How to provision a Dockerized secure IoT Agent with Keyrock?

Question

I'm failing to find this information within the existing documentation - either permanent or non-permanent tokens.

Using Keyrock 7.8, Ultralight 1.11.0 (though any current agent will do)

The following Docker parameters are set:

      - IOTA_AUTH_ENABLED=true
      - IOTA_AUTH_TYPE=oauth2
      - IOTA_AUTH_HEADER=Authorization
      - IOTA_AUTH_HOST=keyrock
      - IOTA_AUTH_PORT=3000
      - IOTA_AUTH_URL=http://keyrock:3000
      - IOTA_AUTH_CLIENT_ID=tutorial-dckr-site-0000-xpresswebapp
   #  - IOTA_AUTH_PERMANENT_TOKEN=true

The default Docker configuration is used in the image, so no provisioning group types are created.

I am able to provision a trusted group as shown:

curl -X POST \
  http://iot-agent:4041/iot/services \
  -H 'fiware-service: openiot' \
  -H 'fiware-servicepath: /' \
  -d '{
 "services": [
   {
     "apikey":      "4jggokgpepnvsb2uv4s40d59ov",
     "cbroker":     "http://orion:1026",
     "entity_type": "Motion",
     "resource":    "/iot/d",
     "trust": "<motn-auth-token>"
   }
 ]
}'

Question 1 - how do I generate the trust token within Keyrock.

When I provision the device

curl -X POST \
  http://iot-agent:4041/iot/devices \
  -H 'Content-Type: application/json' \
  -H 'fiware-service: openiot' \
  -H 'fiware-servicepath: /' \
  -d '{
 "devices": [
   {
     "device_id":   "motion001",
     "entity_name": "urn:ngsi-ld:Motion:001",
     "entity_type": "Motion",
     "timezone":    "Europe/Berlin",
     "attributes": [
       { "object_id": "c", "name":"count", "type":"Integer"}
      ],
      "static_attributes": [
         {"name":"refStore", "type": "Relationship","value": "urn:ngsi-ld:Store:001"}
      ]
   }
 ]
}
'

I receive the following error in the IoT Agent:

{
    "name": "SECURITY_INFORMATION_MISSING",
    "message": "Some security information was missing for device type:Motion"
}

And the following in the Keyrock logs:

Fri, 06 Dec 2019 14:13:52 GMT idm:oauth2-model_oauth_server -------getClient-------
Executing (default): SELECT `id`, `redirect_uri`, `token_types`, `jwt_secret`, `scope`, `grant_type` FROM `oauth_client` AS `OauthClient` WHERE `OauthClient`.`id` = 'tutorial-dckr-site-0000-xpresswebapp' AND `OauthClient`.`secret` = 'tutorial-lcal-host-0000-clientsecret';
Fri, 06 Dec 2019 14:13:52 GMT idm:oauth_controller Error  { invalid_client: Invalid client: client is invalid

Question 2: What additional information needs to be supplied?

Answer 1

How do I generate the trust token within Keyrock.

Trust tokens are described as access tokens within in the Keyrock documentation, Firstly set up the client application to generate permanent tokens:

This can also be done programmatically by using the /v1/applications endpoint.

Request

curl -iX POST \
  'http://keyrock:3005/v1/applications' \
  -H 'Content-Type: application/json' \
  -H 'X-Auth-token: aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa' \
  -d '{
  "application": {
    "name": "Tutorial Application",
    "description": "FIWARE Application protected by OAuth2 and Keyrock",
    "redirect_uri": "http://tutorial/login",
    "url": "http://tutorial",
    "grant_type": [
      "authorization_code",
      "implicit",
      "password"
    ],
    "token_types": ["permanent"]
  }
}'

To generate a permanent trust token, ensure the Keyrock application has been configured to offer permanent tokens and log in as an authorised user using the standard Authorization: Basic header holding a base 64 concatenation of the client id and secret. The parameter scope=permanent is added to retrieve permanent tokens when available. The response contains an access_token (a.k.a. Trust Token) which can be used for device provisioning.

Request

curl -X POST \
  http://keyrock:3005/oauth2/token \
  -H 'Accept: application/json' \
  -H 'Authorization: Basic dHV0b3JpYWwtZGNrci1zaXRlLTAwMDAteHByZXNzd2ViYXBwOnR1dG9yaWFsLWRja3Itc2l0ZS0wMDAwLWNsaWVudHNlY3JldA==' \
  -d 'username=alice-the-admin@test.com&password=test&grant_type=password&scope=permanent'

Response

{
    "access_token": "e37aeef5d48c9c1a3d4adf72626a8745918d4355",
    "token_type": "Bearer",
    "scope": ["permanent"]
}

Setting up the IoT Agent to use Keyrock and a PEP proxy

The following additional Docker parameters are required

      - IOTA_CB_HOST=orion-proxy
      - IOTA_CB_PORT=${ORION_PROXY_PORT}

      - IOTA_AUTH_ENABLED=true
      - IOTA_AUTH_TYPE=oauth2
      - IOTA_AUTH_HEADER=Authorization
      - IOTA_AUTH_HOST=keyrock
      - IOTA_AUTH_PORT=${KEYROCK_PORT}
      - IOTA_AUTH_URL=http://keyrock:${KEYROCK_PORT}
      - IOTA_AUTH_CLIENT_ID=tutorial-dckr-site-0000-xpresswebapp
      - IOTA_AUTH_CLIENT_SECRET=tutorial-dckr-host-0000-clientsecret
      - IOTA_AUTH_PERMANENT_TOKEN=true
      - IOTA_AUTH_TOKEN_PATH=/oauth2/token

IoT Agent - provisioning a trusted service group

The Access token (also known as a Trust Token) must be added to the service group. This is held in the trust attribute and repeats the token retrieved in the step above

Request

curl -iX POST \
  'http://iot-agent:4041/iot/services' \
  -H 'Content-Type: application/json' \
  -H 'fiware-service: openiot' \
  -H 'fiware-servicepath: /' \
  -d '{
 "services": [
   {
     "apikey":      "4jggokgpepnvsb2uv4s40d59ov",
     "cbroker":     "http://orion:1026",
     "entity_type": "Motion",
     "resource":    "/iot/d",
     "trust": "e37aeef5d48c9c1a3d4adf72626a8745918d4355"
   }
 ]
}'

Once a trusted service group has been created, a device can be provisioned in the usual manner

Request

curl -iX POST \
  'http://iot-agent:4041/iot/devices' \
  -H 'Content-Type: application/json' \
  -H 'fiware-service: openiot' \
  -H 'fiware-servicepath: /' \
  -d '{
 "devices": [
   {
     "device_id":   "motion001",
     "entity_name": "urn:ngsi-ld:Motion:001",
     "entity_type": "Motion",
     "timezone":    "Europe/Berlin",
   }
 ]
}
'