Our authentication process uses the refresh_token grant type to obtain an access_token that can be used to authenticate the request to the Context Broker.

Following the standard (https://tools.ietf.org/html/rfc6749#section-5.2), it seems that error response codes should be HTTP 400 (bad request). Nevertheless, in our tests Keyrock is returning HTTP 500 Internal Server Error. Moreover, the standard states that the error description shall appear in a field called ‘error’ but Keyrock returns this value as part of a field called ``name` together with some additional information (status, code, message, statusCode). It’s curious that the field statusCode is actually 400…

I could not get details about the version of the component that it is running in one instance. It should follow the FIWARE recommendation defined in the document:

Add /version to the RESTful API

.travis is missing a before_script check to ensure the files are linted - i.e. npm run lint

Related PR - #69

• Adding a lint check is a SHOULD requirement from the TSC

i'm using the idm 7.5.0 Docker container, and when i want to create an application using the Oauth2 API, or i want to assign a permission or a role using the API, the result is an internal server error 500.

The API can detect when the application creation request lacks of the redirect uri, but when this is included always presents the error.

I'm trying to execute the FIWARE Idm behind a firewall (I'm using the docker version), but it is really difficult because it seems that some background parts use a range of ports to connect to the (i think it is a) backend.
Specifically, I noticed (through tshark) that it uses a port among 47870 and 47900 to run the server, but I'm not sure they are limited to this range only.

Is there any way of specifying such interval or, better, choose a fixed port?

Thank you in advance

With the following docker compose,

  keyrock:
    image: fiware/idm
    container_name: fiware-keyrock
    hostname: keyrock
    depends_on:
      - mysql-db
      - authzforce
    ports:
      - "3005:3005"
    environment:
      - IDM_PDP_LEVEL=advanced
      - IDM_AUTHZFORCE_ENABLED=true
      - IDM_AUTHZFORCE_HOST=authzforce
      - IDM_AUTHZFORCE_PORT=8080
    secrets:                
      - my_secret_data

  authzforce:
    image: fiware/authzforce-ce-server
    hostname: authzforce
    container_name: fiware-authzforce
    ports: 
      - "8080:8080"

When updating an application's roles and permissions, the policies are not sent to Authzforce.

The Debug log states:

Connection with Authzforce: 200
...
web-authzforce_controller DOMAIN OF APPLICATION IS: gQqnLOnIEeiBFQJCrBIBDA
web-authzforce_controller POLICY ID: f8194af5-8a07-486a-9581-c1f05d05483c
web-authzforce_controller VERSION OF POLICY: 1
web-authzforce_controller RESPONSE CODE FROM POLICY ACTIVATION: 406
web-authzforce_controller Authzforce activate policy: error

Hello dear support,
please help 2 weeks i am struggling to get work Biz Ecosystem with my local fiware-idm.
It's working perfectly with the online lab but with my local fiware-idm it's trowing:

invalid_scope: Invalid scope: Requested scope is invalid
at new InvalidScopeError (/opt/fiware-idm/node_modules/oauth2-server/lib/errors/invalid-scope-error.js:25:14)
at /opt/fiware-idm/node_modules/oauth2-server/lib/grant-types/abstract-grant-type.js:117:17
at tryCatcher (/opt/fiware-idm/node_modules/bluebird/js/release/util.js:16:23)
at Promise._settlePromiseFromHandler (/opt/fiware-idm/node_modules/bluebird/js/release/promise.js:512:31)
at Promise._settlePromise (/opt/fiware-idm/node_modules/bluebird/js/release/promise.js:569:18)
at Promise._settlePromiseCtx (/opt/fiware-idm/node_modules/bluebird/js/release/promise.js:606:10)
at Async._drainQueue (/opt/fiware-idm/node_modules/bluebird/js/release/async.js:138:12)
at Async._drainQueues (/opt/fiware-idm/node_modules/bluebird/js/release/async.js:143:10)
at Immediate.Async.drainQueues (/opt/fiware-idm/node_modules/bluebird/js/release/async.js:17:14)
at runCallback (timers.js:810:20)
at tryOnImmediate (timers.js:768:5)
at processImmediate [as _immediateCallback] (timers.js:745:5)
statusCode: 400,
status: 400,
code: 400,
message: 'Invalid scope: Requested scope is invalid',
name: 'invalid_scope'

Hello, I have checked the date of the last image (/fiware/idm) on dockerhub is older than the last commits date, in particular the integration of postgres support is 21 days old, and the last image is one month old:
https://hub.docker.com/r/fiware/idm/tags
also it seems there's no automated build.

wich is the substitute of the Openstack API for the managment of roles, users and permissions?

In the previous version for example, to generate a token for manage keystone the Request has this structure:

curl -i \
  -H "Content-Type: application/json" \
  -d '
{ "auth": {
    "identity": {
      "methods": ["password"],
      "password": {
        "user": {
          "name": "[email protected]",
          "domain": { "id": "default" },
          "password": "1234"
        }
      }
    }
  }
}' \
  "http://localhost:3000/v3/auth/tokens" ; echo

But in this version the response is this:

{
    "error": {
        "message": "Expecting to find name and password or token in body request",
        "code": 400,
        "title": "Bad Request"
    }
}

The funniest part is that playing with the json structure when this is the request:

curl -i \
  -H "Content-Type: application/json" \
  -d '
{
	"name": "[email protected]",
        "password": "1234"
}' \
  "http://localhost:3000/v3/auth/tokens" ; echo

this is the answer:

{
    "token": {
        "methods": [
            "password"
        ],
        "expires_at": "2018-05-02T12:29:23.662Z"
    }
}

And presents an 401 error in the response if the password or name is wrong, In any case the token is useless,

I'm trying to fetch all users authorized in an application including username, email and roles with a defined role Administrator into the application but it seems to be impossible (If not, please tell me how).

So my approach now (only for this use case) is to make admin users (In IDM) to those who below to this mentioned application with Administrator role in order to get /users using the idm API.

Am I lost and is this possible or I should build a service between my front app and the idm or fork the project?

npm start

[email protected] start /home/raiuli/fiware-idm
node ./bin/www

sequelize deprecated String based operators are now deprecated. Please use Symbol based operators for better security, read more at http://docs.sequelizejs.com/manual/tutorial/querying.html#operators node_modules/sequelize/lib/sequelize.js:242:13
/home/raiuli/fiware-idm/node_modules/nodemailer/lib/mailer/index.js:31
compile: [(...args) => this._convertDataImages(...args)],
^^^

SyntaxError: Unexpected token ...
at exports.runInThisContext (vm.js:53:16)
at Module._compile (module.js:374:25)
at Object.Module._extensions..js (module.js:417:10)
at Module.load (module.js:344:32)
at Function.Module._load (module.js:301:12)
at Module.require (module.js:354:17)
at require (internal/module.js:12:17)
at Object. (/home/raiuli/fiware-idm/node_modules/nodemailer/lib/nodemailer.js:3:16)
at Module._compile (module.js:410:26)
at Object.Module._extensions..js (module.js:417:10)
at Module.load (module.js:344:32)
at Function.Module._load (module.js:301:12)
at Module.require (module.js:354:17)
at require (internal/module.js:12:17)
at Object. (/home/raiuli/fiware-idm/lib/mailer.js:1:80)
at Module._compile (module.js:410:26)
at Object.Module._extensions..js (module.js:417:10)
at Module.load (module.js:344:32)
at Function.Module._load (module.js:301:12)
at Module.require (module.js:354:17)
at require (internal/module.js:12:17)
at Object. (/home/raiuli/fiware-idm/lib/email.js:1:76)

npm ERR! Linux 4.13.0-36-generic
npm ERR! argv "/usr/bin/nodejs" "/usr/bin/npm" "start"
npm ERR! node v4.2.6
npm ERR! npm v3.5.2
npm ERR! code ELIFECYCLE
npm ERR! [email protected] start: node ./bin/www
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the [email protected] start script 'node ./bin/www'.
npm ERR! Make sure you have the latest version of node.js and npm installed.
npm ERR! If you do, this is most likely a problem with the idm package,
npm ERR! not with npm itself.
npm ERR! Tell the author that this fails on your system:
npm ERR! node ./bin/www
npm ERR! You can get information on how to open an issue for this project with:
npm ERR! npm bugs idm
npm ERR! Or if that isn't available, you can get their info via:
npm ERR! npm owner ls idm
npm ERR! There is likely additional logging output above.

npm ERR! Please include the following file with any support request:
npm ERR! /home/raiuli/fiware-idm/npm-debug.log

I configured the proxy to show all the debug messages to see why an user without a role can enter to the application, aparently the proxy only checks the token status.

fiware-pep          | 2018-12-05 15:05:44.283  - INFO: IDM-Client - Token in cache, checking timestamp...
fiware-pep          | 2018-12-05 15:05:44.283  - INFO: IDM-Client - dfd82857865d2f41364cc5be90db008e595733ab
fiware-pep          | 2018-12-05 15:05:44.284  - INFO: IDM-Client - Token in cache expired
fiware-pep          | 2018-12-05 15:05:44.285  - INFO: IDM-Client - Checking token with IDM...
fiware-pep          | 2018-12-05 15:05:44.285  - DEBUG: HTTP-Client - Sending  GET  to: http://172.24.1.11:3000/user?access_token=dfd82857865d2f41364cc5be90db008e595733ab
fiware-pep          | 2018-12-05 15:05:44.285  - DEBUG: HTTP-Client -  Headers:  { 'X-Auth-Token': '9cc7bded-fd2e-4dc7-9b09-a46ca8e2a2ae',
fiware-pep          |   Accept: 'application/json' }
fiware-pep          | 2018-12-05 15:05:44.285  - DEBUG: HTTP-Client -  Body:  undefined

The idm returns the user information...

fiware-idm          | Executing (default): SELECT `OauthAccessToken`.`access_token`, `OauthAccessToken`.`access_token` AS `accessToken`, `OauthAccessToken`.`expires` AS `accessTokenExpiresAt`, `OauthAccessToken`.`scope`, `OauthAccessToken`.`valid`, `User`.`id` AS `User.id`, `User`.`username` AS `User.username`, `User`.`email` AS `User.email`, `User`.`gravatar` AS `User.gravatar`, `User`.`extra` AS `User.extra`, `User`.`eidas_id` AS `User.eidas_id`, `Iot`.`id` AS `Iot.id`, `OauthClient`.`id` AS `OauthClient.id`, `OauthClient`.`grant_type` AS `OauthClient.grant_type` FROM `oauth_access_token` AS `OauthAccessToken` LEFT OUTER JOIN `user` AS `User` ON `OauthAccessToken`.`user_id` = `User`.`id` LEFT OUTER JOIN `iot` AS `Iot` ON `OauthAccessToken`.`iot_id` = `Iot`.`id` LEFT OUTER JOIN `oauth_client` AS `OauthClient` ON `OauthAccessToken`.`oauth_client_id` = `OauthClient`.`id` WHERE `OauthAccessToken`.`access_token` = 'dfd82857865d2f41364cc5be90db008e595733ab';
fiware-idm          | Executing (default): SELECT `trusted_oauth_client_id` FROM `trusted_application` AS `trusted_application` WHERE `trusted_application`.`oauth_client_id` = NULL;
fiware-idm          | Executing (default): SELECT `User_Organization`.`id`, `User_Organization`.`role`, `User_Organization`.`user_id`, `User_Organization`.`organization_id`, `Organization`.`id` AS `Organization.id` FROM `user_organization` AS `User_Organization` LEFT OUTER JOIN `organization` AS `Organization` ON `User_Organization`.`organization_id` = `Organization`.`id` WHERE `User_Organization`.`user_id` = '8d5340dd-958e-4935-a230-3995f170ecd1';
fiware-idm          | Executing (default): SELECT `Role_Assignment`.`id`, `Role_Assignment`.`role_organization`, `Role_Assignment`.`role_id`, `Role_Assignment`.`user_id`, `Role_Assignment`.`oauth_client_id`, `Role_Assignment`.`organization_id`, `User`.`id` AS `User.id`, `User`.`username` AS `User.username`, `User`.`email` AS `User.email`, `User`.`gravatar` AS `User.gravatar`, `Role`.`id` AS `Role.id`, `Role`.`name` AS `Role.name`, `Organization`.`id` AS `Organization.id`, `Organization`.`name` AS `Organization.name`, `Organization`.`description` AS `Organization.description`, `Organization`.`website` AS `Organization.website` FROM `role_assignment` AS `Role_Assignment` LEFT OUTER JOIN `user` AS `User` ON `Role_Assignment`.`user_id` = `User`.`id` LEFT OUTER JOIN `role` AS `Role` ON `Role_Assignment`.`role_id` = `Role`.`id` LEFT OUTER JOIN `organization` AS `Organization` ON `Role_Assignment`.`organization_id` = `Organization`.`id` WHERE (((`Role_Assignment`.`organization_id` = '5eebac29-331f-43e8-8f59-0c2ee971da79' AND `Role_Assignment`.`role_organization` = 'member')) OR `Role_Assignment`.`user_id` = '8d5340dd-958e-4935-a230-3995f170ecd1') AND `Role_Assignment`.`oauth_client_id` = 'ef7696c0-8782-4bea-8ea6-04c8885e8999' AND `Role_Assignment`.`role_id` NOT IN ('provider', 'purchaser');
fiware-idm          | GET /user?access_token=dfd82857865d2f41364cc5be90db008e595733ab 201 66.954 ms - 362

and redirect only the request.

fiware-pep          | 2018-12-05 15:05:44.356  - DEBUG: IDM-Client - Token created in application:  ef7696c0-8782-4bea-8ea6-04c8885e8999
fiware-pep          | 2018-12-05 15:05:44.356  - DEBUG: IDM-Client - PEP Proxy application:  ef7696c0-8782-4bea-8ea6-04c8885e8999
fiware-pep          | Refused to set unsafe header "cookie"
fiware-pep          | Refused to set unsafe header "accept-encoding"
fiware-pep          | 2018-12-05 15:05:44.356  - DEBUG: IDM-Client - PEP Proxy trusted_apps:  []
fiware-pep          | 2018-12-05 15:05:44.361  - INFO: Root - Access-token OK. Redirecting to app...
fiware-pep          | 2018-12-05 15:05:44.362  - DEBUG: HTTP-Client - Sending  GET  to: http://172.24.1.7:1026/v2/entities
fiware-pep          | 2018-12-05 15:05:44.362  - DEBUG: HTTP-Client -  Headers:  { 'x-auth-token': 'dfd82857865d2f41364cc5be90db008e595733ab',
fiware-pep          |   'fiware-servicepath': '/nodo',
fiware-pep          |   'cache-control': 'no-cache',
fiware-pep          |   'postman-token': 'c07bbff4-f938-4705-bf85-7d0513cd4777',
fiware-pep          |   'user-agent': 'PostmanRuntime/7.4.0',
fiware-pep          |   accept: '*/*',
fiware-pep          |   host: 'localhost:9091',
fiware-pep          |   cookie: 'session=eyJyZWRpciI6Ii8ifQ==; session.sig=TqcHvLKCvDVxuMk5xVfrKEP-GSQ',
fiware-pep          |   'accept-encoding': 'gzip, deflate',
fiware-pep          |   connection: 'keep-alive',
fiware-pep          |   'X-Nick-Name': '8d5340dd-958e-4935-a230-3995f170ecd1',
fiware-pep          |   'X-Display-Name': '',
fiware-pep          |   'X-Roles': '[{"id":"7ebb17af-85bd-4cb3-8673-2327871d1c69","name":"Desarrollador"}]',
fiware-pep          |   'X-Organizations': '[]',
fiware-pep          |   'X-Eidas-Profile': '{}',
fiware-pep          |   'x-forwarded-for': '::ffff:172.24.1.1' }
fiware-pep          | 2018-12-05 15:05:44.362  - DEBUG: HTTP-Client -  Body:  undefined
fiware-pep          | 2018-12-05 15:05:44.376  - DEBUG: HTTP-Client - Response:  200
fiware-pep          | 2018-12-05 15:05:44.376  - DEBUG: HTTP-Client -  Body:  []

Hi,

I'm testing the new version using docker and I've found that requesting an OAuth2 token results in an Internal Server Error (500).

I'm doing the request as follows:

$ curl --silent \
       --verbose \
       --request POST \
       --header 'Content-Type: application/x-www-form-urlencoded' \
       --user 8eeafb60-0329-4783-88b8-70b153d284a4:0fa3bfa4-04f1-4267-9dd5-9cfb4f0e859c \
       http://localhost:4000/oauth2/token \
       --data 'grant_type=password&[email protected]&password=test' | python -m json.tool

The --user parameter builds the Authorization header. This is the response from the server:

*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 4000 (#0)
* Server auth using Basic with user '8eeafb60-0329-4783-88b8-70b153d284a4'
> POST /oauth2/token HTTP/1.1
> Host: localhost:4000
> Authorization: Basic OGVlYWZiNjAtMDMyOS00NzgzLTg4YjgtNzBiMTUzZDI4NGE0OjBmYTNiZmE0LTA0ZjEtNDI2Ny05ZGQ1LTljZmI0ZjBlODU5Yw==
> User-Agent: curl/7.57.0
> Accept: */*
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 63
> 
} [63 bytes data]
* upload completely sent off: 63 out of 63 bytes
< HTTP/1.1 500 Internal Server Error
< Cache-Control: no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0
< Content-Type: application/json; charset=utf-8
< Content-Length: 106
< ETag: W/"6a-btMaO7w+XIrOGdCF5O6UdfVRJaA"
< Set-Cookie: session=eyJyZWRpciI6Ii8ifQ==; path=/; expires=Tue, 10 Apr 2018 11:43:05 GMT; httponly
< Set-Cookie: session.sig=TqcHvLKCvDVxuMk5xVfrKEP-GSQ; path=/; expires=Tue, 10 Apr 2018 11:43:05 GMT; httponly
< Date: Tue, 10 Apr 2018 10:43:05 GMT
< Connection: keep-alive
< 
{ [106 bytes data]
* Connection #0 to host localhost left intact
{
    "code": 500,
    "message": "Missing parameter: `user`",
    "name": "invalid_argument",
    "status": 500,
    "statusCode": 500
}

This same request was working as expected with the previous version of keyrock. When issuing the request, this is what appears on the logs:

Executing (default): SELECT `id`, `redirect_uri`, `scope`, `grant_type` FROM `oauth_client` AS `OauthClient` WHERE `OauthClient`.`id` = '8eeafb60-0329-4783-88b8-70b153d284a4' AND `OauthClient`.`secret` = '0fa3bfa4-04f1-4267-9dd5-9cfb4f0e859c';
Executing (default): SELECT `id`, `username`, `password`, `scope` FROM `user` AS `User` WHERE `User`.`email` = '[email protected]' LIMIT 1;
Executing (default): SELECT `id`, `password` FROM `iot` AS `Iot` WHERE `Iot`.`id` = '[email protected]';
Executing (default): INSERT INTO `oauth_access_token` (`access_token`,`expires`,`oauth_client_id`,`user_id`,`iot_id`) VALUES ('86e8d7317cb31dc09635f32fc8a439ca863ba816','2018-04-10 11:43:05','8eeafb60-0329-4783-88b8-70b153d284a4','cee4882e-a309-4c65-b558-fc83731bffb4',NULL);
Executing (default): INSERT INTO `oauth_refresh_token` (`refresh_token`,`expires`,`oauth_client_id`,`user_id`,`iot_id`) VALUES ('d758c281af2d483ac04187e62392a41ed6166f7f','2018-04-24 10:43:05','8eeafb60-0329-4783-88b8-70b153d284a4','cee4882e-a309-4c65-b558-fc83731bffb4',NULL);
POST /oauth2/token 500 120.464 ms - 106

Also, if I check the database, the token seems to be there. I'm not sure if this is something that has changed and I'm doing it wrong or there is a bug in the code.

Thanks,

Regards.

I have installed fiware-idm keyrock(7.0.1) with docker. I am able to login with admin user. However, while creating new user, user is created, but on receiving confirmation link "I accept" link is not present. "I accept" is given as text and as a result user is not able to confirm. Kindly provide if anything else has to be added after docker installation of keyrock.

These are my docker logs for fiware idm where I can't find anything.

I have installed fiware-idm keyrock with docker. I am able to login with admin user. However, while creating new user, user is created, but on receiving confirmation link "I accept" link is not present. "I accept" is given as text and as a result user is not able to confirm. Kindly provide if anything else has to be added after docker installation of keyrock.

These are my docker logs for fiware idm where I can't find anything.

GET / 200 23.763 ms - 6132
GET /javascripts/jquery-3.2.1.min.js 304 1.796 ms - -
GET /stylesheets/bootstrap-tour.min.css 304 14.430 ms - -
GET /stylesheets/jquery.Jcrop.css 304 14.750 ms - -
GET /stylesheets/bootstrap-select.min.css 304 14.332 ms - -
GET /javascripts/bootstrap.min.js 304 0.481 ms - -
GET /javascripts/jquery.Jcrop.min.js 304 0.470 ms - -
GET /javascripts/jquery.bootpag.min.js 304 0.353 ms - -
GET /javascripts/bootstrap-select.min.js 304 1.490 ms - -
GET /javascripts/bootstrap-tour.min.js 304 1.412 ms - -
GET /javascripts/handle_csrf_token.js 304 1.477 ms - -
GET /javascripts/tour.js 304 1.573 ms - -
GET /javascripts/others/see_password.js 304 0.396 ms - -
GET /stylesheets/style.css 200 742.032 ms - -
GET /img/keyrock01.png 304 2.105 ms - -
GET /fonts/neotechstd/neotechstd-regular.woff 304 2.105 ms - -
GET /fonts/font-awesome/fa-solid-900.woff2 304 1.105 ms - -
GET /confirmation/ 200 6.843 ms - 3859
GET /javascripts/jquery-3.2.1.min.js 304 0.378 ms - -
GET /stylesheets/jquery.Jcrop.css 304 0.531 ms - -
GET /stylesheets/bootstrap-tour.min.css 304 0.486 ms - -
GET /stylesheets/bootstrap-select.min.css 304 3.070 ms - -
GET /javascripts/jquery.bootpag.min.js 304 2.317 ms - -
GET /javascripts/jquery.Jcrop.min.js 304 3.049 ms - -
GET /javascripts/bootstrap.min.js 304 3.143 ms - -
GET /javascripts/bootstrap-select.min.js 304 0.360 ms - -
GET /javascripts/bootstrap-tour.min.js 304 1.119 ms - -
GET /javascripts/handle_csrf_token.js 304 1.020 ms - -
GET /javascripts/tour.js 304 1.017 ms - -
GET /stylesheets/style.css 200 8.628 ms - 435232
GET /img/keyrock01.png 304 0.384 ms - -
GET /fonts/neotechstd/neotechstd-regular.woff 304 0.462 ms - -
Executing (default): SELECT id, username, description, website, image, gravatar, email, salt, password, date_password, enabled, admin, starters_tour_ended, eidas_id, extra, scope FROM user AS User WHERE User.email = '[email protected]' LIMIT 1;
Executing (default): UPDATE user_registration_profile SET activation_key='z14selz8lef',activation_expires='2018-12-18 18:00:10' WHERE user_email = '[email protected]'
POST /confirmation 302 81.498 ms - 66
GET /auth/login 200 6.714 ms - 6400
GET /javascripts/jquery-3.2.1.min.js 304 0.964 ms - -
GET /stylesheets/jquery.Jcrop.css 304 0.452 ms - -
GET /stylesheets/bootstrap-tour.min.css 304 0.773 ms - -
GET /stylesheets/style.css 304 2.765 ms - -
GET /stylesheets/bootstrap-select.min.css 304 0.401 ms - -
GET /javascripts/bootstrap.min.js 304 0.695 ms - -
GET /javascripts/jquery.Jcrop.min.js 304 0.728 ms - -
GET /javascripts/jquery.bootpag.min.js 304 0.636 ms - -
GET /javascripts/bootstrap-select.min.js 304 0.614 ms - -
GET /javascripts/bootstrap-tour.min.js 304 0.333 ms - -
GET /javascripts/handle_csrf_token.js 304 0.378 ms - -
GET /javascripts/tour.js 304 0.347 ms -

As you may know, it's not simple to build XACML policies using a simple text editor...
But for the moment this is the only way, because Keyrock only offer a text field to register an XACML policy in XML.
My question is : Is there an item in the roadmap of Keyrock to include an interface allowing to create interactively XACML policies like propose Balana from WSO2 ?

1. Create a user - username + password
2. Log in to the Keyrock website - username + password log in succeeds.
3. log in via OAuth2 Authcode - login succeeds.
4. Attempt to log in via OAuth2 Username + Password login fails

Cause

The verifyPassword() prototype is as shown:

User.prototype.verifyPassword = function(password) 

It is called with and additional parameter rather than just password

if (user.verifyPassword(user.salt, password)) 

On the Keyrock ReadtheDocs project, only version 7.0.0 of the versioned documentation is displayed

• Goto https://readthedocs.org/projects/fiware-idm/versions/
• Ensure that active checkmark is ticked against relevant release tags

i'm trying to dockerize the new version of keyrock in a project in progress . I have all components in a docker compose file but the file suggested here, presents this error:

Unable to connect to the database:  { SequelizeConnectionError: Host '172.18.1.6' is not allowed to connect to this MySQL server

I have been working on my own instance of Keyrock IDM and learning a lot about how to integrate my API with it.

I am having difficulty determining how to "log out" a user. If my application is run by a single user per browser it works fine but if one user logs out and another tries to log in before the last user's token has expired, they just get redirected as the user previously logged in.

Our plan is to allow web (remote) access to our API but also have terminals at our facility for users to use to access their account. We would need a properly functioning "log out" mechanism.

Is there a way to invalidate a token? Is there a way to log out a user? All I have tried gives me a "invalid csrf token" error message. Is there a way to acquire a valid CSRF token for my logout link to work properly?

Thank you in advance.

I'm trying to deploy IDM in a docker image and using directly the repository, in HTTP mode but the interface doesn't work, login with the admin user is impossible and the requests are not allowed or doesn't have access to the Mysql resources, generating an infine login loop.

Running it, in the HTTPS mode, i can access and create all, even using the keyrock API using simple HTTP request (like create users, etc... ),

but the problem appears with the Oauth requests specifically the token request, these require SSL certificates, resulting in a dificult development on a standards microcontrollers...
this is my request:

POST /oauth2/token HTTP/1.1
Host: idm-portal
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=password&[email protected]&password=1234

the terminal shows: POST /oauth2/token 403 0.802 ms - 13

and the answer is: ERROR:root:GET TOKEN ### SSL Required

a few weeks ago, to deploy IDM in HTTPS mode didn't imply that the Oauth requests work with the same protocol, need i to add other element in the config file or add something to disable the HTTPS on the Oauth requests or to get access to the mysql data in the HTTP mode ?

// HTTPS enable
config.https = {
    enabled: true,
    cert_file: 'certs/idm-2018-cert.pem',
    key_file: 'certs/idm-2018-key.pem',
    port: 443
};

Hi guys,
inside docker-compose there is a mistake on line 30:
image: fiware-idm
should be
image: fiware/idm

Thanks

I work in a containerized environment (docker)

First to be able to work locally, I modified and moved the Dockerfile in the root repo's directory, to copy the whole repo content instead of getting it from github, then it's possible to modify and rebuild the image without the need to commit on the github repo !

I've configured postgres instead of mysql, in the configuration file

I had to add pg and pg-hstore npm modules in packages.json:

"pg": "~7.4.1",
"pg-hstore": "~2.3.2", 

=> this was ok

I modified docker-entrypoint.sh for testing postgres => this is OK
the database is created, but the creation of tables fails (issue with
+ ' CHARSET utf8mb4 COLLATE utf8mb4_unicode_ci'
for string or text type fields) after removing all this in files from migrations directory,
I managed to get the tables created !
Then issues appeared for population with files from seeders directory:
the type UUID used for id must respect a particular syntax (https://www.postgresql.org/docs/current/static/datatype-uuid.html) that is checked by postgres, but the content of population files (201802190000-FillUserTable.js) use some simple strings like "admin", which is not a true UUID, then postgres don't accept to insert the data !

I didn't test with mysql, but I suppose that it work with such UUIDs, or because mysql auto-generate UUID from string, but with postgres it causes an issue.

I will try by activating the UUID generator in postgres to see if the problem remains.

But the CHARSET remains an issue.
copy to @Grenouille06

Is there a way to configure fiware-idm to allow only admin users to register new organizations and new applications?
I am trying to use fiware-idm as an id manager for an organization that has 5-6k employees, a dozen departments and several applications, and, as I understood from the docs, any user can register new organizations and apps. I am afraid that it can have some security implications.
Or should I create my own idm front-end and manage those cases using the REST API?
Thanks,

Carlos

Hello, I deployed IDM, PEPproxy, Orion and Cygnus using this new version of IDM but I could not deploy Authzforce in this version, nor in the previous version, someone has a guide?

i'm running IDM and PEPproxy using node.js and Orion, Cygnus and Authzfoce in a docker container, but i need an explanation about the policies and roles, and the next step after configure it and enable it in PEP and IDM

this is the error I get

npm install

[email protected] install /Users/joaquindiez/repositories/clarity/fiware-idm/fiware-idm/node_modules/mmmagic
node-gyp rebuild

CC(target) Release/obj.target/libmagic/deps/libmagic/src/apprentice.o
CC(target) Release/obj.target/libmagic/deps/libmagic/src/apptype.o
CC(target) Release/obj.target/libmagic/deps/libmagic/src/ascmagic.o
CC(target) Release/obj.target/libmagic/deps/libmagic/src/cdf.o
CC(target) Release/obj.target/libmagic/deps/libmagic/src/cdf_time.o
../deps/libmagic/src/cdf_time.c:101:12: error: variable has incomplete type 'struct tm'
struct tm tm;
^
../deps/libmagic/src/file.h:619:8: note: forward declaration of 'struct tm'
struct tm *gmtime_r(const time_t *, struct tm *);
^
../deps/libmagic/src/cdf_time.c:137:15: warning: implicit declaration of function 'mktime' is invalid in C99 [-Wimplicit-function-declaration]
ts->tv_sec = mktime(&tm);
^
../deps/libmagic/src/cdf_time.c:171:14: warning: implicit declaration of function 'ctime_r' is invalid in C99 [-Wimplicit-function-declaration]
char *ptr = ctime_r(sec, buf);
^
../deps/libmagic/src/cdf_time.c:171:8: warning: incompatible integer to pointer conversion initializing 'char *' with an expression of type 'int' [-Wint-conversion]
char *ptr = ctime_r(sec, buf);
^ ~~~~~~~~~~~~~~~~~
3 warnings and 1 error generated.
make: *** [Release/obj.target/libmagic/deps/libmagic/src/cdf_time.o] Error 1
gyp ERR! build error
gyp ERR! stack Error: make failed with exit code: 2
gyp ERR! stack at ChildProcess.onExit (/usr/local/lib/node_modules/npm/node_modules/node-gyp/lib/build.js:258:23)
gyp ERR! stack at emitTwo (events.js:126:13)
gyp ERR! stack at ChildProcess.emit (events.js:214:7)
gyp ERR! stack at Process.ChildProcess._handle.onexit (internal/child_process.js:198:12)
gyp ERR! System Darwin 17.5.0
gyp ERR! command "/usr/local/bin/node" "/usr/local/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js" "rebuild"
gyp ERR! cwd /Users/joaquindiez/repositories/clarity/fiware-idm/fiware-idm/node_modules/mmmagic
gyp ERR! node -v v8.11.1
gyp ERR! node-gyp -v v3.6.2
gyp ERR! not ok
npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! [email protected] install: node-gyp rebuild
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the [email protected] install script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.

npm ERR! A complete log of this run can be found in:
npm ERR! /Users/joaquindiez/.npm/_logs/2018-05-05T08_20_00_575Z-debug.log
J10:fiware-idm joaquindiez$

Don't you think you should not allow creating organizations, with the same name?

the name is also a Unique Key in the system, and Having several Organizations with the same name could provoke confusion

Based on the reformulated definition of stale PRs, there are outstanding PRs over 3 months old which do not include a comment as to why they have not been merged or rejected.

Please update or close the PRs and close this issue once completed.

• MUST requirement from TSC.

Hello,

I have issues when i want to create permission in fiware-idm that will accept variables, i am using fiware-idm version 6.2 (latest version wont connect to atuhzforce).

Example permission v2/entities/{entityId} is there some syntax i could use to specify that entityId is variable and it is not set value.

Or any other example similar to this will result in not authorized, and will stop me from reaching orion service.

I open issue here but this could be maybe due to pep-proxy and way how it reads URL etc. If that is case i will reopen it in pep repository. Any suggestion would help thanks.

Related to FIWARE/tutorials.Roles-Permissions#6

If I attempt to create an application without a token_type in the payload, the application returns a 500 error (Internal Error). The error that appears in the logs is:

TypeError: Cannot read property 'includes' of undefined

The cause is here

 application.jwt_secret = req.body.application.token_types.includes('jwt')

Which assumes that token_types is present in the body. Since it wasn't required prior to 7.5.1 there is a high likelihood that any system that is upgrading will lack the new atribute.

There is another associated error if token_types is passed as an object {}. Line 383 assumes does have a null check, but assumes that the entry passed must be an array without checking:

 !body.application.token_types.every(r =>
          ['jwt', 'permanent'].includes(r)
        )

This also results in a 500 error

I just upgraded my IdM instance to the latest (v7.0.2) docker container. There seems to be a few issues that I am working out. One particularly notable described below.

If I am not mistaken, it would appear that the controller/api/user.js file is not saving the salt generated for the users' password in POST createUser fn(). When I use the API to create a user, the salt is returned in the success JSON data but it never gets stored in the user table in DB.

I did my best to track down the trouble area here:

I assume this is a simple oversight and easily fixed by someone in the know. I just wanted to mention this as I am not a node programmer (yet) and don't really want to learn a bunch of new stuff to try to make a pull request.

Any response is welcome. Cheers.

After sign-up process, I'd like that an user could login in my application without "manually" authorising it by myself, assigning some role to it (I want users to be able to log in without any role assigned by default).

However right now (using latest docker v7 image), an user sign-up, then try to login in my app: first the IDM asks if the user authorise to share its user information, then returns a 500 status when asking for user information from the application. Below is the complete log generated in the IDM side.

As far as I understand, the application should be able to get the user information from the IDM, after the user has authorised it, but still does not have any roles assigned to it. That was the behaviour in the previous version of the IDM. Is this a bug? How can I resolve it?

[sass]  skip: /oauth2/authorize nothing to do
Executing (default): SELECT `id`, `name`, `description`, `image`, `response_type`, `redirect_uri` FROM `oauth_client` AS `OauthClient` WHERE `OauthClient`.`id` = '390f1cbf-0582-4d65-aa93-531c3aed9a3f';
Executing (default): SELECT `User_Authorized_Application`.`id`, `User_Authorized_Application`.`user_id`, `User_Authorized_Application`.`oauth_client_id`, `User`.`id` AS `User.id`, `User`.`username` AS `User.username`, `User`.`gravatar` AS `User.gravatar`, `User`.`image` AS `User.image` FROM `user_authorized_application` AS `User_Authorized_Application` LEFT OUTER JOIN `user` AS `User` ON `User_Authorized_Application`.`user_id` = `User`.`id` WHERE `User_Authorized_Application`.`user_id` = '21b177ff-a8a6-480b-881c-df26f411b7f1' AND `User_Authorized_Application`.`oauth_client_id` = '390f1cbf-0582-4d65-aa93-531c3aed9a3f' LIMIT 1;
Executing (default): SELECT `id`, `redirect_uri`, `scope`, `grant_type` FROM `oauth_client` AS `OauthClient` WHERE `OauthClient`.`id` = '390f1cbf-0582-4d65-aa93-531c3aed9a3f';
Executing (default): INSERT INTO `oauth_authorization_code` (`authorization_code`,`expires`,`redirect_uri`,`oauth_client_id`,`user_id`) VALUES ('f5a94f6d020fb9e7217121845a4c17ecb2786d3a','2018-05-18 18:13:47','http://localhost:8000/oauth/complete/fiware/','390f1cbf-0582-4d65-aa93-531c3aed9a3f','21b177ff-a8a6-480b-881c-df26f411b7f1');
GET /oauth2/authorize?client_id=390f1cbf-0582-4d65-aa93-531c3aed9a3f&redirect_uri=http://localhost:8000/oauth/complete/fiware/&state=xnhfFPsMYMlA274yH8PXtCIBI91rNrpv&response_type=code 302 185.409 ms - 310
Executing (default): SELECT `id`, `redirect_uri`, `scope`, `grant_type` FROM `oauth_client` AS `OauthClient` WHERE `OauthClient`.`id` = '390f1cbf-0582-4d65-aa93-531c3aed9a3f' AND `OauthClient`.`secret` = '9f2c4bde-4e3f-4f7d-8210-88a14802b9ae';
Executing (default): SELECT `OauthAuthorizationCode`.`authorization_code`, `OauthAuthorizationCode`.`oauth_client_id`, `OauthAuthorizationCode`.`expires`, `OauthAuthorizationCode`.`user_id`, `OauthAuthorizationCode`.`scope`, `User`.`id` AS `User.id`, `User`.`username` AS `User.username`, `User`.`description` AS `User.description`, `User`.`website` AS `User.website`, `User`.`image` AS `User.image`, `User`.`gravatar` AS `User.gravatar`, `User`.`email` AS `User.email`, `User`.`password` AS `User.password`, `User`.`date_password` AS `User.date_password`, `User`.`enabled` AS `User.enabled`, `User`.`admin` AS `User.admin`, `User`.`starters_tour_ended` AS `User.starters_tour_ended`, `User`.`extra` AS `User.extra`, `User`.`scope` AS `User.scope`, `OauthClient`.`id` AS `OauthClient.id`, `OauthClient`.`name` AS `OauthClient.name`, `OauthClient`.`description` AS `OauthClient.description`, `OauthClient`.`secret` AS `OauthClient.secret`, `OauthClient`.`url` AS `OauthClient.url`, `OauthClient`.`redirect_uri` AS `OauthClient.redirect_uri`, `OauthClient`.`image` AS `OauthClient.image`, `OauthClient`.`grant_type` AS `OauthClient.grant_type`, `OauthClient`.`response_type` AS `OauthClient.response_type`, `OauthClient`.`client_type` AS `OauthClient.client_type`, `OauthClient`.`scope` AS `OauthClient.scope`, `OauthClient`.`extra` AS `OauthClient.extra` FROM `oauth_authorization_code` AS `OauthAuthorizationCode` LEFT OUTER JOIN `user` AS `User` ON `OauthAuthorizationCode`.`user_id` = `User`.`id` LEFT OUTER JOIN `oauth_client` AS `OauthClient` ON `OauthAuthorizationCode`.`oauth_client_id` = `OauthClient`.`id` WHERE `OauthAuthorizationCode`.`authorization_code` = 'f5a94f6d020fb9e7217121845a4c17ecb2786d3a';
Executing (default): SELECT `authorization_code`, `expires`, `redirect_uri`, `scope`, `valid`, `extra`, `oauth_client_id`, `user_id` FROM `oauth_authorization_code` AS `OauthAuthorizationCode` WHERE `OauthAuthorizationCode`.`authorization_code` = 'f5a94f6d020fb9e7217121845a4c17ecb2786d3a';
Executing (default): INSERT INTO `oauth_access_token` (`access_token`,`expires`,`scope`,`oauth_client_id`,`user_id`,`iot_id`) VALUES ('ee0f28ddec4f1de9ae6b038a91e6a03d77ac0125','2018-05-18 19:08:47',NULL,'390f1cbf-0582-4d65-aa93-531c3aed9a3f','21b177ff-a8a6-480b-881c-df26f411b7f1',NULL);
Executing (default): INSERT INTO `oauth_refresh_token` (`refresh_token`,`expires`,`scope`,`oauth_client_id`,`user_id`,`iot_id`) VALUES ('5ff52e14888b0bb9beda2a06cc2a68169143f447','2018-06-01 18:08:47',NULL,'390f1cbf-0582-4d65-aa93-531c3aed9a3f','21b177ff-a8a6-480b-881c-df26f411b7f1',NULL);
POST /oauth2/token 200 113.385 ms - 158
[sass]  skip: /user nothing to do
Executing (default): SELECT `OauthAccessToken`.`access_token`, `OauthAccessToken`.`access_token` AS `accessToken`, `OauthAccessToken`.`expires` AS `accessTokenExpiresAt`, `OauthAccessToken`.`scope`, `User`.`id` AS `User.id`, `User`.`username` AS `User.username`, `User`.`email` AS `User.email`, `Iot`.`id` AS `Iot.id`, `OauthClient`.`id` AS `OauthClient.id`, `OauthClient`.`grant_type` AS `OauthClient.grant_type` FROM `oauth_access_token` AS `OauthAccessToken` LEFT OUTER JOIN `user` AS `User` ON `OauthAccessToken`.`user_id` = `User`.`id` LEFT OUTER JOIN `iot` AS `Iot` ON `OauthAccessToken`.`iot_id` = `Iot`.`id` LEFT OUTER JOIN `oauth_client` AS `OauthClient` ON `OauthAccessToken`.`oauth_client_id` = `OauthClient`.`id` WHERE `OauthAccessToken`.`access_token` = 'ee0f28ddec4f1de9ae6b038a91e6a03d77ac0125';
Executing (default): SELECT `User_Organization`.`id`, `User_Organization`.`role`, `User_Organization`.`user_id`, `User_Organization`.`organization_id`, `Organization`.`id` AS `Organization.id` FROM `user_organization` AS `User_Organization` LEFT OUTER JOIN `organization` AS `Organization` ON `User_Organization`.`organization_id` = `Organization`.`id` WHERE `User_Organization`.`user_id` = '21b177ff-a8a6-480b-881c-df26f411b7f1';
Executing (default): SELECT `az_domain`, `policy`, `version`, `oauth_client_id` FROM `authzforce` AS `Authzforce` WHERE `Authzforce`.`oauth_client_id` = '390f1cbf-0582-4d65-aa93-531c3aed9a3f' LIMIT 1;
Executing (default): SELECT `Role_Assignment`.`id`, `Role_Assignment`.`role_organization`, `Role_Assignment`.`role_id`, `Role_Assignment`.`user_id`, `Role_Assignment`.`oauth_client_id`, `Role_Assignment`.`organization_id`, `User`.`id` AS `User.id`, `User`.`username` AS `User.username`, `User`.`email` AS `User.email`, `User`.`gravatar` AS `User.gravatar`, `Role`.`id` AS `Role.id`, `Role`.`name` AS `Role.name`, `Organization`.`id` AS `Organization.id`, `Organization`.`name` AS `Organization.name`, `Organization`.`description` AS `Organization.description`, `Organization`.`website` AS `Organization.website` FROM `role_assignment` AS `Role_Assignment` LEFT OUTER JOIN `user` AS `User` ON `Role_Assignment`.`user_id` = `User`.`id` LEFT OUTER JOIN `role` AS `Role` ON `Role_Assignment`.`role_id` = `Role`.`id` LEFT OUTER JOIN `organization` AS `Organization` ON `Role_Assignment`.`organization_id` = `Organization`.`id` WHERE (0 = 1 OR `Role_Assignment`.`user_id` = '21b177ff-a8a6-480b-881c-df26f411b7f1') AND `Role_Assignment`.`oauth_client_id` = '390f1cbf-0582-4d65-aa93-531c3aed9a3f';
GET /user?access_token=ee0f28ddec4f1de9ae6b038a91e6a03d77ac0125 500 49.905 ms - 80

I´m trying to access the KeyrRock Api like in the url : https://keyrock.docs.apiary.io/#reference/keyrock-api/authentication/create-token-with-password-method.

For example to create a token with user and password, POST https://keyrock/v1/auth/tokens

The problem is than when a try to do a request post in a web browser to the API the browser automatically do an OPTIONS requets first, and the KeyRock can manage the OPTIONS requests because only allows POST,GET,HEAD,DELETE method.

How can I configure the fiware-idm proyect to solve this?
(I think that the problem can be for the CORS configuration)

A test suite is currently missing from the public codebase for this GE, and the tests should be run on CI. The standard testing framework is failing because no tests are present.

Related: PR #69

• Running tests on CI is a TSC SHOULD requirement

I have been working on discovering what I can get from the API in Keyrock. I have not had much luck.

It would appear that the API is using the wrong table to look up access tokens. The queries in the logfile show the use of the auth_token table for the token owner. It does seem that the actual access token data is, instead being stored in the oauth_access_token table.

Here is the query I am getting (in the log) for any v1 or v3 API endpoint (truncated for brevity):
Executing (default): SELECT AuthToken.access_token, AuthToken.expires, AuthToken.valid, AuthToken.user_id, AuthToken......
FROM auth_token AS AuthToken <<<------ should be oauth_access_token table?
LEFT OUT..... WHERE AuthToken.access_token = '5478.....ade';
GET /v1/users 404 3.952 ms - 70

I traced the relevant call to here:

I don't have a full development environment set up for this yet so I am unable to try to fix this on my own. I am currently running the IdM with a docker image.

Any ideas? Am I right that this is not the desired behaviour?

Yes I know the exisiting version numbers currently align, but could you please add an additional tags to indicate which version aligns with which FIWARE release- you can see a similar examples here:

IoT Agent JSON

• c70341d - FIWARE 7.5.1
• f799f10 - FIWARE_7.5
• 36ba12a - FIWARE_7.4

When I make a request to Wilma PEP Proxy Server using curl command curl -H "X-Auth-Token:afef5e33630a4e2b5fabfc61d707a4ed521ca497" http://localhost

Localhost is my sample App on IdM.

My config.js on Wilma is as follows:
var config = {};

// Used only if https is disabled
config.pep_port = 80;

// Set this var to undefined if you don't want the server to listen on HTTPS
config.https = {
enabled: false,
cert_file: 'cert/cert.crt',
key_file: 'cert/key.key',
port: 443
};

config.account_host = '172.30.66.40';

config.keystone_host = 'http://172.30.66.40';
config.keystone_port = 3000;

config.idm = {
host: '172.30.66.34',
port: 3000,
ssl: false
}

config.app_host = 'www.google.com';
config.app_port = 80;
// Use true if the app server listens in https
config.app_ssl = false;

// Credentials obtained when registering PEP Proxy in Account Portal
config.app_id = '46e9c3d3-5278-4b50-8cc9-109b74429961';
config.username = 'pep_proxy_d390109f-d310-4858-98c9-8b8535b24d80';
config.password = 'pep_proxy_ad3f3197-4bcd-443c-9ef8-7529937e2059';

// in seconds
config.cache_time = 300;

// if enabled PEP checks permissions with AuthZForce GE.
// only compatible with oauth2 tokens engine
//
// you can use custom policy checks by including programatic scripts
// in policies folder. An script template is included there
config.azf = {
enabled: false,
protocol: 'http',
host: '172.30.66.34',
port: 8080,
custom_policy: undefined // use undefined to default policy checks (HTTP verb + path).
};

// list of paths that will not check authentication/authorization
// example: ['/public/*', '/static/css/']
config.public_paths = [];

// options: oauth2/keystone
config.tokens_engine = 'oauth2';

config.magic_key = undefined;

module.exports = config;

I get the following error in logs

Checking token with IDM...
2018-10-15 11:14:36.658 - DEBUG: HTTP-Client - Sending GET to: http://http://172.30.66.40:3000/v3/access-tokens/afef5e33630a4e2b5fabfc61d707a4ed521ca497
2018-10-15 11:14:36.658 - DEBUG: HTTP-Client - Headers: { 'X-Auth-Token': undefined, Accept: 'application/json' }
2018-10-15 11:14:36.658 - DEBUG: HTTP-Client - Body: undefined
2018-10-15 11:14:48.673 - ERROR: Server - Caught exception: SyntaxError: Unexpected token E

When I access the same url inthe browser: https://172.30.66.40/v3/access-tokens/afef5e33630a4e2b5fabfc61d707a4ed521ca497 I get the following response:
{"error":{"message":"Expecting to find X-Auth-token in requests","code":400,"title":"Bad Request"}}

Wilma version 5.4
IdM version 7.0

Can someone tell why is this happening?

i'm trying to change teh mysql port for the Database, but can't find them in a config file, do you know how to change the 3306 port to the 3366?

why to get the access token, the API only searchs into the Iot_agents if these don't have permissions into the application?

me:

Iot_Agent:

when i try to use any authorization method with an user credentials, always the result is 500. ¿which is the purpose to limit these access_tokens to the Iot Agents?

Hi,

The docker images available at Docker hub are still from the old version. Maybe you need to update the configuration on Docker hub or the webhooks for the repository?

Meanwhile I've built the image locally using node:slim as base instead of ubuntu to try to reduce the size of the image (I tried first node:alpine but found some dns related problems when running npm install). Is python needed to run the application or is it only needed to build some of the modules?

Thanks.

Regards.

In order to protect the access from IoT Agents to Orion Context Broker through PEP Proxy, having the possibility to create never expiring access tokens would be a good solution in order to minimize the delay in the data transport.

Two implementation alternatives are available:

1. Configuring expiration time from the user interface and API. This implies also the need of creating a new endpoint to revoke never expiring access tokens.
2. To introduce a scope that when it is used, the token is generated with never expiration policy.

in check_create_token_request your are making and strict validation header content-type to be equals

to application/json, but this is not correct as the http Standard allows to send this header as follows

Content-Type:application/json; charset=utf-8

so you validation is generating an error
Missing parameter: header Content-Type: application/json'

when the header is correctly sended

Hi @apozohue10!

Sorry for misusing github's issues. I'd just like to know whether there's anyone of you at the FIWAREGlobalSummit in Malaga?

When using the API to create roles and permissions, even though authzforce is enabled keyrock does not submit the policies to it. I need to use the web UI to force keyrock to submit the policies (and create the domain if it doesn't exists yet).

Thanks,

Regards.

Admin docs are very weak about how email server should be configured to send mails for example in sign up process.

    config.mail = {
        host: 'idm_host',
        port: 25,
        from: 'noreply@host'
    }

Is the host the smtp server?
What if my smtp serve uses authentication to send mails?

Using the Docker image: fiware/idm:7.5.1, we are trying to apply what it is explained in https://fiware-idm.readthedocs.io/en/latest/oauth/sign_out_oauth_service/index.html to log-out from our service but also from Keyrock.

Nevertheless, when we call DELETE auth/external_logout?client_id=<client_id>, we get 404 error.

after installation with Docker, users, organizations and applications image can't be saved, because the directory does not exist
should create the 'users', 'organizations' and 'applications' directories directly in the repository (public/img/), but are referenced in .gitignore file,
or to add in the Dockerfile

I am using the last version of the IdM - Keyrock (latest, v7.0.0). When I try to register an user based on yahoo email, the confirmation email is never received in yahoo. Additionally, if I check the functionality in gmail and outlook servers, the confirmation email is received but marked as SPAM mail.

Please click the edit button at the head of the repo and amend the description link and topics as shown (or similar):

Description:

OAuth2-based authentication of users and devices, user profile management, Single Sign-On (SSO) and Identity Federation across multiple administration domains.

Link

https://fiware-idm.readthedocs.io/en/latest/

Topics

fiware, identity-management, access-control

• SHOULD requirement from the TSC.

When I try to enable permanent tokens in the UI of KeyRock I get:

I have also checked if it is possible to get the OAuth2 token from the API, and the result is: "Invalid scope: Requested scope is invalid"

Email confirmation link doesn't exist, it's a plain text.