Robin

Reputation: 103

Unable to authenticate users for an app in Fiware Lab KeyRock instance

I have registered two users in Keyrock (the global fiware labs instance at https://account.lab.fiware.org)

Application definition in Keyrock

I can authenticate user "Robin" using a shell script to get an access token. In the shell script I pass in the application's Client ID and Client secret. I also pass in the username and password of user "Robin". The shell script is here (altered copy of this https://raw.githubusercontent.com/Bitergia/fiware-chanchan-docker/master/images/pep-wilma/4.3.0/auth-token.sh ):

#!/bin/bash

if [ $# -lt 2 ] ; then
    echo "auth-token: missing parameters."
    echo "Usage: auth-token <user-email> <password>"
    exit 1
fi

# Retrieve X-Auth-Token to make request against the protected resource

function get_token () {

    if [ $# -lt 2 ] ; then
        echo "get_token: missing parameters."
        echo "Usage: get_token <user-email> <password>"
        exit 1
    fi

    local _user=$1
    local _pass=$2

    # Client ID and client secret of the application (hardcoded here)

    CLIENT_ID="e2c095aa42414e75b9ac4d760f4c625a"
    CLIENT_SECRET="****"

    # Generate the Authentication Header for the request

    AUTH_HEADER="$(echo -n ${CLIENT_ID}:${CLIENT_SECRET} | base64)"

    # Define headers

    CONTENT_TYPE="\"Content-Type: application/x-www-form-urlencoded\""
    AUTH_BASIC="\"Authorization: Basic ${AUTH_HEADER}\""

    # Define data to send

    DATA="'grant_type=password&username=${_user}&password=${_pass}&client_id=${CLIENT_ID}&client_secret=${CLIENT_SECRET}'"

    # Create the request

    REQUEST="curl -s --insecure -i --header ${AUTH_BASIC} --header ${CONTENT_TYPE} -X POST https://account.lab.fiware.org/oauth2/token -d ${DATA}"
    XAUTH_TOKEN="$(eval ${REQUEST})"
    echo "Request: ${REQUEST}"
    echo "X-Auth-Token for '${_user}': ${XAUTH_TOKEN}"

}

get_token "$1" "$2"

However

I cannot get an access token for user "Robin viewer". The message I get from Keyrock is:

{"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}

I assumed authorizing user "Robin viewer" for the Babbler app in the Keyrock user interface would be enough. What am I missing here?

Upvotes: 0

Views: 256

Answers (1)

Robin

Reputation: 103

It seems the /oauth2/token?grant_type=password combination is only meant for resource owners, which is exactly what I am seeing.

So it seems we are limited to requesting an access token with this: /oauth2/authorize?response_type=token&client_id=....&redirect_uri=....

Which forces us through the web login screen of the Horizon Front-End. We are starting the login flow from a smartphone so this is far from ideal because the Horizon screens are NOT responsive at all :(

[Edit]

The error seems to be due to special characters in the email address that were not encoded (we have a plus sign because Gmail ignores anything after the plus, allowing us to create multiple email addresses and still receive them at a real email address: e.g. [email protected] arrives at [email protected]).

So our problem seems to have gone away (or maybe the latest Keyrock update on the global fiware instance solved it for us?). We can now use /oauth2/token?grant_type=password after all.

Upvotes: 0
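
The fix described in the answer's edit, as an added example that is not part of the original posts: in an application/x-www-form-urlencoded body a literal plus sign decodes to a space, so the username has to be percent-encoded before it is sent. The function names, the sample address and the placeholder credentials are assumptions; the request function mirrors the question's script but drops eval and --insecure.

```bash
#!/bin/bash
# Added example (not the asker's script). Credentials below are placeholders.
TOKEN_URL="https://account.lab.fiware.org/oauth2/token"   # endpoint from the question

# Percent-encode every byte outside the RFC 3986 unreserved set.
urlencode() {
    local LC_ALL=C s="$1" out="" c hex i
    for (( i = 0; i < ${#s}; i++ )); do
        c="${s:i:1}"
        case "$c" in
            [a-zA-Z0-9.~_-]) out+="$c" ;;
            *)  printf -v hex '%02X' "'$c"   # numeric value of the byte
                out+="%${hex: -2}" ;;        # keep the low byte only
        esac
    done
    printf '%s' "$out"
}

# Build the form body: args are user, password, client id, client secret.
build_token_body() {
    printf 'grant_type=password&username=%s&password=%s&client_id=%s&client_secret=%s' \
        "$(urlencode "$1")" "$(urlencode "$2")" "$(urlencode "$3")" "$(urlencode "$4")"
}

# Send the request (not invoked here: needs network access and real credentials).
# No eval and no --insecure; the body goes through stdin, so the password
# does not appear in curl's argument list.
request_token() {
    local basic
    basic="$(printf '%s:%s' "$3" "$4" | base64 | tr -d '\n')"
    build_token_body "$@" | curl -s -X POST "$TOKEN_URL" \
        -H "Authorization: Basic ${basic}" \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        --data @-
}

# Constructed sample address with a plus sign, as in the answer's edit:
# build_token_body 'robin+viewer@example.com' 'pw' 'CLIENT_ID' 'CLIENT_SECRET'
```

Without the encoding step the server would decode the sample username as "robin viewer@example.com", which matches no registered account.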
