FIWARE PEP Wilma 6.2: Troubleshooting failure to obtain x-subject-token at startup
Hey there, let's break down why you might be failing to get the x-subject-token with PEP Wilma 6.2 when protecting Orion. Based on the code snippets you shared and common pitfalls with this setup, here are the most likely causes:
1. Incomplete or Incorrect IDM Configuration
PEP Wilma relies on valid IDM (like Keyrock) credentials and endpoint details to fetch the token. Double-check these in your config:
- Ensure config.idm includes all required fields: host, port, username, password, and domain (for Keystone v3 endpoints). Missing any of these will cause the authentication request to fail silently or return an error.
- If your IDM uses HTTPS, make sure the options object in lib/idm.js includes protocol: 'https:'—without this, the request will try to use HTTP and fail to connect.
2. Invalid Authentication Request Format
Your code targets the Keystone v3 endpoint /v3/auth/tokens, which expects a specific JSON payload. If Wilma isn't sending the correct request body, the IDM won't return a token. The required payload should look like this:
    {
      "auth": {
        "identity": {
          "methods": ["password"],
          "password": {
            "user": {
              "name": "your-pep-username",
              "domain": {"name": "Default"},
              "password": "your-pep-password"
            }
          }
        }
      }
    }
Verify that your Wilma setup is generating this payload correctly—missing fields like domain are a common culprit.
3. Network/Firewall Blocking the Request
If Wilma can't reach your IDM server at all, it can't fetch the token. Test connectivity manually from the Wilma server using curl:
    # -i prints the response headers, which is where x-subject-token is returned
    curl -i -X POST http://<your-idm-host>:<your-idm-port>/v3/auth/tokens \
      -H "Content-Type: application/json" \
      -d '{"auth":{"identity":{"methods":["password"],"password":{"user":{"name":"your-user","domain":{"name":"Default"},"password":"your-pass"}}}}}'
If this command returns an error (like connection refused) or no x-subject-token in the response headers, the issue is network-related—not a Wilma configuration problem.
4. Lack of Detailed Error Logging
Your current error callback only logs status and e, which might not give enough context. Modify the error handler in lib/idm.js to include the full response body:
    function (status, e, responseBody) {
        log.error('PEP authentication failed. Status:', status, 'Error:', e, 'IDM Response:', responseBody);
    }
This will show you exactly what the IDM is returning (e.g., invalid credentials, missing permissions) and help you fix the root cause faster.
5. Version Compatibility Issues
Ensure PEP Wilma 6.2 is compatible with your IDM version. For example, newer Keyrock versions might have changes to the Keystone v3 endpoint that Wilma 6.2 doesn't handle. Check the official Wilma documentation to confirm supported IDM versions.
Start by testing the curl command and adding detailed error logging—these steps will quickly narrow down whether the issue is with configuration, network, or request formatting.
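The checks from points 1 to 4 can be combined into one stand-alone Node.js diagnostic. This is an added example, not code from Wilma or from the original answer: the helper names are hypothetical, and the field names are assumed to match the config.idm list in point 1.

```javascript
// Added example; helper names are hypothetical, field names follow the config.idm list above.
const REQUIRED = ['host', 'port', 'username', 'password', 'domain'];

// Build options and JSON body for POST /v3/auth/tokens; report missing fields loudly.
function buildAuthRequest(idm, useHttps) {
  const missing = REQUIRED.filter((k) => idm[k] === undefined || idm[k] === null || idm[k] === '');
  if (missing.length > 0) throw new Error('config.idm is missing: ' + missing.join(', '));
  const body = JSON.stringify({
    auth: { identity: { methods: ['password'], password: { user: {
      name: idm.username, domain: { name: idm.domain }, password: idm.password,
    } } } },
  });
  const options = {
    protocol: useHttps ? 'https:' : 'http:',
    host: idm.host, port: idm.port, path: '/v3/auth/tokens', method: 'POST',
    headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(body) },
  };
  return { options, body };
}

// Classify one attempt. `err` is a socket-level error or null; header names are
// lower-case, as Node's http module delivers them.
function diagnose(err, status, headers, responseBody) {
  if (err) return { cause: 'network', detail: err.code || err.message };
  const ok = status >= 200 && status < 300;
  const token = headers && headers['x-subject-token'];
  if (ok && token) return { cause: 'ok', token };
  if (status === 401) return { cause: 'credentials', detail: responseBody };
  if (ok) return { cause: 'no-token-header', detail: responseBody };
  return { cause: 'idm-error', detail: 'HTTP ' + status + ': ' + responseBody };
}

// Log-safe copy of the request body: the PEP password is masked.
function redactForLog(body) {
  const copy = JSON.parse(body);
  copy.auth.identity.password.user.password = '***';
  return JSON.stringify(copy);
}

// `transport` is require('http') or require('https'), matching useHttps.
function fetchToken(transport, idm, useHttps, done) {
  const { options, body } = buildAuthRequest(idm, useHttps);
  const req = transport.request(options, (res) => {
    let data = '';
    res.on('data', (chunk) => { data += chunk; });
    res.on('end', () => done(diagnose(null, res.statusCode, res.headers, data)));
  });
  req.on('error', (e) => done(diagnose(e)));
  req.end(body);
}
```

Run it from the Wilma host with fetchToken(require('http'), config.idm, false, console.log); when logging the request for debugging, log redactForLog(body) rather than the raw body so the PEP password stays out of the logs.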
This question originates from Stack Exchange; asked by fisuda.




