
User toker not authorized #9

Closed
j99ht opened this issue Sep 10, 2015 · 5 comments

@j99ht

j99ht commented Sep 10, 2015

Hi,

I have deployed Wilma and the IdM on two different servers.

Following the documentation, my application asked the IdM for a code, which is then used to get the token for PEP Proxy access. Please see below:

[Thu Sep 10 15:52:14 2015] [error] DEBUG:idm_logger:API_KEYSTONE: POST to http://127.0.0.1:5000/v3/OS-OAUTH2/access_token with body redirect_uri=http://www.google.com&grant_type=authorization_code&code=ohcIKEnZ3ZnjhpQzZqz1h8Phzff76B and headers {'Content-Type': 'application/x-www-form-urlencoded', 'Authorization': 'Basic ZTkwNjJiNGFlNTNlNDY2YmEwOGEwZGRmZDk2NGJkYzc6ZTEwNzkyMDMyODMxNDk0NGFhZGZlZTI5ZTNjYjFiNGU='}

curl -X POST -v http://127.0.0.1/oauth2/token \
-u "e9062b4ae53e466ba08a0ddfd964bdc7:e107920328314944aadfee29e3cb1b4e" \
-d "redirect_uri=http://www.google.com" \
-d "grant_type=authorization_code" \
-d "code=ohcIKEnZ3ZnjhpQzZqz1h8Phzff76B"

* Closing connection #0
{"access_token": "0xDy1ebB13V1VNJ35boJkBdjxwrmgE", "expires_in": 3600, "token_type": "Bearer", "state": "xyz", "scope": "all_info", "refresh_token": "d0tmVk5TJXeNiZuI996ipwQWKqfocl"}

And this token is used to access the PEP Proxy:
curl --header "X-Auth-Token: d0tmVk5TJXeNiZuI996ipwQWKqfocl" http://localhost

But the answer is:
[TOKEN] Checking token with IDM...
User access-token not authorized

This is my config.js:

config.account_host = 'http://192.168.90.20';

config.keystone_host = '192.168.90.20';
config.keystone_port = 5000;

config.app_host = '92.222.171.203';
config.app_port = '80';

config.username = 'pepproxy';
config.password = 'pepproxy';
config.check_permissions = false;

// options: oauth2/keystone
config.tokens_engine = 'oauth2';

Do you have any idea about what could be wrong?

@garcianavalon

Hi,

Check that the 'pepproxy' user exists in Keystone. If I recall correctly, the default installation won't create any user for the PEP Proxy to use, you have to create one yourself.

If you are using the last version of the IdM, I added an option in the application detail page to automatically register a PEP Proxy for your application. You can find it right over the OAuth2.0 Credentials panel.

Let me know if this solves the issue.
Cheers,
Enrique

@j99ht

j99ht commented Sep 11, 2015

Hi Enrique,

pepproxy exists in Keystone, see below:

| pepproxy | pepproxy | {"username": "pepproxy", "description": "pepproxy", "email": "pepproxy@yahoo.com"} | $6$rounds=40000$uH4kerx8dq5Mar6G$FxjngArx2Fgj5eRJI.FJcqcdqPio8dtC7M8FM5oU1x/e1BB/pZSKEaOW3Y0NArruRnhVVSIS8WXdrC6G4.oSi/ | 1 | default | 529e3c7b3e364f8c8c59d331a8a75b58 |

And in the IdM this appears as a PEP Proxy; should I remove it? I guess this is a default PEP.

[screenshot from 2015-09-11 04 36 04]

Thanks

@garcianavalon

I guess you can use either of the two pepproxy users. I would use the one created in the application page, as that is the new intended behaviour, but that's up to you.

Can you successfully authenticate against Keystone with the configured PEP Proxy user? It looks like this is working fine, but just to be sure.

Another possible mistake is that you might be using a Keystone token when you have the 'oauth2' token engine configured. Make sure the token you are using to authenticate your call against the PEP Proxy is the OAuth2.0 token provided ("access_token": "0xDy1ebB13V1VNJ35boJkBdjxwrmgE"). It can be tricky to work with the two types of tokens and it is easy to mix them up.

As a side note, be careful not to accidentally reveal your OAuth2.0 secret! As you are running in localhost I don't think there is any problem but be careful ;)

Cheers,
Enrique

@j99ht

j99ht commented Sep 11, 2015

Thanks Enrique. I think I see what the mistake is. I was using refresh_token, not access_token.

By the way, what is the purpose of refresh_token?

Thanks for your help

@garcianavalon

The refresh token is a long-lasting credential that allows you to obtain a new access token once the first one has expired, without needing to go through the whole OAuth2.0 flow again. It has a validity of around 2 weeks, and once it is used to obtain a new access token it is invalidated. You should keep it secret ;)

I'm glad it's working, I'll close the issue then.
Best regards,
Enrique
