Configuring Fiware PEP Proxy, Keyrock and Orion Context Broker


I'm trying to integrate Keyrock and PEP Proxy in order to secure access to the Context Broker, but I'm having some issues.

What I want to achieve is that only certain users registered in Keyrock can access the Context Broker.

I followed the FIWARE tutorials, but in that development scenario there is an application listening on port 3000 that is registered in Keyrock. How can I get the same result without that tutorial application? Can't I secure access to the Context Broker without an application?

If it's possible, some help would be nice. Here is the relevant part of my docker-compose file:

keyrock:
    image: fiware/idm:${KEYROCK_VERSION}
    container_name: fiware-keyrock
    hostname: keyrock
    networks:
      default:
        ipv4_address: 172.18.1.5
    depends_on:
        - mysql-db
    ports:
        - "${KEYROCK_PORT}:${KEYROCK_PORT}" # localhost:3005
        - "${KEYROCK_HTTPS_PORT}:${KEYROCK_HTTPS_PORT}" # localhost:3443
    environment:
        - "DEBUG=idm:*"
        - "IDM_DB_HOST=mysql-db"
        - "IDM_DB_PASS_FILE=/run/secrets/my_secret_data"
        - "IDM_DB_USER=root"
        - "IDM_PORT=${KEYROCK_PORT}"
        - "IDM_HOST=http://localhost:${KEYROCK_PORT}"
        - "IDM_HTTPS_ENABLED=${IDM_HTTPS_ENABLED}"
        - "IDM_HTTPS_PORT=${KEYROCK_HTTPS_PORT}"
        - "IDM_ADMIN_USER=admin"
        - "[email protected]"
        - "IDM_ADMIN_PASS=1234"
    secrets:
        - my_secret_data
    healthcheck:
        interval: 5s
# Database
mysql-db:
    restart: always
    image: mysql:${MYSQL_DB_VERSION}
    hostname: mysql-db
    container_name: db-mysql
    expose:
      - "${MYSQL_DB_PORT}"
    ports:
      - "${MYSQL_DB_PORT}:${MYSQL_DB_PORT}"
    networks:
      default:
        ipv4_address: 172.18.1.6
    environment:
      - "MYSQL_ROOT_PASSWORD_FILE=/run/secrets/my_secret_data"
      - "MYSQL_ROOT_HOST=172.18.1.5" # Allow Keyrock to access this database
    volumes:
      - mysql-db:/var/lib/mysql
    secrets:
      - my_secret_data

orion-proxy:
    image: fiware/pep-proxy
    container_name: fiware-orion-proxy
    hostname: orion-proxy
    networks:
      default:
        ipv4_address: 172.18.1.10
    depends_on:
        - keyrock
    ports:
        - "1027:1027"
    expose:
        - "1027"
    environment:
        - PEP_PROXY_APP_HOST=orion
        - PEP_PROXY_APP_PORT=1026
        - PEP_PROXY_PORT=1027
        - PEP_PROXY_IDM_HOST=keyrock
        - PEP_PROXY_HTTPS_ENABLED=false
        - PEP_PROXY_AUTH_ENABLED=false
        - PEP_PROXY_IDM_SSL_ENABLED=false
        - PEP_PROXY_IDM_PORT=3005
        - PEP_PROXY_APP_ID= <Obtained in Keyrock>
        - PEP_PROXY_USERNAME= <Obtained in Keyrock>
        - PEP_PASSWORD= <Obtained in Keyrock>
        - PEP_PROXY_PDP=idm
        - PEP_PROXY_MAGIC_KEY=1234

To test it, I registered a test application with URL localhost:1026 (the Orion Context Broker URL) with a PEP Proxy (from which I got PEP_PROXY_APP_ID, PEP_PROXY_USERNAME and PEP_PASSWORD).

When I run the docker containers it works, but the problem comes when I try to get an access token using this bash script (changing CLIENT_ID and CLIENT_SECRET to those obtained in the OAuth2 field of the application, and https://idm/oauth2/token to http://localhost:3005/oauth2/token) with admin credentials.

I get an invalid_client: Invalid client: client is invalid error.

If you need to see any more file just ask me.


1 answer

Alejandro Pozo Huertas

Regarding the first question: yes, it is mandatory to create a Keyrock application to protect Orion. You also have to create some roles and permissions in the application and assign them to the users you want. Check the FIWARE tutorial about roles and permissions.

Regarding the "client is invalid" error, I guess something went wrong in the bash script when parsing the credentials from the JSON file. I have tested hardcoding the client id, client secret and username/password in the bash script, and Keyrock creates the token successfully (check also how the access token is displayed, as Keyrock's response is JSON).