemented the part on iOS which redirects the user to account.lab.fiware.org for login and then redirects him back with valid token. Using this token we are able to get some user info (username ...) but no information about his organizations. We can't access ORION using this token, even though organization "sasom_orchard" is authorized organization for "ORION application" in filab IDM.
      We can use this token to access ORION if we set Wilma to level 1 security - only checking token validity, no roles.
      On the other hand, we can successfully make containers and store images in storage GE as an organization, and other members of the same organization can view them.
      But with storage GE cloud.lab.fiware.org:4730 is used... what's the difference?
      Also... using storage GE to get initial token we access /v2.0/tokens passing username and password directly, which, as far as I understand OAuth2.0, isn't the correct way to use it.
      Then with initial token we get info about user's organization from /v2.0/tenants
      and with tenantId and (again) username and password we get token to access the organization's storage.
      It works fine, but shouldn't we do this without directly using username and password?
      Below is the example code for storage GE access:

      import http.client  # the posted snippet used Python 2's httplib; http.client is the Python 3 equivalent
      import json
      import logging

      logger = logging.getLogger(__name__)


      def get_storage_auth(HOST_AUTH, username, password):
          conn = http.client.HTTPConnection(HOST_AUTH)

          # 1. retrieve initial (unscoped) token
          headers = {'Content-Type': 'application/json'}
          # json.dumps escapes the credentials instead of splicing them into a string literal
          body = json.dumps({"auth": {"passwordCredentials":
                                      {"username": username, "password": password}}})
          conn.request("POST", "/v2.0/tokens", body, headers)
          response = conn.getresponse()
          datajson = json.loads(response.read())
          initialtoken = datajson['access']['token']['id']
          logger.info('Initial Token is: ' + initialtoken)

          # 2. retrieve tenant
          headers = {'x-auth-token': initialtoken}
          conn.request("GET", "/v2.0/tenants", None, headers)
          response = conn.getresponse()
          datajson = json.loads(response.read())
          tenant = datajson['tenants'][3]['id']  # picks the fourth tenant by position, as in the posted snippet
          for tn in datajson['tenants']:
              print(tn['name'])
          logger.info('Tenant is: ' + tenant)

          # 3. retrieve authentication json (token scoped to the tenant)
          headers = {'Content-Type': 'application/json'}
          body = json.dumps({"auth": {"tenantId": tenant, "passwordCredentials":
                                      {"username": username, "password": password}}})
          conn.request("POST", "/v2.0/tokens", body, headers)
          response = conn.getresponse()
          return json.loads(response.read())

      Summary:
      · What is the correct protocol to access ORION?
      · iOS app redirects to account for login
      · user enters username and password and is redirected back to iOS app
      · iOS app gets token
      · and then?
      · How can we (if we can) restrict user to only have access to his own fiware-service?
      · What is the difference between account.lab.fiware.org and cloud.lab.fiware.org
      · How to use storage GE without passing username and password directly

      Thanks for the support

      BR
      _______________________________________________
      Fiware-fractals-coaching mailing list
      Fiware-fractals-coaching@lists.fiware.org
      https://lists.fiware.org/listinfo/fiware-fractals-coaching
      [Created via e-mail received from: "Romero, Javier" <javier.romero@atos.net>]
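The three-step exchange the reporter describes for the storage GE (unscoped token from /v2.0/tokens, tenant list from /v2.0/tenants, then a tenant-scoped token) is shown below as an added example that is not part of the ticket or of any FIWARE component. The service side is a constructed in-memory stand-in that only mimics those three calls (token values, tenant ids and the test user are made up); the client side does the same steps as the posted snippet but builds the JSON body with json.dumps instead of string splicing, so a username or password containing quotes or braces cannot break or alter the request, and selects the tenant by organization name instead of a fixed list position.

```python
import json

# --- Constructed stand-in for the v2.0 token service (NOT a real KeyRock/Keystone) ---
# Only the three routes used in the ticket are mimicked. All ids, tokens and the
# test user below are made up for this example.
FAKE_TENANTS = [
    {"id": "t-001", "name": "otherA"},
    {"id": "t-002", "name": "sasoM_orchard"},
]
FAKE_USERS = {"sasoM": 'p"ssw{rd'}  # password with JSON-significant characters


def fake_v2_service(method, path, body, headers):
    """Return (status, dict) as a v2.0 endpoint would; body is a JSON string or None."""
    if method == "POST" and path == "/v2.0/tokens":
        try:
            req = json.loads(body)
        except json.JSONDecodeError:
            return 400, {"error": "malformed JSON body"}
        creds = req["auth"]["passwordCredentials"]
        if FAKE_USERS.get(creds["username"]) != creds["password"]:
            return 401, {"error": "bad credentials"}
        tenant_id = req["auth"].get("tenantId")
        token = "unscoped-token" if tenant_id is None else "scoped-token-" + tenant_id
        return 200, {"access": {"token": {"id": token, "tenant": tenant_id}}}
    if method == "GET" and path == "/v2.0/tenants":
        if headers.get("x-auth-token") != "unscoped-token":
            return 401, {"error": "invalid token"}
        return 200, {"tenants": FAKE_TENANTS}
    return 404, {"error": "no such route"}


# --- Client side: the ticket's three steps, with safe body construction ---
def naive_body(username, password):
    """The string-splicing construction from the ticket, kept only for comparison."""
    return ('{"auth": {"passwordCredentials": {"username": "' + username
            + '", "password": "' + password + '"}}}')


def token_body(username, password, tenant_id=None):
    """JSON body for /v2.0/tokens; json.dumps escapes whatever the credentials contain."""
    auth = {"passwordCredentials": {"username": username, "password": password}}
    if tenant_id is not None:
        auth["tenantId"] = tenant_id
    return json.dumps({"auth": auth})


def select_tenant(tenants, name):
    """Pick the tenant whose name matches the organization, refusing ambiguity."""
    matches = [t["id"] for t in tenants if t["name"] == name]
    if len(matches) != 1:
        raise LookupError("expected exactly one tenant named %r, got %d" % (name, len(matches)))
    return matches[0]


def get_scoped_token(service, username, password, tenant_name):
    """Unscoped token -> tenant list -> token scoped to the named tenant."""
    json_hdr = {"Content-Type": "application/json"}

    status, data = service("POST", "/v2.0/tokens", token_body(username, password), json_hdr)
    if status != 200:
        raise RuntimeError("unscoped token request failed: %s" % data)
    unscoped = data["access"]["token"]["id"]

    status, data = service("GET", "/v2.0/tenants", None, {"x-auth-token": unscoped})
    if status != 200:
        raise RuntimeError("tenant listing failed: %s" % data)
    tenant_id = select_tenant(data["tenants"], tenant_name)

    status, data = service("POST", "/v2.0/tokens",
                           token_body(username, password, tenant_id), json_hdr)
    if status != 200:
        raise RuntimeError("scoped token request failed: %s" % data)
    return data["access"]["token"]


if __name__ == "__main__":
    # The spliced body is rejected as malformed JSON; the escaped one is accepted.
    print(fake_v2_service("POST", "/v2.0/tokens", naive_body("sasoM", 'p"ssw{rd'), {}))
    print(get_scoped_token(fake_v2_service, "sasoM", 'p"ssw{rd', "sasoM_orchard"))
```

Against a real deployment, `fake_v2_service` would be replaced by a function that performs the HTTP request with `http.client` or `requests` and returns the status and parsed JSON; the client logic stays the same.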

        Issue Links

          Activity

          fla Fernando Lopez made changes -
          Fix Version/s 2021 [ 12600 ]
          mev Manuel Escriche made changes -
          HD-Enabler KeyRock [ 10889 ]
          HD-Chapter Security [ 10841 ]
          mev Manuel Escriche made changes -
          Sender Email javier.romero@atos.net
          mev Manuel Escriche made changes -
          Summary FIWARE.Request.Lab.Security.IDM-KeyRock.IDMOperationDetails FIWARE.Request.Tech.Security.IDM-KeyRock.IDMOperationDetails
          aalonsog Alvaro Alonso made changes -
          Summary FIWARE.Request.Tech.Data.OrionContextBroker.IDMOperationDetails FIWARE.Request.Lab.Security.IDM-KeyRock.IDMOperationDetails
          aalonsog Alvaro Alonso made changes -
          Resolution Done [ 10000 ]
          Status Answered [ 10104 ] Closed [ 6 ]
          aalonsog Alvaro Alonso made changes -
          Status In Progress [ 3 ] Answered [ 10104 ]
          aalonsog Alvaro Alonso made changes -
          Status Open [ 1 ] In Progress [ 3 ]
          fermin Fermín Galán made changes -
          Assignee Fermín Galán [ fermin ] Alvaro Alonso [ aalonsog ]
          oriondev TID Orion Developer made changes -
          Summary [Fiware-fractals-coaching] [Fractals][Olifly] IDM operation details FIWARE.Request.Tech.Data.OrionContextBroker.IDMOperationDetails
          mev Manuel Escriche made changes -
          Assignee Fermín Galán [ fermin ]
          backlogmanager Backlog Manager made changes -
          Field Original Value New Value
          Link This issue relates to HELC-1125 [ HELC-1125 ]
          backlogmanager Backlog Manager created issue -

            People

            • Assignee:
              aalonsog Alvaro Alonso
              Reporter:
              fw.ext.user FW External User
            • Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: