Expected behaviour of the "Authorization Service Header" permission option #352
Description
Hey guys,
We're trying to get the PEP Proxy to check the permissions in the IDM and take the Fiware-Service / NGSILD-Tenant header into account.
The Wilma PEP Proxy allows us to set the PEP_PROXY_TENANT_HEADER env, which in turn sets the config.authorization.header config var. This together with Keyrock's permissions, which allows us to set the service header value (added through #157, if I'm correct):
But, unfortunately, it's not working.
When trying to fetch entities through the PEP Proxy, with an Oauth2 access token which has the above-mentioned permission, the access is denied: User access-token not authorized.
If we uncheck the "Use Authorization Service Header" value in the permission, it does work.
Now I've been digging through the code of both the IDM and the PEP Proxy to see what's happening under the hood. So far, I've followed it too:
- The proxy getting the configured header value from the request
- The proxy adding the
&authorization_service_headerquery parameter with the above fetched value to the request, which goes to the IDM - The IDM fetching the
authorization_service_headerquery parameter and passing it into the authenticate methods - The IDM checking the user permission, and when the permission has the
use_authorization_service_headerenabled, checking theauthorization_service_headervalue against theoptions.service_header
I've been using v7.9.2 of both GE's. And, I've tried using the latest v8.4.0 versions of both, which also had interesting results. Instead of the request being denied when the permission has the "Use Authorization Service Header" enabled, it ignores it entirely, and allows any value to be passed. Making it possible to fetch entities from any tenant, regardless of the permissions configured value.
Hoping anyone has some idea of what might be the issue. And, whether the above-mentioned functionality is actually supported, as I haven't found any references in the documentation.
Thanks in advance!
Rob