We use proprietary and third party´s cookies to improve your experience and our services, identifying your Internet Browsing preferences on our website; develop analytic activities and display advertising based on your preferences. If you keep browsing, you accept its use. You can get more information on our Cookie Policy
Cookies Policy
Ask Your Question

How to configure Keyrock to access a Restful API behind Wilma Proxy

asked 2016-02-11 11:21:40 +0200

michele gucciardo gravatar image

Hi, I'm developing an authentication/authorization scheme based on 3 Fiware Enablers: Keyrock IdM (v5.1.0), Wilma PEP Proxy (v4.4.1), AuthZForce (v4.4.1a). I'm using this scheme to protect another Fiware Enabler: POI Data Provider.

I configured the components in order to allow a client to access a resource on the POI Data provider, sending a Restful http request to PEP Proxy that: verify the client's token; check his authorization to access the resource against AuthZForce and redirects the client to the resource if AuthZForce permit it.

For example, if I want to access myResource on myMachine I have to send the following requst to myProxyMachine:

curl -H "X-Auth-Token: mytoken" -X GET "http://myProxyMachine:80/myResource"

It works fine as PEP Proxy redirects me to myResource on myMachine.

But if I want to do a Restful request, with multiple parameters, for example:

curl -H "X-Auth-Token: mytoken" -X GET "http://myProxyMachine:80/myResource?param1=1&param2=2"

It doesn't work as AuthZForce deny the access to the resource.

I think this is caused by Keyrock, because I created a permission for the client to do a GET on myResource, but this is not enough, because the URL of the request have other parameters and doesn't match with the rule. As the client can do multiple different requests, based on the parameters I just can't create multiple permissions on Keyrock.

So, can anyone suggest how to create a permission on Keyrock to allow a client to GET myResource not regarding the other parameters? I didn't find how to achieve this in the documentation.

Thanks in advance, Michele.

edit retag flag offensive close merge delete

1 answer

Sort by » oldest newest most voted

answered 2016-02-12 03:21:10 +0200

aalonsog gravatar image

Hi Michele,

many thanks for the report. It seems there is a problem in how PEP checks the requests. It should check only the resource and not the parameters. In your case it should check if the user has access to myResource, independently of the parameters. I will fix it ASAP.


edit flag offensive delete link more


Hi Alvaro, thanks for fast reply. There is another issue about PEP. When PEP receives the json response from AuthZForce, it looks for a key "Response" but it doesn't find it because AuthZforce sends slightly different keys. For example:{ 'ns5:Response':'....'}. ns1,.., ns5 are put before "Response".

michele gucciardo gravatar imagemichele gucciardo ( 2016-02-12 06:27:03 +0200 )edit
Login/Signup to Answer

Question Tools

1 follower


Asked: 2016-02-11 11:21:40 +0200

Seen: 11,065 times

Last updated: Feb 12 '16