Last modified by messines on 2022/05/25 10:11
From version 1.1
edited by villemai
on 2020/05/04 16:15
Change comment: There is no comment for this version
To version 10.1
edited by messines
on 2021/11/15 14:39
Change comment: There is no comment for this version

Summary

Details

Page properties
Title
... ... @@ -1,1 +1,1 @@
1 -Registering an OIDC client
1 +1. Registering an OIDC client
Author
... ... @@ -1,1 +1,1 @@
1 -XWiki.villemai
1 +XWiki.messines
Content
... ... @@ -1,13 +1,38 @@
1 +== Must read before starting ==
2 +
3 +It's very important to choose the right type of clients and to understand the various OAuth flows.
4 +
5 +A very good documentation is this one :
6 +
7 +[[https:~~/~~/auth0.com/docs/authorization/which-oauth-2-0-flow-should-i-use>>url:https://auth0.com/docs/authorization/which-oauth-2-0-flow-should-i-use]]
8 +
9 +and another one
10 +
11 +[[https:~~/~~/dzone.com/articles/the-right-flow-for-the-job-which-oauth-20-flow-sho>>url:https://dzone.com/articles/the-right-flow-for-the-job-which-oauth-20-flow-sho]]
12 +
1 1  == Creating your OpenID Connect client ==
2 2  
3 -The steps to create an OpenID Connect client are the following:
15 +The steps to create an OpenID Connect (OIDC) client are the following:
4 4  
17 +1. Ask the developer accreditation to be authorize to create client
5 5  1. get an access token from the `developer` client
6 -1. use the token to call the create endpoint
7 7  1. save your registration access token for further modifications of your client
20 +1. use the token to call the create endpoint
8 8  
9 -Note that a [[notebook>>url:https://lab.ebrains.eu/user-redirect/lab/tree/drive/Shared%20with%20all/Collaboratory%20Community%20Apps/Managing%20an%20OpenID%20Connect%20client.ipynb]] is available to help you create and modify your OIDC client.
22 +==== Easiest way to create a client ====
10 10  
24 +**A live exemple of client ID creation is available here on our lab**, you can perfectly use this notebook to create your client, the next steps in this documentation reproduce the content of the notebook. **The easiest solution as a user is to use this notebook to create a client** and avoid human error while executing curl request manually.
25 +
26 +[[https:~~/~~/lab.ebrains.eu/user/user-redirect/lab/tree/shared/Collaboratory%20Community%20Apps/Managing%20an%20OpenID%20Connect%20client.ipynb>>https://lab.ebrains.eu/user/user-redirect/lab/tree/shared/Collaboratory%20Community%20Apps/Managing%20an%20OpenID%20Connect%20client.ipynb]]
27 +
28 +=== Ask for developer accreditation ===
29 +
30 +To be authorize to create an OIDC client you have to be accredited as developer.
31 +
32 +Please go on this page and "Request to join" the group [[https:~~/~~/wiki.ebrains.eu/bin/view/Identity/#/groups/app-collaboratory-iam~~-~~-service-providers>>https://wiki.ebrains.eu/bin/view/Identity/#/groups/app-collaboratory-iam--service-providers]]
33 +
34 +We will quickly process your request and you will be able to create an OIDC client
35 +
11 11  === Fetching your developer access token ===
12 12  
13 13  Getting your developer token is done in one simple step: authenticate against the developer client with the password grant.
... ... @@ -16,8 +16,8 @@
16 16  
17 17  {{code language="bash"}}
18 18  # Gather username and password from user
19 -echo '\nEnter your username' && read clb_dev_username &&
20 -echo '\nEnter your password' && read -s clb_dev_pwd &&
44 +read -p 'Enter your username: ' clb_dev_username
45 +read -s -p 'Enter your password: ' clb_dev_pwd
21 21  
22 22  # Fetch the token
23 23  curl -X POST https://iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/token \
... ... @@ -25,12 +25,12 @@
25 25   -d 'grant_type=password' \
26 26   --data-urlencode "username=${clb_dev_username}" \
27 27   --data-urlencode "password=${clb_dev_pwd}" |
28 -
29 -# Prettify the JSON response
30 -json_pp;
31 31  
54 +# and pretty-print the JSON response
55 +json_pp
56 +
32 32  # Erase the credentials from local variables
33 -clb_dev_pwd='';clb_dev_username=''
58 +clb_dev_pwd=''; clb_dev_username=''
34 34  {{/code}}
35 35  
36 36  The response will be similar to:
... ... @@ -48,7 +48,7 @@
48 48  }
49 49  {{/code}}
50 50  
51 -Copy the "access_token" value, you will need if for the next step.
76 +Store a copy of the "access_token" value. You will need if for the next step.
52 52  
53 53  === Creating the client ===
54 54  
... ... @@ -56,34 +56,35 @@
56 56  
57 57  {{code language="bash"}}
58 58  # Set your developer token
59 -clb_dev_token=...
84 +clb_dev_token="eyJhbGci..."
60 60  
61 61  # Send the creation request
62 62  curl -X POST https://iam.ebrains.eu/auth/realms/hbp/clients-registrations/default/ \
63 63   -H "Authorization: Bearer ${clb_dev_token}" \
64 64   -H 'Content-Type: application/json' \
65 - -d '{
66 - "clientId": "my-awesome-client",
67 - "name": "My Awesome App",
90 + -d '{ "clientId": "your_client_id",
91 + "name": "Collaboratory workshop demo client edited",
68 68   "description": "This describes what my app is for end users",
69 - "rootUrl": "https://root.url.of.my.app",
70 - "baseUrl": "/relative/path/to/its/frontpage.html",
93 + "rootUrl": "https://example.org",
94 + "baseUrl": "https://example.org",
71 71   "redirectUris": [
72 - "/relative/redirect/path",
73 - "/these/can/use/wildcards/*"
96 + "/login/*",
97 + "https://example.org/login/*"
74 74   ],
75 - "webOrigins": ["+"],
76 - "bearerOnly": false,
77 - "consentRequired": true,
78 - "standardFlowEnabled": true,
79 - "implicitFlowEnabled": true,
80 - "directAccessGrantsEnabled": false,
99 + "webOrigins":["http://localhost:8080","https://example.org","+"],
100 + "bearerOnly": False,
101 + "consentRequired": True,
102 + "standardFlowEnabled": True,
103 + "implicitFlowEnabled": False,
104 + "directAccessGrantsEnabled": False,
81 81   "attributes": {
82 82   "contacts": "first.contact@example.com; second.contact@example.com"
83 - }
107 + },
108 + "defaultClientScopes": ["openid","profile","email","roles"],
109 + "optionalClientScopes": ["team","group"]
84 84   }' |
85 85  
86 -# Prettify the JSON response
112 +# Pretty print the JSON response
87 87  json_pp;
88 88  {{/code}}
89 89  
... ... @@ -135,7 +135,7 @@
135 135  
136 136  Among all the attributes, you should securely save:
137 137  
138 -* your client **secret** ("secret" attribute): it is needed by your application to **authenticate to the IAM server** when making backend calls
164 +* your client **secret** ("secret" attribute): it is needed by your application to **authenticate to the IAM server** when making back-end calls
139 139  * your client **registration access token** ("registrationAccessToken"): you will need it to authenticate when **modifying your client in the future**
140 140  
141 141  === Modifying your client ===
... ... @@ -144,14 +144,15 @@
144 144  
145 145  {{code language="bash"}}
146 146  # Set your registration token and client id
147 -clb_reg_token=...
173 +clb_reg_token="eyJhbGciOi..."
174 +clb_client_id="my-awesome-client"
148 148  
149 -# Update the client
150 -curl -X PUT https://iam.ebrains.eu/auth/realms/hbp/clients-registrations/default/my-awesome-client \
176 +# Update the client. Note that the client ID appears both in the endpoint URL and in the body of the request.
177 +curl -X PUT https://iam.ebrains.eu/auth/realms/hbp/clients-registrations/default/${clb_client_id} \
151 151   -H "Authorization: Bearer ${clb_reg_token}" \
152 152   -H 'Content-Type: application/json' \
153 153   -d '{
154 - "clientId": "my-awesome-client",
181 + "clientId": "'${clb_client_id}'",
155 155   "redirectUris": [
156 156   "/relative/redirect/path",
157 157   "/these/can/use/wildcards/*",
... ... @@ -159,15 +159,13 @@
159 159   ]
160 160   }' |
161 161  
162 -# Prettify the JSON response
163 -json_pp;
189 +# Pretty print the JSON response
190 +json_pp
191 +
164 164  {{/code}}
165 165  
166 166   Note that your need to provide your client id both in the endpoint URL and within the body of the request.
167 167  
168 168  {{warning}}
169 -/!\ ** Each time you modify your client, a new registration access token will be generated. You need to keep track of your token changes to keep access to your client.   **/!\
197 +**⚠  Each time you modify your client, a new registration access token is generated. You need to keep track of your latest token to keep access to your client.  **
170 170  {{/warning}}
171 -
172 -(% class="wikigeneratedid" id="HH4Won27tAppearinToC" %)
173 -
Table of content