As part of the FINISH accelerator we are using FIWARE KeyRock and Wirecloud. Currently we are using the Fiware labs global instance to investigate.
We want to restrict our system so that users can only view data that belongs to the organisations of which they are a member.
The following flow seems logical, but correct me if I am wrong:
PROBLEM: We can query user information from KeyRock using the https://account.lab.fiware.org/user?access_token=XXXXXXXXXXX call. But that does not contain any information about the organisations that the user is a member of according to the KeyRock web interface. The organisations element is an empty array. We get a bunch of roles in the JSON response, but none of them is the "members" role that you assign to users from the "Manage your organization members" screen in KeyRock.
Some digging revealed that the Keystone instance running on Fiware labs contains the information (assuming that a Keystone project = KeyRock organisation). However, the access token provided by KeyRock is somehow not valid on the Keystone API. The API we used was accessible here: http://cloud.lab.fiware.org:4730/v3/. Getting a new access token from the Keystone API is not what we want, because that would be a different access token than Wirecloud has obtained, which would require some kind of proxy to log in again and retrieve the organisation membership. That rather defeats the point of passing an access token.
This seems to be a bug in the KeyRock API on the FIWARE Labs instance. Or am I missing something here? Or will this problem magically go away if we install KeyRock on our own server?
Thanks for any help, Robin
You have to follow the steps explained here, but using the specific organization. Probably you have missed the "Authorize" step.