InvalidAuthenticationToken while trying to access Orion-LD #155

Open
emiliocimino opened this issue Oct 3, 2023 · 1 comment

Comments

@emiliocimino

Dear all,

I would like to understand what is not working in the overall system I set up. The idea is just protecting Orion-LD with a pep-proxy, without the use of specific portals and apps. I will provide a series of screenshots, from the docker-compose configuration to all logs.

Let me premise that the idea of the configuration is to provide the minimum set of components necessary to allow users to GET/PATCH some of the ORION resources, such as "entities" and "subscriptions" based on a role assigned to a user. To achieve this, I made a docker-compose with orion, keyrock and wilma.

  • The first doubt starts here: do I need level 2 (basic authorization) or level 3 (ABAC authorization) to achieve this? Because it seems quite confusing. From what I understood, to achieve User+HTTP Verb+Resource access a basic authorization is sufficient; however, from other tutorials it seems I need to set up ABAC.

To cut through the bull, I added AuthZforce to the docker compose. The configuration is the following one:
image
image
image
image

All components set up correctly, so I am sure they started correctly.
The first thing I did was open the Keyrock GUI and create a user, an application, a role and two permissions:
image
with authorized users:
image
with role:
image
and permissions:
image
image
Once everything was set up, I noticed that AuthZForce successfully created its policy in a folder.

Then I opened postman, trying to follow different routes for accessing orion. I premise that I'm now showing the administrator user, however the same problem happened with the newly-created user.
The basic flow:
image
image
image
Not working; however, with this token I am able to query Keyrock APIs (i.e. obtaining information) about the pep-proxy of the app, roles, permissions, etc.:
image

Oauth2 flow:
image
image
Not working, not even for searching pep-proxy info:
image

Then, the following screenshots are about docker logs:

  • Keyrock: creation of an oauth2 token + test access resource
    image
  • Wilma: authorizing user
    image
  • AuthZForce: Doing nothing after starting
    image

From what I understood, the PEP proxy is not working properly, for some reason. Any clue? I hope I described the problem well. If you think this should be an issue for another repository, please feel free to move it.
Thanks everyone.

@SandeepKundalwal

Hey @emiliocimino

I am facing the same issue. Were you able to solve this?
