I would like to adopt FIWARE as part of our IoT platform. In addition to Orion Context Broker, I would like to use keyrock / wilma / AuthzForce for authentication and authorization.
I understood by reading "step-by-step" and other documents that there are multiple users on the IoT platform and it is possible to control access to resources individually.
I would like to display a list of all resources (It's equal to the sensors) that the user can access after logging in our IoT application. However, I referred to the keyrock and AuthzForce APIs, but I don't think there is such an API. Isn't there an API in FIWARE that gets a list of user-resource (sensor) relationships?
FIWARE is not tightly bound to a single security stack. The "step-by-step" tutorials are using Keyrock and Wilma as an illustrative example, but you could just as easily use alternative Identity Managers such as Keycloak or Keystone - it is the role of the IDM which is important.
Given that every component in the FIWARE Catalogue is a microservice they are designed to do one job well rather than mixing concerns, so you would need the following set up - keep the roles and permissions in the IDM, add static data to your entities to describe what the entities are and who "owns" them.
Basic Authentication
For basic authentication where every logged in user is able to view your sensors this is easy:
sensor
to allow for easy of querying (the Device Model suggests category:This will enable clients to make queries on
/entities?q=category=="sensor"&type=Device
to get all Device in the sensor category.if all logged-in users can access all sensors you can just place a PEP proxy in front of the context broker which denies all unauthenticated requests (i.e. those without a bearer token) and passes through those that are logged in.
Basic Authorization
For basic authorization where logged in user is able to view the sensors they own it's a bit more complex, you'll need to set up permissions to allow a role to access:
/entities?q=category=="sensor"&type=Device&owner==XXX
whilst denying broader queries like/entities?type=device
- you can then add additional static data to the devices when provisioning:Advanced Authorization
For advanced authorization it would be even more complex, your Authzforce PDP would need to hold rules like:
Where users of the role
security-role-0000-0000-000000000000
are allowed to make the GET request to devices as described above.With XACML it would be possible to extend the rules using functions like
urn:oasis:names:tc:xacml:1.0:function:string-regexp-match
orurn:oasis:names:tc:xacml:1.0:function:string-regexp-match
, but you should look at finding an XACML GUI editor, the XACML 3.0 spec is easier for machines than humans. By default the Wilma PEP proxy passes over sufficient information for Authzforce to answer the rule defined above, if you want add more clauses to the matching rule, you will need to customize the PEP-PDP comms within your PEP Proxy to ensure additional information is sent to Authzforce to allow it to adjudicate the request.