We use proprietary and third party´s cookies to improve your experience and our services, identifying your Internet Browsing preferences on our website; develop analytic activities and display advertising based on your preferences. If you keep browsing, you accept its use. You can get more information on our Cookie Policy
Cookies Policy
Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

How to configure Keyrock to access a Restful API behind Wilma Proxy

Hi, I'm developing an authentication/authorization scheme based on 3 Fiware Enablers: Keyrock IdM (v5.1.0), Wilma PEP Proxy (v4.4.1), AuthZForce (v4.4.1a). I'm using this scheme to protect another Fiware Enabler: POI Data Provider.

I configured the components in order to allow a client to access a resource on the POI Data provider, sending a Restful http request to PEP Proxy that: verify the client's token; check his authorization to access the resource against AuthZForce and redirects the client to the resource if AuthZForce permit it.

For example, if I want to access myResource on myMachine I have to send the following requst to myProxyMachine:

curl -H "X-Auth-Token: mytoken" -X GET "http://myProxyMachine:80/myResource"

It works fine as PEP Proxy redirects me to myResource on myMachine.

But if I want to do a Restful request, with multiple parameters, for example:

curl -H "X-Auth-Token: mytoken" -X GET "http://myProxyMachine:80/myResource?param1=1&param2=2"

It doesn't work as AuthZForce deny the access to the resource.

I think this is caused by Keyrock, because I created a permission for the client to do a GET on myResource, but this is not enough, because the URL of the request have other parameters and doesn't match with the rule. As the client can do multiple different requests, based on the parameters I just can't create multiple permissions on Keyrock.

So, can anyone suggest how to create a permission on Keyrock to allow a client to GET myResource not regarding the other parameters? I didn't find how to achieve this in the documentation.

Thanks in advance, Michele.