Oauth2 in Wirecloud


Question


Which is the best way to implement OAuth2 authorization in an operator? We have secured our backend API with PEP proxy and we need a valid token. Does WireCloud provide any means to access it once the user is logged in? Something like:

MashupPlatform.context.getOAuthToken()


We try to avoid hardcoding user credentials in the logic of the operator.

Recommended answer

Yes,


Although you cannot read the OAuth2 token from widgets/operators, you can use WireCloud's proxy and configure it to inject the OAuth2 token for you into your requests. To do so, you have to provide the following headers when making the request:

  • X-FI-WARE-OAuth-Token: the value should be true
  • X-FI-WARE-OAuth-Header-Name is the name of the header that is going to be added to the requests with the OAuth2 token, in your case: X-Auth-Token as you are using the PEP proxy (although the correct header for OAuth2 is Authorization).


Take into account that anonymous users don't have a valid OAuth2 token. Also, if you are running a custom instance of WireCloud it can be configured to support several auth backends. In that case, some users won't be associated with an IdM account. You can check if the currently logged user has an associated IdM token by running the following code: MashupPlatform.context.get('fiware_token_available');


There is also experimental support for using the OAuth2 token of the owner of the dashboard instead of using the OAuth2 token of the current logged user. To do so, add the X-FI-WARE-OAuth-Source header using the workspaceowner value.

Example:

MashupPlatform.http.makeRequest(url, {
    requestHeaders: {
        "X-FI-WARE-OAuth-Token": "true",
        "X-FI-WARE-OAuth-Header-Name": "X-Auth-Token",
        "X-FI-WARE-OAuth-Source": "workspaceowner"
    },
    // ... other request options
});

Notes for the future:


In a production environment, services using the OAuth2 authentication should be served using https for security reasons. So we are considering adding checks into the WireCloud proxy for only injecting OAuth2 tokens if the final URL uses the https schema. The only exception for this could be services available in the same intranet as WireCloud.
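
An added example, not part of the original answer or of WireCloud itself: a small operator-side wrapper that combines the pieces described above (the proxy headers, the fiware_token_available check and an https-only guard). The names oauthProxyHeaders and requestWithOAuth and the headerName/useWorkspaceOwner options are hypothetical; the https refusal is a client-side assumption, not behaviour of the WireCloud proxy.

```javascript
// Headers understood by the WireCloud proxy, as listed in the answer above.
function oauthProxyHeaders(headerName, useWorkspaceOwner) {
    const headers = {
        "X-FI-WARE-OAuth-Token": "true",
        "X-FI-WARE-OAuth-Header-Name": headerName
    };
    if (useWorkspaceOwner) {
        // Experimental: inject the dashboard owner's token instead.
        headers["X-FI-WARE-OAuth-Source"] = "workspaceowner";
    }
    return headers;
}

// Hypothetical helper. `platform` is the MashupPlatform global inside an
// operator/widget; passing it in keeps the function testable with a stub.
function requestWithOAuth(platform, url, options = {}) {
    const { headerName = "X-Auth-Token", useWorkspaceOwner = false,
            ...requestOptions } = options;

    // Assumption of this example: only ask for token injection over https,
    // so the token never travels in clear text to the backend.
    if (new URL(url).protocol !== "https:") {
        throw new Error("refusing OAuth2 token injection for non-https URL");
    }
    // Anonymous users, and users from a non-IdM auth backend, have no token.
    // The context value describes the logged-in user only, so it is not
    // consulted when the workspace owner's token is requested.
    if (!useWorkspaceOwner && !platform.context.get("fiware_token_available")) {
        throw new Error("current user has no IdM OAuth2 token");
    }
    // Caller headers are kept; the proxy control headers always win.
    requestOptions.requestHeaders = Object.assign(
        {}, requestOptions.requestHeaders,
        oauthProxyHeaders(headerName, useWorkspaceOwner));
    return platform.http.makeRequest(url, requestOptions);
}
```

Inside an operator this would be called as requestWithOAuth(MashupPlatform, url, {method: "GET"}); for a service that expects the standard header, pass headerName: "Authorization".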
