My name is Joe and I'm in a traineeship about IoT security and Identity Management. In order to develop some solutions for a project I've been assigned, I have to configure and integrate Orion, Wilma and Keyrock (and potentially a PDP, but that comes later). I've found some tutorials and FIWARE official guides, but I'm seriously in trouble with the configuration. I've already learned the "theory" behind it: I'm aware of the FIWARE security architecture, but the problem is in practice. As a first approach to the problem, I thought that trying to get the token with a token request could be a good way to start, as follows:

curl -X POST --data "grant_type=password&username=user&password=pwd" http://192.168.100.241:5000/oauth2/token -H "Host: 192.168.100.241" -H "Content-Type: application/x-www-form-urlencoded" -H "Authorization: Basic base64(client_id:client_secret)"

where 192.168.100.241 is the IP address of the host where Keystone runs. The response to this is the following:

{ "error": { "message": "Impossibile trovare la risorsa.", "code": 404, "title": "Not Found" } }

Now, how can this problem be solved? Perhaps I'm missing something or probably I'm unaware of something. And later, how can the PEP Proxy enforce some policies on Orion requests (or receive them directly and later, if allowed, communicate them to Orion)? Could you help me? I'm terribly in trouble.
Thank you :-)

  • Possible duplicate of [Fiware - How to integrate Keyrock IdM, Wilma PEP Proxy and Orion Context Broker?](https://stackoverflow.com/questions/40999447/fiware-how-to-integrate-keyrock-idm-wilma-pep-proxy-and-orion-context-broker) – Dalton Cézane Jul 21 '17 at 22:01

1 Answer


You can see how to integrate Orion Context Broker, Keyrock IdM and Wilma PEP Proxy in the following link:

https://www.slideshare.net/daltoncezane/integrating-fiware-orion-keyrock-and-wilma

I already had these doubts like you. I hope it helps.

Include client_id and secret_id in the grant_type:

grant_type=password&username=${_user}&password=${_pass}&client_id=${CLIENT_ID}&client_secret=${CLIENT_SECRET}
  • This is a link I visited! But there I have problems on the 5th point! – Giuseppe Jul 22 '17 at 10:13
  • Point 5 on page 3! I always receive: 404 Not Found. – Giuseppe Jul 24 '17 at 09:53
  • Did you get success on pinging the Keystone IP from where your application is running? – Dalton Cézane Jul 24 '17 at 18:37
  • You are not following the step by step in the right way! The right address to get a token is `http://192.168.100.241:8000/oauth2/token`, if you have the same ports configured! Use port 8000 instead of 5000. – Dalton Cézane Jul 24 '17 at 18:41
  • Keystone server listens on port 5000, while Horizon listens on port 8000. I should send requests to Keystone, shouldn't I? – Giuseppe Jul 24 '17 at 19:39
  • Please, follow exactly as explained in the tutorial and tell me if you still have problems. – Dalton Cézane Jul 24 '17 at 20:23
  • Hi Dalton, I followed the tutorial and I got the authorization code. After, I made an HTTP POST request with the code previously acquired, but I obtain: "404, authorization code not found", but the code should be correct. Why do I get this error? – Giuseppe Jul 31 '17 at 16:09
  • Please update your question with code you are using for each step. – Dalton Cézane Jul 31 '17 at 17:20
  • You also have to include the client_id and secret_id in the grant type. Did you do this? – Dalton Cézane Jul 31 '17 at 18:10
  • Yes, I include the base64(client_id:secret_id). The code is the following: curl --data "grant_type=authorization_code&code=THE_CODE&redirect_uri=http://localhost/login" http://localhost:8000/oauth2/token -H 'Authorization: Basic CODE_FROM_BASE64_ENCODING' -H 'Content-Type: application/x-www-form-urlencoded'. What am I missing? – Giuseppe Jul 31 '17 at 19:25
  • If you see the Python code in the link I told you, you will note that your format is different. As I told you, the client_id and secret_id also have to be passed in GRANT_TYPE. Again, please take a look at the tutorial and follow all the steps there. If the problem continues, say exactly what you are doing and the error you found. – Dalton Cézane Jul 31 '17 at 19:50
  • I followed the guide and it works! But why can't I obtain the same result using the authorization code as grant instead of username and password? – Giuseppe Aug 01 '17 at 09:19
  • Maybe Orion does not work in this way. If you are really curious about it, I suggest you ask another question and @fgalan can answer that. – Dalton Cézane Aug 01 '17 at 15:06
  • I'll do so. There's just another point: I followed the last point too, but I should send requests to PEP Proxy instead of IdM, shouldn't I? I sent requests to PEP Proxy and everything works as expected! – Giuseppe Aug 01 '17 at 16:37
  • Yes. There is an observation about it, telling that I used the IdM IP because of the container (PEP is running in the IdM container). – Dalton Cézane Aug 01 '17 at 16:49
  • All right. Thank you very much for the time spent for me and for the great help you gave me. – Giuseppe Aug 01 '17 at 17:28
  • Hi Dalton, excuse me for asking another question. I'm editing some policies in order to secure my accesses to Orion (using the Authzforce GE) using XACML, but I don't understand the logic behind the attributes. I wanted to deny POST from some users (is there a strategy to group them?). I followed some guides found on the web, but it seems too "automatic" to me. Could you help me? – Giuseppe Aug 08 '17 at 16:26
  • For example, I wanted a generic user A to be an admin, so that he can make GET/POST requests to Orion in order to change some parameters etc., meanwhile I wanted a generic user B to make only GET requests, so that he can only "read" and not "write" anything. How could I do that? – Giuseppe Aug 08 '17 at 17:31
  • Unfortunately, I cannot help regarding AzF. For me, it does not work well. I asked some questions here on SOF that have no answers. – Dalton Cézane Aug 08 '17 at 19:47
  • Hi Dalton. I noticed you had the same problem I'm having now with AZF. I'm trying to do some tests, and for every action I perform against the PDP from PEP I receive "AZF domain not created for application...". I followed the hints someone gave you but I gained no benefits. Could you help me? – Giuseppe Aug 30 '17 at 17:01
  • Unfortunately, I gave up using AzF. I remember you have to create the permission first and set the Magic Key, in the Keyrock Horizon configuration, to something different from none or "". The last time I tried to do this, I got no success. – Dalton Cézane Aug 30 '17 at 18:31
  • What permission should I create? Where? – Giuseppe Aug 31 '17 at 08:32
  • I customized all configuration files, both of Horizon and Wilma. Are there other actions I should perform? – Giuseppe Aug 31 '17 at 08:33
  • You should create the permission at Horizon. AzF, for me, does not work properly. – Dalton Cézane Aug 31 '17 at 19:13
  • What kind of permission? How can I create it? Could you explain to me the steps I should follow? – Giuseppe Sep 01 '17 at 22:23
  • In [this link](https://forge.fiware.org/plugins/mediawiki/wiki/fiware/index.php/Identity_Management_-_KeyRock_-_User_and_Programmers_Guide#Registering_an_application), after Figure 4, there is a description about how to do this. – Dalton Cézane Sep 05 '17 at 14:31
  • So, welcome to the AzF world. =) This is why I am not using it: for me, it does not work... – Dalton Cézane Sep 06 '17 at 19:19
  • It's so frustrating! I deployed about ten servers for my complete application and the problem still remains for the authorization part! It's a pity, I wanted to make a complete deployment: I tried also to change to the couple Steelskin-Keypass, but I had no result. I hate FIWARE! – Giuseppe Sep 07 '17 at 14:57
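The exchange the answer and the comment thread converge on, as an added example that is not code from the question, the answer or the FIWARE projects: a password-grant token request to Keyrock's OAuth2 endpoint with the client credentials in both the Basic header and the form body, followed by a request to Orion through the Wilma PEP proxy with the token in `X-Auth-Token`. The addresses, ports (8000 for Keyrock as the comments state, 1027 for Wilma), credentials and the `opener` hook are assumptions or placeholders; the 404 returned for a wrong endpoint is surfaced as an error rather than silently producing an empty token.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumed endpoints (placeholders for this example): the comment thread says the
# token endpoint is Keyrock's OAuth2 port (8000 in that setup), not Keystone's 5000,
# and that Orion requests go through the Wilma PEP proxy rather than to the IdM.
KEYROCK_URL = "http://192.168.100.241:8000"
PEP_PROXY_URL = "http://192.168.100.241:1027"   # assumed Wilma listen address


def basic_auth_header(client_id, client_secret):
    """HTTP Basic value for the OAuth2 client: base64 of 'client_id:client_secret'."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(base_url, client_id, client_secret, username, password):
    """Resource-owner password grant as the answer describes it: the client
    credentials go both in the Basic header and in the form body."""
    url = base_url.rstrip("/") + "/oauth2/token"
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": basic_auth_header(client_id, client_secret),
    }
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode("ascii")
    return url, headers, body


def request_token(base_url, client_id, client_secret, username, password, opener=None):
    """POST the token request and return the access_token.

    A non-2xx reply (such as the 404 seen when posting to the wrong port) becomes
    a RuntimeError carrying the status code and body, so a misconfigured endpoint
    fails loudly. `opener` (assumed hook) lets the exchange run without a live IdM."""
    url, headers, body = build_token_request(base_url, client_id, client_secret, username, password)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    opener = opener or urllib.request.build_opener()
    try:
        with opener.open(req, timeout=10) as resp:
            payload = json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        detail = err.read().decode("utf-8", errors="replace")
        raise RuntimeError(f"token request to {url} failed: HTTP {err.code} {detail}") from err
    token = payload.get("access_token")
    if not token:
        raise RuntimeError(f"no access_token in token response: {payload}")
    return token


def build_orion_request(pep_url, token, path="/v2/entities"):
    """Request to Orion sent via Wilma: the token travels in X-Auth-Token, which
    the PEP validates against Keyrock before forwarding to the broker."""
    headers = {"X-Auth-Token": token, "Accept": "application/json"}
    return urllib.request.Request(pep_url.rstrip("/") + path, headers=headers, method="GET")


if __name__ == "__main__":
    # Replace these placeholders with the application credentials registered in Keyrock.
    token = request_token(KEYROCK_URL, "CLIENT_ID", "CLIENT_SECRET", "user", "pwd")
    req = build_orion_request(PEP_PROXY_URL, token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        print(resp.status, resp.read().decode("utf-8")[:200])
```

Run it with the real Keyrock and Wilma addresses filled in; if the token call still answers 404, the URL or port is wrong before anything about credentials matters, which is exactly the failure the comment thread diagnosed.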