InvalidAuthenticationToken while trying to access Orion-LD #155

@emiliocimino

Dear all,

I would like to understand what is not working in the overall system I set up. The idea is just to protect Orion-LD with a PEP proxy, without the use of specific portals and apps. I will provide a series of screenshots, from the docker-compose configuration to all logs.

Let me premise that the idea of the configuration is to provide the minimum set of components necessary to allow users to GET/PATCH some of the Orion resources, such as "entities" and "subscriptions", based on a role assigned to a user. To achieve this, I made a docker-compose with Orion, Keyrock and Wilma.

  • The first doubt starts here: do I need level 2 (basic authorization) or level 3 (ABAC authorization) to achieve this? Because it seems quite confusing. From what I understood, to achieve User + HTTP verb + resource access a basic authorization is sufficient; however, from other tutorials it seems I need to set up ABAC.

To cut through the bull, I added AuthZForce to the docker-compose. The configuration is the following one:

[screenshots: docker-compose configuration (4 images)]

All components set up correctly, so I am sure they started correctly.
The first thing I did is open the Keyrock GUI and create a user, an application, a role and two permissions:

[screenshot: application]

with authorized users:

[screenshot: authorized users]

with role:

[screenshot: role]

and permissions:

[screenshots: permissions (2 images)]
Once set up everything, I noticed that AuthZForce created successfully its policy in a folder.

Then I opened postman, trying to follow different routes for accessing orion. I premise that I'm now showing the administrator user, however the same problem happened with the newly-created user.
The basic flow:

[screenshots: basic flow requests (3 images)]

Not working; however, with this token I am able to query Keyrock APIs (i.e. obtaining information) about the PEP proxy of the app, roles, permissions, etc.:

[screenshot: Keyrock API query]

OAuth2 flow:

[screenshots: OAuth2 flow requests (2 images)]

Not working, not even for searching PEP proxy info:

[screenshot: PEP proxy info request]

Then, the following screenshots are about docker logs:

  • Keyrock: creation of an OAuth2 token + test access resource
    [screenshot: Keyrock log]
  • Wilma: authorizing user
    [screenshot: Wilma log]
  • AuthZForce: doing nothing after starting
    [screenshot: AuthZForce log]

From what I understood, the PEP proxy is not working properly, for some reason. Any clue? I hope I described the problem well; if you think this should be an issue for other repositories, please feel free to move it.
Thanks everyone.
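As an added example (not code from the issue author or from the FIWARE projects), the script below carries out the exchange the post describes: obtain an OAuth2 access token from Keyrock with the resource-owner password grant on `/oauth2/token` (HTTP Basic credentials are the application's client id and secret), then send a request to Orion-LD through Wilma with that token in the `X-Auth-Token` header. The host ports, client id, client secret and user credentials are placeholders; replace them with the values from your docker-compose and from the application page in Keyrock. Keeping the request builders separate from the network calls lets you inspect exactly which headers reach the PEP proxy, which is the first thing to compare against the Wilma log when it answers with an invalid-token error.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumed endpoints and credentials (hypothetical; adjust to your docker-compose).
KEYROCK_URL = "http://localhost:3005"      # Keyrock IdM
PEP_PROXY_URL = "http://localhost:1027"    # Wilma, in front of Orion-LD
CLIENT_ID = "<application-client-id>"      # from the application page in Keyrock
CLIENT_SECRET = "<application-client-secret>"
USERNAME = "<keyrock-user-email>"          # a user authorized on the application
PASSWORD = "<keyrock-user-password>"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic credential Keyrock expects on /oauth2/token: base64(client_id:client_secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(keyrock_url, client_id, client_secret, username, password):
    """Return (url, headers, body) for the OAuth2 resource-owner password grant."""
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
    }).encode("ascii")
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return keyrock_url.rstrip("/") + "/oauth2/token", headers, body


def build_pep_request(pep_url, path, access_token):
    """Return (url, headers) for a request through Wilma; the access token goes in X-Auth-Token."""
    headers = {
        "X-Auth-Token": access_token,
        "Accept": "application/ld+json",
    }
    return pep_url.rstrip("/") + path, headers


def http(url, headers, body=None, method=None):
    """Minimal HTTP call returning (status, text); non-2xx responses are returned, not raised."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def fetch_access_token(username, password):
    """Step 1: ask Keyrock for an OAuth2 access token on behalf of the user."""
    url, headers, body = build_token_request(
        KEYROCK_URL, CLIENT_ID, CLIENT_SECRET, username, password)
    status, text = http(url, headers, body, "POST")
    if status != 200:
        raise RuntimeError(f"Keyrock refused the token request: {status} {text}")
    return json.loads(text)["access_token"]


def query_entities_through_pep(access_token):
    """Step 2: read one entity from Orion-LD through Wilma using the token from step 1."""
    url, headers = build_pep_request(
        PEP_PROXY_URL, "/ngsi-ld/v1/entities?limit=1", access_token)
    return http(url, headers, method="GET")


if __name__ == "__main__":
    token = fetch_access_token(USERNAME, PASSWORD)
    status, body = query_entities_through_pep(token)
    # 200 means Wilma accepted the token and Orion-LD answered; 401 from Wilma means
    # the token was not an OAuth2 token for this application or has expired.
    print(status, body[:200])
```

Note that a token obtained from Keyrock's own `/v1/auth/tokens` API (returned in the `X-Subject-Token` header) is meant for calling the Keyrock REST API; Wilma validates the access token issued by `/oauth2/token` for the application the PEP proxy is registered under, so the two are not interchangeable.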
