Hi Mario, answers inline. Hope this helps

BR
-- Álvaro

> On 22 May 2015, at 09:56, LOPEZ RAMOS Mario <mario.lopezramos at thalesgroup.com> wrote:
>
> Dear Alvaro and FIWARE Lab support team,
>
> We understand that you are facing a lot of pressure lately and we appreciate your continued support efforts.
>
> FIcontent is facing a serious challenge due to changes on the IdM and we really need your help urgently to unblock the situation before our review with Arian Zwegers on Thursday 28th. Everything was working fine until the IdM migration. In this e-mail, we describe 2 different problems and propose several solutions that you can implement to make this work.
>
> Our overall goal:
> - Having a browser-side JavaScript application that can authenticate FIWARE Lab users by using the IdM's OAuth2 feature. Then automating OpenStack API calls on behalf of the user inside his personal OpenStack tenant.
>
> Current blocking points:
> - We are trying to convert (as the Cloud Portal does) an IdM OAuth2 token to an OpenStack Keystone token.
>   o What we have:
>     § an IdM OAuth2 token retrieved when the user is redirected to 'account.lab.fiware.org' where he logs in and authorizes our application (https://account.lab.fiware.org/idm/myApplications/1d75df2ec0c1478db98a3c8db3169d63/).
>   o What we DON'T have:
>     § The user id
>     § The user name, email
>     § The user's tenant ID/name
>   o What we are using:
>     § The latest Jstack library by UPM (https://github.com/ging/jstack commit 7338b42)

In order to create an openstack token from an oauth token you have to perform the following request:

    POST http:/cloud.lab.fiware.org:4730/v3/auth/tokens
    body:
    {
      "auth": {
        "identity": {
          "methods": ["oauth2"],
          "oauth2": {
            "access_token_id": access_token
          }
        }
      }
    }

In order to check user information that you want (user id, user name) having an oauth2 token you have to perform the following request:

    http:/account.lab.fiware.org/user?access_token=token

as explained here: https://github.com/ging/fi-ware-idm/wiki/Using-the-FI-LAB-instance#get-user-information-and-roles

You can not retrieve info about tenants because the oauth2 token is an unscoped token.

> Technical detail of the steps:
> - The rest call to 'https://cloud.lab.fiware.org/keystone/v3/auth/tokens' returns the Keystone token in the http header 'x-subject-token'. The JavaScript code running inside the browser is unable to read this header due to CORS restrictions.
>   o Solution 1: put the resulting token in a 'X-Auth-Token' header too.
>   o Solution 2: put the token in the response's JSON body.
>   o Solution 3: update the CORS policies to allow using the 'Access-Control-Allow-Headers' to authorize the 'Access-Control-Request-Headers' and perhaps some other tweaks.

This is a behaviour imposed by openstack keystone, so we cannot change anything there. Anyway I don't understand your problem. You shouldn't have problems extracting the token, in fact I do so in the cloud portal.

> - We are missing one of the 2 values to properly use the previous API call:
>   o The user's tenant id:
>     § Because a call to the rest endpoint 'https://cloud.lab.fiware.org/keystone/v3/authorized_organizations/wzU_an_idm_token' or to the rest endpoint 'https://account.lab.fiware.org/user?access_token=wzU2_an_idm_token' returns an empty result
>       · Solution 1: grant rights to the 'FIC2Lab Runner' (1d75df2ec0c1478db98a3c8db3169d63) on the IdM. This is difficult for us to do because we don't have the necessary authorization or documentation.
>   o The user's tenant name:
>     § Because the call to the rest endpoint 'https://account.lab.fiware.org/user?access_token=wzU2_an_idm_token' is blocked by CORS policies.
>       · Solution 2: update the CORS policies

If you are a Basic user you do not have any organization authorised in the cloud portal. If you are a trial or a community user you will have your cloud organization authorised in the cloud portal.

In order to authorise other users inside your cloud organization:

1. Access https://account.lab.fiware.org and login
2. Switch to your Cloud organization using the "Switch session" option in the dropdown in the left upper corner.
3. Go to "Members" in the left side panel.
4. Add the user you want to authorize as a member of the org using the "Manage" button
5. Authorize the user inside Cloud Application giving him the role "Member" using the "Authorize" button

> Last 2 tickets:
> - https://jira.fi-ware.org:8443/browse/HELP-3055
> - https://jira.fi-ware.org:8443/browse/HELP-3061
>
> Thank you very much for your help.
>
> Best regards,
>
> Mario & Geoffroy
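The token exchange and the header-visibility problem discussed in this thread, as an added example that is not part of the thread and not code from jstack or the Cloud Portal. It builds the Keystone v3 "oauth2" request body exactly as the reply describes, and models the rule that decides whether browser JavaScript may read a response header across origins: besides the CORS-safelisted response headers, a header such as X-Subject-Token is readable only if the server lists it in Access-Control-Expose-Headers (Access-Control-Allow-Headers, mentioned in the original mail, governs request headers in the preflight and does not make a response header readable). The endpoint URL is the one quoted in the thread; the sample response headers and token values are constructed.

```javascript
// Added example, not from the FIWARE Lab thread. Endpoint URL as quoted in
// the thread; response headers and token values below are constructed.

const KEYSTONE_TOKENS_URL = 'https://cloud.lab.fiware.org/keystone/v3/auth/tokens';

// Keystone v3 request body for the "oauth2" auth method described in the reply.
function buildKeystoneAuthBody(accessToken) {
  if (typeof accessToken !== 'string' || accessToken.length === 0) {
    throw new TypeError('accessToken must be a non-empty string');
  }
  return {
    auth: {
      identity: {
        methods: ['oauth2'],
        oauth2: { access_token_id: accessToken },
      },
    },
  };
}

// Case-insensitive lookup in a plain header object (header names are case-insensitive).
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === want) return headers[key];
  }
  return undefined;
}

// Parse an Access-Control-Expose-Headers value ("A, B, C") into a lower-cased set.
function parseExposeHeaders(value) {
  if (!value) return new Set();
  return new Set(
    value.split(',').map((h) => h.trim().toLowerCase()).filter((h) => h.length > 0),
  );
}

// CORS-safelisted response headers: readable cross-origin without being exposed.
const SAFELISTED = new Set([
  'cache-control', 'content-language', 'content-length',
  'content-type', 'expires', 'last-modified', 'pragma',
]);

// Can browser JavaScript read `headerName` from this cross-origin response?
// Any non-safelisted header must appear in Access-Control-Expose-Headers; the
// "*" wildcard counts only for requests made without credentials.
function isHeaderReadable(headers, headerName, { credentialed = false } = {}) {
  const name = headerName.toLowerCase();
  if (SAFELISTED.has(name)) return true;
  const exposed = parseExposeHeaders(getHeader(headers, 'access-control-expose-headers'));
  if (exposed.has(name)) return true;
  return exposed.has('*') && !credentialed;
}

// Extract the Keystone token the way a browser client would see it:
// the token when present and exposed, otherwise null plus the reason.
function extractSubjectToken(headers) {
  const token = getHeader(headers, 'x-subject-token');
  if (token === undefined) return { token: null, reason: 'no X-Subject-Token header' };
  if (!isHeaderReadable(headers, 'x-subject-token')) {
    return { token: null, reason: 'X-Subject-Token not listed in Access-Control-Expose-Headers' };
  }
  return { token, reason: null };
}

// The live exchange, for use from a browser page; it is not executed here.
async function exchangeOauth2ForKeystoneToken(accessToken, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(KEYSTONE_TOKENS_URL, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(buildKeystoneAuthBody(accessToken)),
  });
  if (!res.ok) throw new Error(`Keystone returned HTTP ${res.status}`);
  // In a browser, headers.get() returns null for headers that were not exposed.
  const token = res.headers.get('X-Subject-Token');
  if (!token) throw new Error('Keystone token not readable; check Access-Control-Expose-Headers');
  return token;
}

// Constructed responses: the symptom from the thread, and the same response
// with the header exposed to the browser.
const RESPONSE_WITHOUT_EXPOSE = {
  'Content-Type': 'application/json',
  'X-Subject-Token': 'constructed-keystone-token',
  'Access-Control-Allow-Origin': 'https://app.example.test',
};
const RESPONSE_WITH_EXPOSE = {
  ...RESPONSE_WITHOUT_EXPOSE,
  'Access-Control-Expose-Headers': 'X-Subject-Token',
};
```

`extractSubjectToken(RESPONSE_WITHOUT_EXPOSE)` returns a null token with the exposure reason, which is the situation the original mail reports, while `extractSubjectToken(RESPONSE_WITH_EXPOSE)` returns the token. The same check can be run against a real response captured in the browser's network panel to confirm which side of the CORS rule a deployment is on.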