PEP Proxy - Wilma GE

What it is

This is the reference implementation of the PEP Proxy Generic Enabler. Together with the Identity Management and Authorization PDP GEs, this component adds authentication and authorization to your backend applications, so that only FIWARE users can access your GEs or REST services. You can also manage specific permissions and policies for your resources, giving your users different access levels.

Why get it

Wilma is the reference implementation of this Generic Enabler because it is completely integrated with the FIWARE ecosystem, and specifically with FIWARE account. It is designed to work with the OAuth2 and XACML protocols, the standards for authentication and authorization chosen in FIWARE. Furthermore, it is the component that every GEi includes on top of its REST API, so it is tested and used in many different scenarios.

Security Levels


The PEP Proxy is a compact NodeJS service. It intercepts incoming HTTP/HTTPS calls, checks the validity of the included OAuth2 token and verifies whether the associated principal can perform the action (HTTP method) on the resource (HTTP URL) specified in the call. In short, it operates as an identity service for OAuth2 bearer-only endpoints and adds HTTP-based authorization verification.

The PEP Proxy makes certain assumptions regarding its deployment environment:

  • The availability of the FIWARE Keyrock IDM and an existing service account bound to the PEP Proxy.
  • If the PEP Proxy performs authorization checks on incoming calls, an instance of the AuthZForce service is used to store and verify access policies.

There exist 2 distinct interaction scenarios in which the proxy is involved:

  • The PEP Proxy authenticates itself to the IDM using its service credentials (attributes config.username & config.password found in config.js). The proxy username & password must be registered with the IDM. In addition, an application corresponding to the proxy must be created in the IDM.
  • The PEP proxy intercepts the incoming service call. This involves 2 steps:
    • The OAuth2 token in the incoming call is verified with the IDM.
    • The user’s roles, the action, the resource and the application ID are forwarded to the Authorization PDP server that compares the request with the set of access policies stored in the server.
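
The interception flow described above, sketched as an added example (not Wilma's own code): in-memory stand-ins replace the IDM and the Authorization PDP, and all names, tokens, roles and policies are hypothetical. It shows the order of the checks and that every failure path denies the call.

```javascript
// Stand-ins for the IDM and the Authorization PDP; every name and value here is
// hypothetical and constructed for this example, not Keyrock's or AuthZForce's API.
const idm = {
  tokens: {
    'tok-alice': { user: 'alice', roles: ['reader'] },
    'tok-bob': { user: 'bob', roles: ['reader', 'editor'] },
  },
  // Step 1: verify the OAuth2 token; returns the user's info or null.
  validate(token) {
    const known = Object.prototype.hasOwnProperty.call(this.tokens, token);
    return known ? this.tokens[token] : null;
  },
};

const pdp = {
  policies: [
    { appId: 'app-1', role: 'reader', action: 'GET', resource: '/entities' },
    { appId: 'app-1', role: 'editor', action: 'POST', resource: '/entities' },
  ],
  // Step 2: compare roles, action, resource and application ID with stored policies.
  decide({ roles, action, resource, appId }) {
    return this.policies.some(p => p.appId === appId && roles.includes(p.role) &&
      p.action === action && p.resource === resource);
  },
};

// Decide one intercepted call. Returns the status the proxy would answer with;
// 200 means "forward to the backend". Every failure path denies (fail closed).
function pepDecide(req, appId) {
  // Assumption: the token arrives as "Authorization: Bearer <token>" (RFC 6750).
  const match = /^Bearer (\S+)$/i.exec(req.headers.authorization || '');
  if (!match) return { status: 401, reason: 'missing bearer token' };
  const userInfo = idm.validate(match[1]);
  if (!userInfo) return { status: 401, reason: 'token rejected by IDM' };
  const permitted = pdp.decide({
    roles: userInfo.roles, action: req.method, resource: req.path, appId,
  });
  if (!permitted) return { status: 403, reason: 'denied by PDP' };
  return { status: 200, reason: 'forwarded', user: userInfo.user };
}

// Constructed requests exercising each outcome.
const call = (method, path, token) =>
  ({ method, path, headers: token ? { authorization: `Bearer ${token}` } : {} });
console.log(pepDecide(call('GET', '/entities', 'tok-alice'), 'app-1'));
console.log(pepDecide(call('POST', '/entities', 'tok-alice'), 'app-1'));
console.log(pepDecide(call('GET', '/entities', 'tok-unknown'), 'app-1'));
console.log(pepDecide(call('GET', '/entities'), 'app-1'));
```

A valid token alone yields 403 rather than 200 when no stored policy matches the caller's roles, method, URL and application ID, which is the distinction between the two steps of the interception.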

FIWARE Webpage

PEP Proxy - Wilma


PEP Proxy - Wilma Documentation


PEP Proxy - Wilma Download

Fiware Academy

PEP Proxy - Wilma Courses

