
Fiware KeyRock API bug: Membership of organisations not returned

As part of the FINISH accelerator we are using FIWARE KeyRock and Wirecloud. Currently we are using the Fiware labs global instance to investigate.

We want to restrict our system so that users can only view data that belongs to the organisations of which they are a member.

The following flow seems logical, but correct me if I am wrong:

  1. A user logs into Wirecloud and is directed through a KeyRock login screen.
  2. A Wirecloud Widget gets an access token from the Wirecloud environment. The access token was created when the user logged in.
  3. The Wirecloud widget looks up the organisations and roles that a user is a member of. Based on this it adds organisation names to its query.
  4. The Wirecloud widget queries a webservice (Orion or otherwise) using the query it just created.
  5. We put the Wilma PEP proxy between the Wirecloud Widget and the webservice to validate that the user is a member of the organisations in the query.

PROBLEM: We can query user information from KeyRock using the https://account.lab.fiware.org/user?access_token=XXXXXXXXXXX call. But that does not contain any information about the organisations that the user is a member of according to the KeyRock web interface. The organisations element is an empty array. We get a bunch of roles in the JSON response, but none of them is the "members" role that you assign to users from the "Manage your organization members" screen in KeyRock.

Some digging revealed that the Keystone instance running on Fiware labs contains the information (assuming that a Keystone project = KeyRock organisation). However, the access token provided by KeyRock is somehow not valid on the Keystone API. The API we used was accessible here: http://cloud.lab.fiware.org:4730/v3/. Getting a new access token from the Keystone API is not what we want, because that would be a different access token than Wirecloud has obtained, which would require some kind of proxy to log in again and retrieve the organisation membership. That rather defeats the point of passing an access token.

This seems to be a bug in the KeyRock API on the Fiware labs instance. Or am I missing something here? Or will this problem magically go away if we install KeyRock on our own server?

Thanks for any help, Robin

You have to follow the steps explained here but using the specific organization. Probably you have missed the "Authorize" step.
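
The membership check from step 5 of the question, sketched as an added example that is not part of the original post nor KeyRock or Wilma code. The field names `organizations`, `name` and `roles` are assumptions about the user-info JSON, the sample objects are constructed, and an empty organisations array (the case reported above) is denied rather than treated as unrestricted.

```javascript
// Added example: fail-closed organisation check for a PEP-style proxy.
// Field names (organizations, name, roles) are assumptions about the
// user-info JSON; the sample objects below are constructed.
function membershipIndex(userInfo) {
  // Map organisation name -> Set of role names the user holds there.
  const index = new Map();
  const orgs = Array.isArray(userInfo && userInfo.organizations)
    ? userInfo.organizations : [];
  for (const org of orgs) {
    if (!org || typeof org.name !== 'string') continue;
    const roles = Array.isArray(org.roles) ? org.roles : [];
    index.set(org.name, new Set(roles.map(r => r && r.name).filter(Boolean)));
  }
  return index;
}

function authorizeOrgQuery(userInfo, requestedOrgs, requiredRole) {
  const index = membershipIndex(userInfo);
  // An empty or missing organisation list is rejected, never read as "all".
  if (!Array.isArray(requestedOrgs) || requestedOrgs.length === 0) {
    return { allowed: false, denied: [], reason: 'no organisation in query' };
  }
  const denied = requestedOrgs.filter(name => {
    const roles = index.get(name);
    if (!roles) return true;                       // not a member at all
    return requiredRole ? !roles.has(requiredRole) : false;
  });
  return {
    allowed: denied.length === 0,
    denied,
    reason: denied.length ? 'not a member of: ' + denied.join(', ') : 'ok',
  };
}

// Constructed sample responses (organisation and role ids are made up).
const withOrgs = {
  id: 'robin',
  organizations: [
    { id: 'o1', name: 'farm-a', roles: [{ id: 'r1', name: 'members' }] },
    { id: 'o2', name: 'farm-b', roles: [{ id: 'r2', name: 'owner' }] },
  ],
};
const emptyOrgs = { id: 'robin', organizations: [], roles: [{ name: 'some-role' }] };

console.log(authorizeOrgQuery(withOrgs, ['farm-a'], 'members'));
console.log(authorizeOrgQuery(withOrgs, ['farm-a', 'farm-c']));
console.log(authorizeOrgQuery(emptyOrgs, ['farm-a']));
```

The decision is made from the token's user-info on the server side, so organisation names that the widget puts into the query are never trusted on their own.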
