Understanding UI-Backend communication

Hi,

I’ve been trying to understand how the UI and the Backend communicate with each other, especially when it comes to authentication.

After looking at these diagrams and the code itself, it seems like it’s currently not possible to authenticate in the UI using a username and a password (unless it’s connecting directly to an Edge). Is this correct? If it is, what would be the best way of implementing something like this? I’m thinking of two options here:

  • Authenticate from the UI itself using an external authentication service (like Firebase or something similar), and pass the returned session id to OpenEMS Backend.
  • Pass the username and password directly to the Backend through the UI websocket, so it can be processed by Metadata.authenticate(username, password), although I’m quite concerned about the security implications of doing that.

My confusion gets worse when I take the Backend Metadata service into account. I understand that it’s supposed to regulate which users can access which devices, but how does this integrate with external authentication services? I’ve looked at the Odoo implementation but it seems to be very targeted to the FEMS infrastructure.

Any tips on how to proceed or any information at all about UI/Backend is more than appreciated.
Thanks.

Hi,

Thanks for getting in touch. OpenEMS Backend is clearly not yet as popular and widely used as OpenEMS Edge.

The authentication to Backend is a long-open feature request. As you saw correctly, creation of a session token is handled outside of OpenEMS Backend and is only forwarded. This is really because of the requirements we had for the FEMS infrastructure. I know that there are other implementations of the Metadata-Service (e.g. with Wordpress as backend), but none of them are open sourced yet unfortunately.

The solution I had in mind was similar to what you suggest in your second option. I do not see any security implications, because at the point when we would send username and password, we already use a TLS-encrypted websocket connection. We also have a UI mockup ready for this already: https://github.com/OpenEMS/openems/pull/1013

In principle the Metadata.Odoo implementation is using Odoo mainly just like a simple Postgres database (with a nice frontend). The database needs to hold information about which user has access to which Edges with which Role. For example there can be users that have ‘guest’ access on all Edges, but also ‘owner’ access on one specific Edge.

Would such a generic Postgres implementation suit your needs?
Can you shed more light on your exact requirement? Are you planning to integrate OpenEMS Backend with an existing (single-sign-on-) solution?

Regards,
Stefan
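
The access model described above (a role on all Edges plus a role on one specific Edge), together with a server-side username/password check, as an added example that is not OpenEMS code. The class `SimpleMetadata`, its methods, the PBKDF2 parameters and the sample user and Edge ids are hypothetical and constructed for illustration; an in-memory map stands in for the Postgres tables.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical stand-in for a generic Metadata store; not an OpenEMS class.
public class SimpleMetadata {
    enum Role { GUEST, OWNER }

    // One row per user: salted password hash plus access rules (constructed model).
    record User(byte[] salt, byte[] hash, Optional<Role> allEdges, Map<String, Role> perEdge) {}

    private final Map<String, User> users = new HashMap<>();

    // Only the salted PBKDF2 output is stored, never the password itself.
    static byte[] derive(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 210_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    void addUser(String name, String password, Role allEdges, Map<String, Role> perEdge) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        users.put(name, new User(salt, derive(password.toCharArray(), salt), Optional.ofNullable(allEdges), perEdge));
    }

    // Returns the user only if the password matches; the hash comparison is constant-time.
    Optional<User> authenticate(String name, String password) throws Exception {
        User u = users.get(name);
        if (u == null) return Optional.empty();
        byte[] candidate = derive(password.toCharArray(), u.salt());
        return MessageDigest.isEqual(candidate, u.hash()) ? Optional.of(u) : Optional.empty();
    }

    // A per-Edge entry wins; otherwise the all-Edges role applies; otherwise access is denied.
    static Optional<Role> roleFor(User u, String edgeId) {
        Role specific = u.perEdge().get(edgeId);
        return specific != null ? Optional.of(specific) : u.allEdges();
    }

    public static void main(String[] args) throws Exception {
        SimpleMetadata md = new SimpleMetadata();
        md.addUser("alice", "constructed-password", Role.GUEST, Map.of("edge7", Role.OWNER));
        User alice = md.authenticate("alice", "constructed-password").orElseThrow();
        System.out.println("edge7: " + roleFor(alice, "edge7"));
        System.out.println("edge1: " + roleFor(alice, "edge1"));
        System.out.println("wrong password accepted: " + md.authenticate("alice", "wrong").isPresent());
    }
}
```

The early return for an unknown user skips the key derivation, so response time can reveal whether a username exists; a deployment would also rate-limit login attempts on the websocket.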

Hi Stefan, thanks for your reply,

We also have UI mockup ready for this already: [WIP] Backend Login via UI by fabianfnc · Pull Request #1013 · OpenEMS/openems · GitHub

I didn’t know about that, thanks, will have a look.

In principle the Metadata.Odoo implementation is using Odoo mainly just like a simple Postgres database (with a nice frontend).

That’s interesting, I thought the Odoo implementation was much fancier (i.e. part of a bigger infrastructure as Odoo itself is a CRM). I’ll be looking into using it now.

Are you planning to integrate OpenEMS Backend with an existing (single-sign-on-) solution?

That was my initial plan, but I guess it’s not needed anymore due to the above. I’m not planning to implement this on a very large scale, so a simple authentication service is more than enough.

Hello together,
as Stefan mentioned, we (Kaco new energy GmbH) have implemented a Metadata.Wordpress Component that uses WordPress as an authentication service and a little customized MySQL Database inside WordPress for managing Edge Devices.
Unfortunately our implementation is still written very specifically for our purpose but I will soon write a generalized version that can be pulled into the OpenEMS repo.

I will create a new proposal thread and pull request as soon as I have the generalized version of our code.

Greetings
Andy

Sounds great, I’ll be trying it out as soon as it’s available. Thank you!

Returning to the topic of Odoo: I’ve managed to deploy an Odoo instance together with OpenEMS, and so far it does look like they are communicating with each other. However, OpenEMS Backend complains about a PostgreSQL table named “edge_device” not existing. I’ve thought of using psql to add it manually, but is there some other way I’m missing to register new Edge devices/users directly in Odoo?

Thanks.