Expected behaviour of the "Authorization Service Header" permission option

44 Views Asked by Rob At 13 February 2024 at 12:53

We're trying to get the PEP Proxy to check the permissions in the IDM and take the Fiware-Service / NGSILD-Tenant header into account.

The Wilma PEP Proxy allows us to set the PEP_PROXY_TENANT_HEADER env, which in turn sets the config.authorization.header config var. This together with Keyrock's permissions, which allows us to set the service header value (added through #157, if I'm correct):

(for screenshot, see github issue below)

But, unfortunately, it's not working.

When trying to fetch entities through the PEP Proxy, with an Oauth2 access token which has the above-mentioned permission, the access is denied: User access-token not authorized.

If we uncheck the "Use Authorization Service Header" value in the permission, it does work.

Now I've been digging through the code of both the IDM and the PEP Proxy to see what's happening under the hood. So far, I've followed it too:

I've been using v7.9.2 of both GE's. And, I've tried using the latest v8.4.0 versions of both, which also had interesting results. Instead of the request being denied when the permission has the "Use Authorization Service Header" enabled, it ignores it entirely, and allows any value to be passed. Making it possible to fetch entities from any tenant, regardless of the permissions configured value.

Hoping anyone has some idea of what might be the issue. And, whether the above-mentioned functionality is actually supported, as I haven't found any references in the documentation.

Thanks in advance!

Rob

GitHub issue: https://github.com/ging/fiware-idm/issues/352

Original Q&A

Expected behaviour of the "Authorization Service Header" permission option

There are 0 best solutions below

Related Questions in FIWARE

Related Questions in FIWARE-ORION

Related Questions in FIWARE-WILMA

Trending Questions

Popular # Hahtags

Popular Questions