Help-Desk / HELP-8972

[fiware-stackoverflow] Fiware KeyRock API bug: Membership of organisations not returned

    Details

      Description

      Created question in FIWARE Q/A platform on 17-04-2016 at 11:04
      Please, ANSWER this question AT https://stackoverflow.com/questions/36675046/fiware-keyrock-api-bug-membership-of-organisations-not-returned

      Question:
      Fiware KeyRock API bug: Membership of organisations not returned

      Description:
      As part of the FINISH accelerator we are using FIWARE KeyRock and Wirecloud. Currently we are using the Fiware labs global instance to investigate.

      We want to restrict our system so that users can only view data that belongs to the organisations of which they are a member.

      The following flow seems logical, but correct me if I am wrong:

      1. A user logs into Wirecloud and is directed through a KeyRock login screen.
      2. A Wirecloud Widget gets an access token from Wirecloud environment. The access token was created when the user logged in.
      3. The Wirecloud widget looks up the organisations and roles that a user is member of. Based on this it adds organisation names to its query.
      4. The Wirecloud widget queries a webservice (Orion or otherwise) using the query it just created.
      5. We put the Wilma PEP proxy between the Wirecloud Widget and the webservice to validate that the user is a member of the organisations in the query.

      PROBLEM:
      We can query user information from KeyRock using the https://account.lab.fiware.org/user?access_token=XXXXXXXXXXX call. But that does not contain any information about the organisations that the user is a member of according to the KeyRock web interface. The organisations element is an empty array. We get a bunch of roles in the JSON response, but none of them is the "members" role that you assign to users from the "Manage your organization members" screen in KeyRock.

      Some digging revealed that the Keystone instance running on Fiware labs contains the information (assuming that a Keystone project = KeyRock organisation). However the access token provided by KeyRock is somehow not valid on the Keystone API. The API we used was accessible here: http://cloud.lab.fiware.org:4730/v3/
      Getting a new access token from the Keystone API is not what we want, because that would be a different access token than Wirecloud has obtained, which would require some kind of proxy to log in again and retrieve the organisation membership. That rather defeats the point of passing an access token.

      This seems to be a bug in the KeyRock API on the Fiware labs instance.
      Or am I missing something here?
      Or will this problem magically go away if we install KeyRock on our own server?

      Thanks for any help,
      Robin
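
The membership check from the last step of the flow above, written as an added example that is not part of the original question and is not Wilma or KeyRock code. The JSON field names (`organizations`, `name`, `roles`), the function names and the sample data are assumptions made for illustration; the check denies the request when the membership list is empty, which is the situation the question describes.

```javascript
// Added example. Field names are assumptions about the user-info JSON,
// not taken from KeyRock documentation.

// Collect the organisation names a user belongs to, optionally requiring a role.
function memberOrganisations(userInfo, requiredRole) {
  const orgs = Array.isArray(userInfo && userInfo.organizations)
    ? userInfo.organizations : [];
  const names = new Set();
  for (const org of orgs) {
    if (!org || typeof org.name !== 'string') continue;
    const roles = Array.isArray(org.roles) ? org.roles.map(r => r && r.name) : [];
    if (!requiredRole || roles.includes(requiredRole)) names.add(org.name);
  }
  return names;
}

// Decide whether a query naming `requestedOrgs` may be forwarded to the backend.
// Fails closed: an empty request or an empty membership list is a denial.
function authorizeQuery(userInfo, requestedOrgs, requiredRole) {
  const allowed = memberOrganisations(userInfo, requiredRole);
  if (!Array.isArray(requestedOrgs) || requestedOrgs.length === 0) {
    return { allow: false, reason: 'no organisation in query' };
  }
  const denied = requestedOrgs.filter(o => !allowed.has(o));
  if (denied.length > 0) {
    return { allow: false, reason: 'not a member of: ' + denied.join(', ') };
  }
  return { allow: true, reason: 'ok' };
}

// Constructed sample responses (not real data).
const sampleWithOrgs = {
  id: 'user-example',
  roles: [{ id: 'r1', name: 'viewer' }],
  organizations: [
    { id: 'o1', name: 'farm-a', roles: [{ id: 'r2', name: 'members' }] },
    { id: 'o2', name: 'farm-b', roles: [{ id: 'r3', name: 'owner' }] },
  ],
};
const sampleEmptyOrgs = { id: 'user-example', roles: [{ id: 'r1', name: 'viewer' }], organizations: [] };

console.log(authorizeQuery(sampleWithOrgs, ['farm-a'], 'members'));
console.log(authorizeQuery(sampleWithOrgs, ['farm-a', 'farm-b'], 'members'));
console.log(authorizeQuery(sampleEmptyOrgs, ['farm-a'], 'members'));
```

Running the check in the proxy rather than in the widget means the organisation names the widget puts into its query are treated as untrusted input.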

        Activity

        backlogmanager Backlog Manager added a comment -

        2017-05-22 15:13|CREATED monitor | # answers= 1, accepted answer= True

        backlogmanager Backlog Manager added a comment -

        2017-05-22 18:09|UPDATED status: transition Answer| # answers= 1, accepted answer= True

        backlogmanager Backlog Manager added a comment -

        2017-05-22 21:09|UPDATED status: transition Finish| # answers= 1, accepted answer= True


          People

          • Assignee:
            backlogmanager Backlog Manager
            Reporter:
            backlogmanager Backlog Manager