FIWARE how to access KeyRock IdM token from Wirecloud widget

In the global Wirecloud instance i have a widget which uses the KeystoneAPI mentioned here: https://wirecloud.readthedocs.io/en/stable/development/object_storage_api/

So far so good.

However now i want to move to KeyRock for authentication. I still want to pass tokens from my wirecloud widget to backend services like the Wilma PEP proxy which is not connected to KeyRock as well. But the KeystoneAPI seems to be tied to Keystone (hence the name probably).

Is there a KeyRockAPI accessible from Wirecloud widgets? How can a widget obtain the KeyRock OAuth2 token the user logged in with? I cannot find any documentation on this.

Solution

WireCloud doesn't allow widgets and operators to read the OAuth2 token assigned to the user, but it provide support for injecting the token into HTTP requests if they go through the WireCloud's proxy. This injection is controlled by several HTTP headers, this is an example:

MashupPlatform.http.makeRequest(url, {
    requestHeaders: {
        "X-FI-WARE-OAuth-Token": "true",
        "X-FI-WARE-OAuth-Header-Name": "X-Auth-Token"
    },
    ...
});

You can find more info about how to use this feature in the FIWARE Academy course, more specifically in the 3.1.8. Accessing third-party services using IdM tokens section (take into account that this document is the same you pointed in your comments, but in html format ;) ).

Answers to the others questions formulated as comments:

Installed docker containers of KeyRock and Wirecloud, tried out the objectstorage demo widget, which failed to retrieve an authentication token. Traced the problem to %idm_token% not being filled in by the python code, presumably in plugins.py because it looks for an AUTHENTICATION_BACKEND of 'fiware' whereas the documentation states to include 'wirecloud.fiware.social_auth_backend.FIWAREOAuth2'.

I recommend you to create a new question in StackOverflow to tackle this problem. Please, provide more details on your configuration.
So my authentication token from wirecloud will be bound to that application? If so, the token is useless to my own application unless i can get a new token for it. Am i wrong here?

Yeah, the Mashup portal is the application number 17 in the Account portal and the OAuth2 token obtained by WireCloud is bound to that application. I cannot foresee if that token is useful for your application or not. This token can be used for authenticating users, but the IdM limits the returned information (e.g. roles) depending on the application bounded to the token. So, evidently, this integration is not perfect, but we are missing some integration features from the IdM to make it more useful.