OAuth 2.0-based authentication of users and devices, user profile management, Single Sign-On (SSO) and Identity Federation across multiple administration domains.
We're trying to get the PEP Proxy to check the permissions in the IDM and take the Fiware-Service / NGSILD-Tenant header into account.
The Wilma PEP Proxy allows us to set the PEP_PROXY_TENANT_HEADER env, which in turn sets the config.authorization.header config var. This together with Keyrock's permissions, which allows us to set the service header value (added through #157, if I'm correct):
But, unfortunately, it's not working.
When trying to fetch entities through the PEP Proxy, with an Oauth2 access token which has the above-mentioned permission, the access is denied: User access-token not authorized.
If we uncheck the "Use Authorization Service Header" value in the permission, it does work.
Now I've been digging through the code of both the IDM and the PEP Proxy to see what's happening under the hood. So far, I've followed it too:
I've been using v7.9.2 of both GE's. And, I've tried using the latest v8.4.0 versions of both, which also had interesting results. Instead of the request being denied when the permission has the "Use Authorization Service Header" enabled, it ignores it entirely, and allows any value to be passed. Making it possible to fetch entities from any tenant, regardless of the permissions configured value.
Hoping anyone has some idea of what might be the issue. And, whether the above-mentioned functionality is actually supported, as I haven't found any references in the documentation.
Hey guys,
We're trying to get the PEP Proxy to check the permissions in the IDM and take the
Fiware-Service/NGSILD-Tenantheader into account.The Wilma PEP Proxy allows us to set the
PEP_PROXY_TENANT_HEADERenv, which in turn sets theconfig.authorization.headerconfig var. This together with Keyrock's permissions, which allows us to set the service header value (added through #157, if I'm correct):But, unfortunately, it's not working.
When trying to fetch entities through the PEP Proxy, with an Oauth2 access token which has the above-mentioned permission, the access is denied:
User access-token not authorized.If we uncheck the "Use Authorization Service Header" value in the permission, it does work.
Now I've been digging through the code of both the IDM and the PEP Proxy to see what's happening under the hood. So far, I've followed it too:
&authorization_service_headerquery parameter with the above fetched value to the request, which goes to the IDMauthorization_service_headerquery parameter and passing it into the authenticate methodsuse_authorization_service_headerenabled, checking theauthorization_service_headervalue against theoptions.service_headerI've been using v7.9.2 of both GE's. And, I've tried using the latest v8.4.0 versions of both, which also had interesting results. Instead of the request being denied when the permission has the "Use Authorization Service Header" enabled, it ignores it entirely, and allows any value to be passed. Making it possible to fetch entities from any tenant, regardless of the permissions configured value.
Hoping anyone has some idea of what might be the issue. And, whether the above-mentioned functionality is actually supported, as I haven't found any references in the documentation.
Thanks in advance!
Rob