3
votes

I have two users created by me: admin, with admin permissions, and another user, now with admin permissions too, but initially community (I'll be referring to this account as community).

I've registered an application with the community user and associated the admin later. As callbackUrl I've registered the address below in my keyrock instance

<keystone ip>:/oauth2/token 

The request I am making to get oauth2 follows below; it uses https://raw.githubusercontent.com/Bitergia/fiware-chanchan-docker/master/images/pep-wilma/4.3.0/auth-token.sh as a guideline. I've changed the user, pass, host, client id and app secret

curl -s --insecure -i --header "Authorization: Basic NmJjODMyMWMzNDQwNGVlYzkwYzNhNzhlYTU0ZTE2NjY6M2YwMzQyZjE4ZTM1NGI0ZDg5YjhlYWVkNTZmNGI5Mjc=" --header "Content-Type: application/x-www-form-urlencoded" -X POST http://<keyrock IP>/oauth2/token -d 'grant_type=password&username=<user>&password=<pass>&client_id=<clientID>&client_secret=<secret>'

The request reaches the keystone and it replies with a 404 (access token not found).

When I try to get oauth2 tokens from keyrock for both the admin and the community, it says

Error: Root - User access-token not authorized

I can log in to horizon with both users.

What did I miss in order to get an oauth2 token from idm?

Edit: Code used to create users:

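# Fragment from a fabric task: `keystone` is an authenticated Keystone client
# and `_register_user` is the helper used to create the test accounts.
users_default_pass = '...'
user0 = _register_user(keystone, "user0", passwd=users_default_pass)
# Grant the 'community' role to the new user on its default project.
keystone.roles.grant(user=user0.id,
                     role=keystone.roles.find(name='community'),
                     project=user0.default_project_id)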

Edit2: raw request and response from keystone captured with tcpflow

request:

POST /oauth2/token HTTP/1.1
User-Agent: curl/7.35.0
Host: 130.206.118.xxx:5000
Accept: */*
Authorization: Basic ZWU2YmFjMWNjOTQ3NDdhNmI4MTU3NDdiNDk5NmVhZjQ6NTRkY2NjMjgxODhhNDMxYTk4OTY3MjkwN2UxYjIxYzY=
Content-Type: application/x-www-form-urlencoded
Content-Length: 143

grant_type=password&username=admin&password=admin&client_id=ee6bac1cc94747a6b815747b4996eaf4&client_secret=54dccc28188a431a989672907e1b21c6
write error to stdout

response:

HTTP/1.1 404 Not Found
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 93
Date: Wed, 09 Sep 2015 09:46:19 GMT

{"error": {"message": "The resource could not be found.", "code": 404, "title": "Not Found"}}
write error to stdout
1
How did you create the users and assign the permissions? If you used the Keystone REST API, could you provide the requests you sent? Just to try to reproduce it – albertinisg
I just replicated the python code used to create test accounts (inside a fabric task). I merely changed the username. I then ran the solution given here: stackoverflow.com/questions/32092430/… to give admin to every account – jccampos
Ok, I'll try to reproduce it and give you an answer! :) – albertinisg
I cannot reproduce the error. I've created a user as you said, and I can retrieve the token both using curl and the script. The response 404 access token not found sounds really strange to me for that request. Which response does curl return? – albertinisg
@albertinisg I'll edit the main post to contain the raw request and response – jccampos

1 Answer

4
votes

Took me a while to find it :)

In KeyRock, oauth2 is implemented in Horizon. Looking at your request, I've found a couple of things:

  • You are using HTTP instead of HTTPS
  • Requests are being sent against port 5000 (usually Keystone)

That made me think that your requests are going against Keystone.

By default, KeyRock handles oauth2 requests at Horizon, which means you should use HTTPS and port 443. As you said, doing requests against Keystone fails:

  HTTP/1.1 404 Not Found
  Vary: X-Auth-Token
  Content-Type: application/json
  Content-Length: 93
  Date: Wed, 09 Sep 2015 15:36:34 GMT

  {"error": {"message": "The resource could not be found.", "code": 404, "title": "Not Found"}}

Make sure you do the request against Horizon with HTTPS and port 443 and everything should work!
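
An added example, not part of the original answer or of KeyRock itself: a preflight check that refuses to send the password-grant request unless the token URL is HTTPS on port 443, and names port 5000 (Keystone) as the cause seen in this question. It assumes a default deployment; `idm.example.org` and the credentials are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: preflight check for a KeyRock OAuth2 token request.
# idm.example.org and all credentials used here are constructed placeholders.

# Print "ok" for an HTTPS URL on port 443, else the reason it is rejected.
check_token_endpoint() {
    case $1 in
        https://*) scheme=https ;;
        http://*)  scheme=http ;;
        *) echo "unsupported-scheme"; return 1 ;;
    esac
    hostport=${1#*://}          # strip the scheme
    hostport=${hostport%%/*}    # strip the path
    case $hostport in
        *:*) port=${hostport##*:} ;;
        *)   [ "$scheme" = https ] && port=443 || port=80 ;;
    esac
    if [ "$port" = 5000 ]; then echo "keystone-port"; return 1; fi
    if [ "$scheme" != https ]; then echo "not-https"; return 1; fi
    if [ "$port" != 443 ]; then echo "unexpected-port"; return 1; fi
    echo "ok"
}

# Value for "Authorization: Basic ...": base64 of client_id:client_secret.
basic_auth_value() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Args: url client_id client_secret username password
# Same form fields as the request in the question; certificate
# verification is left on (no --insecure).
request_token() {
    verdict=$(check_token_endpoint "$1") || {
        echo "refusing $1: $verdict" >&2; return 1; }
    curl -s -i \
        --header "Authorization: Basic $(basic_auth_value "$2" "$3")" \
        --data-urlencode "grant_type=password" \
        --data-urlencode "username=$4" --data-urlencode "password=$5" \
        --data-urlencode "client_id=$2" --data-urlencode "client_secret=$3" \
        "$1"
}

# Offline demo on constructed URLs (no request is sent).
for u in "http://idm.example.org:5000/oauth2/token" \
         "https://idm.example.org/oauth2/token"; do
    printf '%s -> %s\n' "$u" "$(check_token_endpoint "$u")"
done
```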