如何通过Keyrock设置Docker化的安全IoT代理?

时间:2019-12-06 14:51:53

标签: iot fiware fiware-keyrock

我无法在现有的documentation(永久性令牌或非永久性令牌)中找到此信息。

使用Keyrock 7.8,Ultralight 1.11.0(尽管任何当前代理都可以使用)

设置了以下Docker参数:

      - IOTA_AUTH_ENABLED=true
      - IOTA_AUTH_TYPE=oauth2
      - IOTA_AUTH_HEADER=Authorization
      - IOTA_AUTH_HOST=keyrock
      - IOTA_AUTH_PORT=3000
      - IOTA_AUTH_URL=http://keyrock:3000
      - IOTA_AUTH_CLIENT_ID=tutorial-dckr-site-0000-xpresswebapp
   #  - IOTA_AUTH_PERMANENT_TOKEN=true

镜像中使用了默认的Docker配置,因此没有创建配置组类型。

我能够按如下所示设置受信任的组:

curl -X POST \
  http://iot-agent:4041/iot/services \
  -H 'fiware-service: openiot' \
  -H 'fiware-servicepath: /' \
  -d '{
 "services": [
   {
     "apikey":      "4jggokgpepnvsb2uv4s40d59ov",
     "cbroker":     "http://orion:1026",
     "entity_type": "Motion",
     "resource":    "/iot/d",
     "trust": "<motn-auth-token>"
   }
 ]
}'

问题1 -如何在Keyrock中生成信任令牌。

我配置设备时

curl -X POST \
  http://iot-agent:4041/iot/devices \
  -H 'Content-Type: application/json' \
  -H 'fiware-service: openiot' \
  -H 'fiware-servicepath: /' \
  -d '{
 "devices": [
   {
     "device_id":   "motion001",
     "entity_name": "urn:ngsi-ld:Motion:001",
     "entity_type": "Motion",
     "timezone":    "Europe/Berlin",
     "attributes": [
       { "object_id": "c", "name":"count", "type":"Integer"}
      ],
      "static_attributes": [
         {"name":"refStore", "type": "Relationship","value": "urn:ngsi-ld:Store:001"}
      ]
   }
 ]
}
'

我在IoT代理中收到以下错误:

{
    "name": "SECURITY_INFORMATION_MISSING",
    "message": "Some security information was missing for device type:Motion"
}

以及Keyrock日志中的以下内容:

Fri, 06 Dec 2019 14:13:52 GMT idm:oauth2-model_oauth_server -------getClient-------
Executing (default): SELECT `id`, `redirect_uri`, `token_types`, `jwt_secret`, `scope`, `grant_type` FROM `oauth_client` AS `OauthClient` WHERE `OauthClient`.`id` = 'tutorial-dckr-site-0000-xpresswebapp' AND `OauthClient`.`secret` = 'tutorial-lcal-host-0000-clientsecret';
Fri, 06 Dec 2019 14:13:52 GMT idm:oauth_controller Error  { invalid_client: Invalid client: client is invalid

问题2:还需要提供哪些其他信息?

1 个答案:

答案 0 :(得分:1)

如何在Keyrock中生成信任令牌。

信任令牌在Keyrock文档中被描述为访问令牌,首先将客户端应用程序设置为生成永久令牌:

enter image description here

这也可以通过使用/v1/applications端点以编程方式完成。

请求 

curl -iX POST \
  'http://keyrock:3005/v1/applications' \
  -H 'Content-Type: application/json' \
  -H 'X-Auth-token: aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa' \
  -d '{
  "application": {
    "name": "Tutorial Application",
    "description": "FIWARE Application protected by OAuth2 and Keyrock",
    "redirect_uri": "http://tutorial/login",
    "url": "http://tutorial",
    "grant_type": [
      "authorization_code",
      "implicit",
      "password"
    ],
    "token_types": ["permanent"]
  }
}'

要生成永久信任令牌,请确保Keyrock应用程序已配置为提供永久令牌,并使用标准Authorization: Basic标头(包含客户端ID和密码的base 64串联)作为授权用户登录。参数 添加scope=permanent来检索永久令牌(如果可用)。响应中包含一个access_token(又称“信任令牌”) 可以用于设备配置。

请求 

curl -X POST \
  http://keyrock:3005/oauth2/token \
  -H 'Accept: application/json' \
  -H 'Authorization: Basic dHV0b3JpYWwtZGNrci1zaXRlLTAwMDAteHByZXNzd2ViYXBwOnR1dG9yaWFsLWRja3Itc2l0ZS0wMDAwLWNsaWVudHNlY3JldA==' \
  -d 'username=alice-the-admin@test.com&password=test&grant_type=password&scope=permanent'

回复 

{
    "access_token": "e37aeef5d48c9c1a3d4adf72626a8745918d4355",
    "token_type": "Bearer",
    "scope": ["permanent"]
}

设置IoT代理以使用Keyrock和PEP代理

以下其他 Docker参数是必需的

      - IOTA_CB_HOST=orion-proxy
      - IOTA_CB_PORT=${ORION_PROXY_PORT}

      - IOTA_AUTH_ENABLED=true
      - IOTA_AUTH_TYPE=oauth2
      - IOTA_AUTH_HEADER=Authorization
      - IOTA_AUTH_HOST=keyrock
      - IOTA_AUTH_PORT=${KEYROCK_PORT}
      - IOTA_AUTH_URL=http://keyrock:${KEYROCK_PORT}
      - IOTA_AUTH_CLIENT_ID=tutorial-dckr-site-0000-xpresswebapp
      - IOTA_AUTH_CLIENT_SECRET=tutorial-dckr-host-0000-clientsecret
      - IOTA_AUTH_PERMANENT_TOKEN=true
      - IOTA_AUTH_TOKEN_PATH=/oauth2/token

IoT代理-设置受信任的服务组

必须将访问令牌(也称为信任令牌)添加到服务组。 它保存在trust属性中,并重复上述步骤中检索到的令牌

请求 

curl -iX POST \
  'http://iot-agent:4041/iot/services' \
  -H 'Content-Type: application/json' \
  -H 'fiware-service: openiot' \
  -H 'fiware-servicepath: /' \
  -d '{
 "services": [
   {
     "apikey":      "4jggokgpepnvsb2uv4s40d59ov",
     "cbroker":     "http://orion:1026",
     "entity_type": "Motion",
     "resource":    "/iot/d",
     "trust": "e37aeef5d48c9c1a3d4adf72626a8745918d4355"
   }
 ]
}'

一旦创建了受信任的服务组,就可以按常规方式配置设备

请求 

curl -iX POST \
  'http://iot-agent:4041/iot/devices' \
  -H 'Content-Type: application/json' \
  -H 'fiware-service: openiot' \
  -H 'fiware-servicepath: /' \
  -d '{
 "devices": [
   {
     "device_id":   "motion001",
     "entity_name": "urn:ngsi-ld:Motion:001",
     "entity_type": "Motion",
     "timezone":    "Europe/Berlin",
   }
 ]
}
'
相关问题
最新问题