Hi!

I have been battling with this on and off all week following every tutorial both video and written I can find, but whatever I try I have not been able to get past "User not authorized in application" even though I am convinced my test user is authorized to use the application.

I am using the lab tutorials.PEP-Proxy docker containers for this exercise without Authzforce - I do not believe we need a complicated level of authorization at this stage and so I want to keep things as simple as possible.

Here are my steps:

Using Keyrock GUI: <http://www.chalmers.se>

1. Create user

2. Create application with PEP proxy but do not add new user as authorized user to application at this stage.

3. Create simple new permission "get-store" and assign to new role "test-get".

In a terminal:

4. Using the new application client_id and client_secret, create an authorization token:

    $ echo -n client_id:client_secret | base64 -w 0
    NjU5Zm...DmU1Nw==

5. Using the authorization token from step 4, the user's email address as the username and the user's password, generate an access token:

    $ curl -X POST 'http://localhost:3005/oauth2/token' -H 'Accept: application/json' -H 'Authorization: Basic NjU5ZmQyND.........mU1Nw==' -H 'Content-Type: application/x-www-form-urlencoded' --data "username=user@email.com&password=password&grant_type=password"
    {"access_token":"edd91b...e35e00","token_type":"bearer","expires_in":3599,"refresh_token":"ff719d...2dfbe5","scope":["bearer"]}

6. Check if user authorized for application - as expected: "authorization_decision":"Deny"

    $ curl -X GET 'http://localhost:3005/user?access_token=edd91b...e35e00&action=GET&resource=/v2/entities/test&app_id=application_client_id'
    {"organizations":[],"displayName":"","roles":[],"app_id":"application_client_id","trusted_apps":[],"isGravatarEnabled":"","id":"user_id","authorization_decision":"Deny","app_azf_domain":"","eidas_profile":{},"attributes":{},"shared_attributes":"","username":"username","email":"user@email.com","image":"","gravatar":"","extra":""}

7. Now (in Keyrock GUI) add new user as authorized user with role "test-get" to the application and check again - now: "authorization_decision":"Permit" for role "test-get"

    $ curl -X GET 'http://localhost:3005/user?access_token=edd91b...e35e00&action=GET&resource=/v2/entities/test&app_id=application_client_id'
    {"organizations":[],"displayName":"","roles":[{"id":"role_id","name":"test-get"}],"app_id":"app_id","trusted_apps":[],"isGravatarEnabled":"","id":"user_id","authorization_decision":"Permit","app_azf_domain":"","eidas_profile":{},"attributes":{},"shared_attributes":"","username":"username","email":"user@email.com","image":"","gravatar":"","extra":""}

8. Back in a terminal as user, attempt to retrieve store information:

    $ curl -iX GET http://localhost:1027/v2/entities/urn:ngsi-ld:Store:001 -H 'X-Auth-token: edd91b...e35e00'
    HTTP/1.1 401 Unauthorized
    ...
    User not authorized in application

pep-orion-proxy log shows:

    2021-02-26T08:20:35.204 - INFO: IDM-Client - Checking token with IDM...
    2021-02-26T08:20:35.225 - ERROR: IDM-Client - Error in IDM communication "User not authorized in application"
    2021-02-26T08:20:35.226 - ERROR: Root - User not authorized in application

keyrock log shows:

    Fri, 26 Feb 2021 08:21:10 GMT idm:oauth_controller --> authenticate_token
    Fri, 26 Feb 2021 08:21:10 GMT idm:oauth_controller --> authenticate_bearer
    Fri, 26 Feb 2021 08:21:10 GMT idm:oauth2-model_oauth_server -------getAccesToken-------
    Fri, 26 Feb 2021 08:21:10 GMT idm:oauth2-model_oauth_server -------create_oauth_response-------
    Fri, 26 Feb 2021 08:21:10 GMT idm:oauth2-model_oauth_server -------search_user_info-------
    Fri, 26 Feb 2021 08:21:10 GMT idm:oauth2-model_oauth_server -------trusted_applications-------
    Fri, 26 Feb 2021 08:21:10 GMT idm:oauth2-model_oauth_server -------user_roles-------
    Fri, 26 Feb 2021 08:21:10 GMT idm:oauth2-model_oauth_server -------user_permissions-------
    Fri, 26 Feb 2021 08:21:10 GMT idm:oauth_controller Error { message: 'User not authorized in application', code: 401, title: 'Unauthorized' }

I'm sure I'm missing something but I'm not sure exactly what - please can you help me get over this hurdle?

Thank you so much!

Taz
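
Steps 4 to 7 of the message above, restated as an added Python example (not part of the original post and not FIWARE code): it builds the same Keyrock requests with every parameter URL-encoded and reduces a /user response to the fields the post compares. The function names are hypothetical, the address is the one used in the post, and all credentials and response bodies are constructed.

```python
import base64
import json
import urllib.parse
import urllib.request

IDM = "http://localhost:3005"  # Keyrock address used in the post


def basic_auth_header(client_id, client_secret):
    """Step 4: base64 of client_id:client_secret with no trailing newline."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def password_grant_request(client_id, client_secret, username, password):
    """Step 5: build (not send) the POST to /oauth2/token."""
    # urlencode() escapes '@', '&', '+' and '%', so a password containing
    # them cannot spill into extra form fields.
    form = {"username": username, "password": password,
            "grant_type": "password"}
    return urllib.request.Request(
        IDM + "/oauth2/token",
        data=urllib.parse.urlencode(form).encode(),
        method="POST",
        headers={
            "Accept": "application/json",
            "Authorization": basic_auth_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def decision_url(access_token, action, resource, app_id):
    """Steps 6 and 7: the GET /user URL with every parameter escaped."""
    query = urllib.parse.urlencode({
        "access_token": access_token, "action": action,
        "resource": resource, "app_id": app_id})
    return f"{IDM}/user?{query}"


def summarize(user_json, queried_app_id):
    """Reduce a /user response body to the fields compared in steps 6-7."""
    info = json.loads(user_json)
    return {
        "decision": info.get("authorization_decision"),
        "roles": [role["name"] for role in info.get("roles", [])],
        # Added sanity check (not in the post): same app as was queried?
        "app_id_matches": info.get("app_id") == queried_app_id,
    }
```

Passing the request object to urllib.request.urlopen() sends it; the response body of the /user call can be handed to summarize() as text.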