
Oauth2 in Wirecloud

Published 2019-02-27 11:07

Question:

Which is the best way to implement OAuth2 authorization in an operator? We have secured our backend API with PEP proxy and we need a valid token. Does WireCloud provide any means to access it once the user is logged in? Something like:

MashupPlatform.context.getOAuthToken()

We try to avoid hardcoding user credentials in the logic of the operator.

Answer 1:

Yeah,

Although you cannot read the OAuth2 token from widgets/operators, you can use WireCloud's proxy and configure it to inject the OAuth2 token for you into your requests. To do so, you have to provide the following headers when making the request:

  • X-FI-WARE-OAuth-Token the value should be true
  • X-FI-WARE-OAuth-Header-Name is the name of the header that is going to be added to the requests with the OAuth2 token, in your case: X-Auth-Token as you are using the PEP proxy (although the correct header for OAuth2 is Authorization).

Take into account that anonymous users don't have a valid OAuth2 token. Also, if you are running a custom instance of WireCloud, it can be configured to support several auth backends. In that case, some users won't be associated with an IdM account. You can check if the currently logged user has an associated IdM token by running the following code: MashupPlatform.context.get('fiware_token_available');

There is also experimental support for using the OAuth2 token of the owner of the dashboard instead of using the OAuth2 token of the current logged user. To do so, add the X-FI-WARE-OAuth-Source header using the workspaceowner value.

Example:

MashupPlatform.http.makeRequest(url, {
    requestHeaders: {
        "X-FI-WARE-OAuth-Token": "true",
        "X-FI-WARE-OAuth-Header-Name": "X-Auth-Token",
        "X-FI-WARE-OAuth-Source": "workspaceowner"
    },
    // ... other request options (method, onSuccess, onFailure, etc.)
});

Future considerations:

In a production environment, services using the OAuth2 authentication should be served using https for security reasons. So we are considering adding checks into the WireCloud proxy for only injecting OAuth2 tokens if the final URL uses the https schema. The only exception for this could be services available in the same intranet as WireCloud.
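
An added example, not part of the original answer or of WireCloud's own code: a wrapper an operator could use to build the proxy headers described above, skip the request when the current user has no IdM token, and apply the https check on the client side. The names buildOAuthRequestOptions, requestWithOAuthToken, intranetHosts, headerName and useWorkspaceOwner are hypothetical; skipping the fiware_token_available check when the workspace owner's token is requested is an assumption.

```javascript
// Added example. `platform` is the MashupPlatform object inside a
// widget/operator; it is passed in so the logic can be exercised with a stub.
function buildOAuthRequestOptions(platform, url, opts) {
    opts = opts || {};

    // Only ask the proxy to inject a token when the target is https, or when
    // the host is explicitly listed as an intranet exception (hypothetical option).
    var parsed = new URL(url);
    var intranetHosts = opts.intranetHosts || [];
    if (parsed.protocol !== "https:" && intranetHosts.indexOf(parsed.hostname) === -1) {
        throw new Error("Refusing OAuth2 token injection over " + parsed.protocol);
    }

    var headers = {
        "X-FI-WARE-OAuth-Token": "true",
        // X-Auth-Token is what the PEP proxy in the question expects;
        // pass headerName: "Authorization" for standard OAuth2 services.
        "X-FI-WARE-OAuth-Header-Name": opts.headerName || "X-Auth-Token"
    };

    if (opts.useWorkspaceOwner === true) {
        // Experimental: use the dashboard owner's token. Assumption: the
        // current user's token availability is irrelevant in this mode.
        headers["X-FI-WARE-OAuth-Source"] = "workspaceowner";
    } else if (!platform.context.get("fiware_token_available")) {
        // Anonymous users, or users from a non-IdM auth backend.
        throw new Error("Current user has no IdM OAuth2 token");
    }

    return {method: opts.method || "GET", requestHeaders: headers};
}

function requestWithOAuthToken(platform, url, opts) {
    // Build and validate first, so nothing is sent when a check fails.
    var options = buildOAuthRequestOptions(platform, url, opts);
    return platform.http.makeRequest(url, options);
}
```

Inside an operator this would be called as requestWithOAuthToken(MashupPlatform, url, {...}), with the thrown errors caught and reported to the user instead of sending a request that the backend will reject.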