
I have installed Orion Context Broker and the PEP proxy on my machine. I am targeting the global instances of KeyRock and AuthZForce to authenticate the context broker.

Here is my config.js:

var config = {};

config.pep_port = 1307;

// Set this var to undefined if you don't want the server to listen on HTTPS
config.https = {
    enabled: false,
    cert_file: 'cert/cert.crt',
    key_file: 'cert/key.key',
    port: 443
};

config.account_host = 'https://account.lab.fiware.org';
config.keystone_host = 'cloud.lab.fiware.org';
config.keystone_port = 4731;


config.app_host = 'localhost';
config.app_port = '1026';

config.username = '<my fiware lab username>';
config.password = '<my fiware lab pass>';



// in seconds
config.chache_time = 300;

// if enabled PEP checks permissions with AuthZForce GE.
// only compatible with oauth2 tokens engine
config.azf = {
    enabled: false,
    host: 'auth.lab.fiware.org',
    port: 6019,
    path: '/authzforce/domains/d698df7f-ffd4-11e4-a09d-ed06f24e1e78/pdp'
};

// list of paths that will not check authentication/authorization
// example: ['/public/*', '/static/css/']
config.public_paths = [];

// options: oauth2/keystone
config.tokens_engine = 'oauth2';

config.magic_key = undefined;

module.exports = config;

When I run node server.js I successfully get:

Starting PEP proxy in port 1307. Keystone authentication ...
Success authenticating PEP proxy. Proxy Auth-token:  e2189bdc1a8b4aae9280b0fd5a6ae8a0

Following this installation and administration guide I ran the following command:

curl --header "X-Auth-Token:e2189bdc1a8b4aae9280b0fd5a6ae8a0" http://localhost:1307

From there I get this message:

[TOKEN] Checking token with IDM...
User access-token not authorized

I am seriously at a loss here and don't know how to access the context broker via these three intermediaries.

Whose host am I supposed to ask a token from?

I don't know if I am even asking the right questions. The point of all this is to secure access to the context broker.

Edit 1

After setting up the auth-token.sh, I got the following error:

<orionError>
  <code>400</code>
  <reasonPhrase>Bad Request</reasonPhrase>
  <details>service not found</details>
</orionError>

The node server.js reported this:

Starting PEP proxy in port 1307. Keystone authentication ...
Success authenticating PEP proxy. Proxy Auth-token:  b90604bc94134c1a81414e97a23196f3


[TOKEN] Checking token with IDM...
[ROOT] Access-token OK. Redirecting to app...

Previously the command sh auth-token.sh <username> <pass> gave me:

X-Auth-Token for '<my email on fiware lab>': OxFTGtMM6ckBa7FQCUmwvvhj6GQYFc

and then I just ran curl --header "X-Auth-Token:OxFTGtMM6ckBa7FQCUmwvvhj6GQYFc" http://localhost:1307 which gave me the aforementioned error.

frb
Vrankela

2 Answers

The token shown in the boot screen of the PEP Proxy is not the one you need to authenticate at the PEP Proxy. Please have a look at the description here: Wilma pep proxy and keystone - valid access token not found.

The easy way is the following:

Download the file provided here: https://raw.githubusercontent.com/Bitergia/fiware-chanchan-docker/master/images/pep-wilma/4.3.0/auth-token.sh

Replace the CLIENT_ID and CLIENT_SECRET with the ones you get from the FIWARE Lab. Also replace https://idm/oauth2/token with https://account.lab.fiware.org/oauth2/token. Then just run:

   sh auth-token.sh <user-email> <password>

The script will display the auth token for the user account you have used. Then you can run the following to access the Orion Context Broker:

   curl --header "X-Auth-Token: <AUTH-TOKEN-DISPLAYED>" http://localhost:1307

You should now receive a proper response from Orion, which should run, based on your configuration, on port 1026. Also make sure you have configured the redirect URL in the FIWARE Lab correctly.

geissler
  • I still have a problem and just updated my question, look for Edit 1 please. Keep in mind that I double checked and that context broker is indeed running. – Vrankela Aug 31 '15 at 07:01

The answer given by @geissler is correct. Regarding Edit 1, this is not an error returned by the PEP, AuthZForce or KeyRock; it is an error regarding Orion Context Broker usage.

Doing

curl --header "X-Auth-Token:OxFTGtMM6ckBa7FQCUmwvvhj6GQYFc" http://localhost:1307

You are not querying any operation, and that's why you receive this error. Please check the Orion User and Programmers Guide to find out how to use Orion Context Broker.

For end to end testing, you can always query Orion just to retrieve the Version by doing:

curl --header "X-Auth-Token:OxFTGtMM6ckBa7FQCUmwvvhj6GQYFc" http://localhost:1307/version 

So if you get it, you will properly access the protected Orion.

albertinisg
  • it works when I query the info, for example: `curl --header "X-Auth-Token:OxFTGtMM6ckBa7FQCUmwvvhj6GQYFc" http://localhost:1307/v1/queryContext -s -S --header 'Content-Type: application/json' --header 'Accept: application/json' -d @- | python -mjson.tool) < ` command if I am not physically in the folder like now? Is there a curl or http get command for this? – Vrankela Aug 31 '15 at 11:14
  • It depends on where you have the script and from where you are executing it. For example, we are using docker and, to run the script outside the container, we use `docker exec` against the container, like `docker exec -i -t auth-token.sh user0@test.com test`. If you are using a virtual machine, you can launch it through `ssh`, just doing `ssh user@host "sh auth-token.sh | awk '{print \$1}'"` – albertinisg Aug 31 '15 at 12:12
  • The point of my question is to acquire the token. Is there another way to achieve this or must I use the shell script with the method you just described? For instance can I use java to get the token? – Vrankela Aug 31 '15 at 14:16
  • You can achieve it using java or any language you would like to. We've used `bash` for simplicity, but of course you can use java, python, javascript or any language you feel more comfortable with. Just make sure you follow one of the two supported types of oauth2 authentication as stands here https://github.com/ging/fi-ware-idm/blob/master/doc/oauth2.md – albertinisg Sep 01 '15 at 12:20
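As an added illustration of the flow the two answers describe (obtain a user token from KeyRock, then present it as X-Auth-Token to the Wilma PEP proxy in front of Orion), here is a small Python script that does in code what auth-token.sh does in bash. This is example code written for this page, not the Bitergia script or any FIWARE project code. It assumes the OAuth2 resource-owner password grant documented in the linked oauth2.md (client credentials sent as HTTP Basic, user credentials in the form body), the token endpoint https://account.lab.fiware.org/oauth2/token from the first answer, and the PEP listening on localhost:1307 as in the question's config.js. CLIENT_ID and CLIENT_SECRET are placeholders for the values of an application registered in the FIWARE Lab. The request-building and response-parsing steps are separate functions so they can be checked without network access; the network calls only run from the main block.

```python
"""Get a KeyRock OAuth2 token and call Orion through the Wilma PEP proxy.

Added example for this Q&A; not code from the original page or from FIWARE.
"""
import base64
import getpass
import json
import sys
import urllib.parse
import urllib.request

# Placeholders: register an application in the FIWARE Lab IdM to obtain these.
CLIENT_ID = "<your-client-id>"
CLIENT_SECRET = "<your-client-secret>"
# Token endpoint named in the first answer; PEP port from the question's config.
TOKEN_URL = "https://account.lab.fiware.org/oauth2/token"
PEP_URL = "http://localhost:1307"


def build_token_request(client_id, client_secret, username, password,
                        token_url=TOKEN_URL):
    """Return (url, headers, body) for the password grant.

    The application authenticates with HTTP Basic (client_id:client_secret);
    the user's credentials travel in the urlencoded form body, as the
    auth-token.sh script does. The token is then for the *user*, which is
    what the PEP checks, not the proxy's own token printed at startup.
    """
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
    })
    return token_url, headers, body


def extract_access_token(response_body):
    """Pull access_token out of the JSON token response; fail loudly otherwise."""
    data = json.loads(response_body)
    if "access_token" not in data:
        raise ValueError(f"token endpoint returned no access_token: {data}")
    return data["access_token"]


def build_pep_request(token, path="/version", pep_url=PEP_URL):
    """Return (url, headers) for a request through the PEP proxy.

    The proxy validates X-Auth-Token with the IdM and forwards to Orion.
    '/' is not an Orion operation, which is why Edit 1 saw a 400
    'service not found' from Orion itself; /version is the simplest
    end-to-end check, as the second answer suggests.
    """
    if not path.startswith("/"):
        raise ValueError("path must start with '/'")
    return pep_url + path, {"X-Auth-Token": token, "Accept": "application/json"}


def post_form(url, headers, body):
    """POST an urlencoded body and return the response text."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers,
                                 method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def get(url, headers):
    """GET and return (status, response text)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    user = sys.argv[1] if len(sys.argv) > 1 else input("FIWARE Lab e-mail: ")
    pwd = getpass.getpass("password: ")
    url, hdrs, body = build_token_request(CLIENT_ID, CLIENT_SECRET, user, pwd)
    token = extract_access_token(post_form(url, hdrs, body))
    status, text = get(*build_pep_request(token, "/version"))
    print(status, text)
```

Run it as `python3 pep_token.py <user-email>`; the password is read without echo. Reading credentials from arguments or the environment, as the shell script does, leaves them in shell history and process listings, so the prompt is deliberate.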