Fiware - How to integrate Keyrock IdM, Wilma PEP Proxy and Orion Context Broker?

2
votes

I read all the documentation of Keyrock and Wilma and I watched all the videos in the FIWARE Academy, but I still do not get success in this integration. I am searching for this since a few days ago, but without success. I think the FIWARE documentation could have tutorials, hands on...

I have a VM with Orion Context Broker and a container with Keyrock IdM and Wilma PEP Proxy. I am trying to generate an access token to grant access for an application, but I still did not get it. Besides, I would like to know how can I securely exchange messages between the Orion Context Broker and some IoT devices. Indeed, it is complicated to think about IoT devices having to access a screen and put their credentials to authenticate and to be authorized like the Keyrock IdM examples show. What do you sugest?

3
fiwarefiware-orionfiware-wilma
I recommend you to follow the steps explained in Lesson 3 of Keyrock courses (edu.fiware.org/course/view.php?id=79) to know how to create OAuth2 tokens. Detailed documentation can be faund here (fiware-idm.readthedocs.io/en/latest/oauth2.html). Regarding Orion questions, my colleagues from IoT team will help you.Álvaro Alonso
Reading the question post, not sure which specific question is for Orion... @Dalton, could you elaborate a little bit, please? Thx!fgalan
Dear @Alvaro , I already had watched all the videos in Fiware Academy, including the lesson 3 (I watched it two times). I had problems creating the access token in my local instance of IdM. I already had created the application in my IdM portal, what gave me the client ID and the secret ID. But I had doubts in how to request a valid access token. Now, after search a bit more, I found out and got an access token with a POST to idm:8000/oauth2/token. I tested it requesting the user info with idm:8000/user?access_token="mytoken" and it worked.Dalton Cézane
Now, I have another doubt, @Alvaro : what is the difference between the token got with POST idm:8000/oauth2/token (Keyrock Horizon) and the token got with GET idm:5000/v2.0/tokens (Keyrock Keystone)? Could you please explain me and give me examples?Dalton Cézane
@Dalton, tokens created using Keystone API (/v2.0/tokens) are exactly that, Keystone tokens used normally to perform actions with Openstack services. On the other hand, tokens created using the OAuth2 API (/oauth2/token) are access tokens used to authenticate users in the scope of external applications following OAuth2 specificationÁlvaro Alonso

3 Answers

2
votes

Seeing the answer of @albertinisg here, I found a bash script for token request. I changed it to use with my local instances and it worked.

After registering my application at FIWARE Portal (more information here), I had to make a POST request to http://idm:8000/oauth2/token (idm is my local instance of Keyrock). With this valid token, I can access the content in Orion.

import requests, json, getpass

TOKEN_URL = "http://idm:5000/v2.0/tokens"

USER = raw_input("Username: ")
PASSWORD = getpass.getpass("Password: ")
PAYLOAD = "{\"auth\": {\"passwordCredentials\": {\"username\":\""+USER+"\", \"password\":\""+PASSWORD+"\"}}}"
HEADERS =  {'content-type': 'application/json'}
RESP = requests.post(TOKEN_URL, data=PAYLOAD, headers=HEADERS)

PEP Proxy (Wilma) configuration (config.js):

config.app_host = 'my_orion_ip'; //change to your Orion address
config.app_port = '1026'; //change to your Orion port

config.username = 'pep_proxy_credential_obtained_at_portal';
config.password = 'password_obtained_at_portal';

With the valid token and the PEP Proxy (Wilma) server running with this configuration, it is possible to control the access to Orion doing a request to PEP Proxy address. The PEP Proxy will redirect this request to IdM (Keyrock) so that IdM can verify the user/device credentials. If the credentials are valid, the user/device will receive a valid token and now PEP Proxy can allow the access to Orion.

For HTTPS communication, I configured a Nginx server to act like a reverse proxy (.conf file): 

server {
   listen       443;
   server_name  orion;

   ssl                  on;
   ssl_certificate      /etc/nginx/ssl/orion.crt;
   ssl_certificate_key  /etc/nginx/ssl/orion.key;
   ...
   ...
   location / {
      #root   orion:1026;   #/var/www/yourdomain.com;
       #index  index.php index.html index.htm;
       proxy_set_header        Host $host;
       proxy_set_header        X-Real-IP $remote_addr;
       proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header        X-Forwarded-Proto $scheme;

       # Fix the “It appears that your reverse proxy set up is broken" error.
       proxy_pass          http://orion:1026;
       proxy_read_timeout  90;
       proxy_redirect      http://orion:1026 https://orion;
   }
}

I made a simple tutorial about the integration of FIWARE Orion, Wilma and Keyrock: https://www.slideshare.net/daltoncezane/integrating-fiware-orion-keyrock-and-wilma

I hope this answer can help someone else.

2
votes

Regarding Orion, it depends on the interface to be secured, either the service API (i.e. the listening REST server that Orion runs typically at port 1026), the notification API or both:

  • Regarding service API:
    • Authentication & authorization: it can be implemented through PEP. The following documentation introduces two PEP alternative implementations. However, note that PEP doesn't work standalone, as it also needs the IDM and Access Control to work. I understand that @Alvaro can explain this topic in detail (with regards to Wilma PEP). It is out of my knowledge.
    • Encryption: it can be implemented by a proxy acting as HTTPS-to-HTTP bridge (e.g. ngnix) or by Orion itself using the -https CLI parameter (which works in combination with -key and -cert). This section of the documentation elaborates on it.
  • Regarding notification API:
    • Authentication & authorization: the current implementation of custom notifications (see "Custom notifications" section in the NGSIv2 specification) allows you to include custom HTTP headers that could be used for authentication (e.g. the X-Auth-Token header needed by a PEP instance protecting your endpoint). Note that this is currently done in an static way, i.e. Orion is not able to interact directly with IDM/AccessControl to set the X-Auth-Token value dynamically after expiration, etc. However, it would be possible to develop a process able to do this and set the proper header (if you are interested in this I'd recommend to check "How to add a custom header in outgoing notifications with Orion?" post).
    • Encryption: it can be implemented relaying in Rush component. This section of the documentation elaborates on it.

UPDATE: since verion 1.7.0, Orion implements native HTTPS notifications (i.e. without needing Rush).

0
votes

The following presentation shows you step by step how to create a FIWARE-Based IoT Platform and to secure it using a PEP Proxy, Keystone and Keypass.

https://docs.google.com/presentation/d/18LaWZSK4h2wncPF6hNAwK5MToLvJesR3XLrzsqrsmrw/edit?usp=sharing

I hope this helps

thanks