Last modified by messines on 2022/05/25 10:11
From version 1.1
edited by villemai
on 2020/05/04 16:15
Change comment: There is no comment for this version
To version 8.1
edited by messines
on 2021/11/15 14:33
Change comment: There is no comment for this version

Summary

Details

Page properties
Title
... ... @@ -1,1 +1,1 @@
1 -Registering an OIDC client
1 +1. Registering an OIDC client
Author
... ... @@ -1,1 +1,1 @@
1 -XWiki.villemai
1 +XWiki.messines
Content
... ... @@ -1,13 +1,38 @@
1 +== Must read before starting ==
2 +
3 +It's very important to choose the right type of clients and to understand the various OAuth flows.
4 +
5 +A very good documentation is this one :
6 +
7 +[[https:~~/~~/auth0.com/docs/authorization/which-oauth-2-0-flow-should-i-use>>url:https://auth0.com/docs/authorization/which-oauth-2-0-flow-should-i-use]]
8 +
9 +and another one
10 +
11 +[[https:~~/~~/dzone.com/articles/the-right-flow-for-the-job-which-oauth-20-flow-sho>>url:https://dzone.com/articles/the-right-flow-for-the-job-which-oauth-20-flow-sho]]
12 +
13 +Also a live exemple of client ID creation is available here on our lab, you can perfectly use this notebook to create your client, the next steps in this documentation reproduce the content of the notebook.
14 +
15 +[[https:~~/~~/lab.ebrains.eu/user/user-redirect/lab/tree/shared/Collaboratory%20Community%20Apps/Managing%20an%20OpenID%20Connect%20client.ipynb>>https://lab.ebrains.eu/user/user-redirect/lab/tree/shared/Collaboratory%20Community%20Apps/Managing%20an%20OpenID%20Connect%20client.ipynb]]
16 +
1 1  == Creating your OpenID Connect client ==
2 2  
3 -The steps to create an OpenID Connect client are the following:
19 +The steps to create an OpenID Connect (OIDC) client are the following:
4 4  
21 +1. Ask the developer accreditation to be authorize to create client
5 5  1. get an access token from the `developer` client
6 -1. use the token to call the create endpoint
7 7  1. save your registration access token for further modifications of your client
24 +1. use the token to call the create endpoint
8 8  
9 -Note that a [[notebook>>url:https://lab.ebrains.eu/user-redirect/lab/tree/drive/Shared%20with%20all/Collaboratory%20Community%20Apps/Managing%20an%20OpenID%20Connect%20client.ipynb]] is available to help you create and modify your OIDC client.
26 +Note that a Jupyter Notebook notebook is available in the Drive of this collab to help you create and modify your OIDC client. Its name is: **//Managing an OpenID Connect client.ipynb//** [add link]
10 10  
28 +=== Ask for developer accreditation ===
29 +
30 +To be authorize to create an OIDC client you have to be accredited as developer.
31 +
32 +Please go on this page and "Request to join" the group [[https:~~/~~/wiki.ebrains.eu/bin/view/Identity/#/groups/app-collaboratory-iam~~-~~-service-providers>>https://wiki.ebrains.eu/bin/view/Identity/#/groups/app-collaboratory-iam--service-providers]]
33 +
34 +We will quickly process your request and you will be able to create an OIDC client
35 +
11 11  === Fetching your developer access token ===
12 12  
13 13  Getting your developer token is done in one simple step: authenticate against the developer client with the password grant.
... ... @@ -16,8 +16,8 @@
16 16  
17 17  {{code language="bash"}}
18 18  # Gather username and password from user
19 -echo '\nEnter your username' && read clb_dev_username &&
20 -echo '\nEnter your password' && read -s clb_dev_pwd &&
44 +read -p 'Enter your username: ' clb_dev_username
45 +read -s -p 'Enter your password: ' clb_dev_pwd
21 21  
22 22  # Fetch the token
23 23  curl -X POST https://iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/token \
... ... @@ -25,12 +25,12 @@
25 25   -d 'grant_type=password' \
26 26   --data-urlencode "username=${clb_dev_username}" \
27 27   --data-urlencode "password=${clb_dev_pwd}" |
28 -
29 -# Prettify the JSON response
30 -json_pp;
31 31  
54 +# and pretty-print the JSON response
55 +json_pp
56 +
32 32  # Erase the credentials from local variables
33 -clb_dev_pwd='';clb_dev_username=''
58 +clb_dev_pwd=''; clb_dev_username=''
34 34  {{/code}}
35 35  
36 36  The response will be similar to:
... ... @@ -48,7 +48,7 @@
48 48  }
49 49  {{/code}}
50 50  
51 -Copy the "access_token" value, you will need if for the next step.
76 +Store a copy of the "access_token" value. You will need if for the next step.
52 52  
53 53  === Creating the client ===
54 54  
... ... @@ -56,34 +56,35 @@
56 56  
57 57  {{code language="bash"}}
58 58  # Set your developer token
59 -clb_dev_token=...
84 +clb_dev_token="eyJhbGci..."
60 60  
61 61  # Send the creation request
62 62  curl -X POST https://iam.ebrains.eu/auth/realms/hbp/clients-registrations/default/ \
63 63   -H "Authorization: Bearer ${clb_dev_token}" \
64 64   -H 'Content-Type: application/json' \
65 - -d '{
66 - "clientId": "my-awesome-client",
67 - "name": "My Awesome App",
90 + -d '{ "clientId": "your_client_id",
91 + "name": "Collaboratory workshop demo client edited",
68 68   "description": "This describes what my app is for end users",
69 - "rootUrl": "https://root.url.of.my.app",
70 - "baseUrl": "/relative/path/to/its/frontpage.html",
93 + "rootUrl": "https://example.org",
94 + "baseUrl": "https://example.org",
71 71   "redirectUris": [
72 - "/relative/redirect/path",
73 - "/these/can/use/wildcards/*"
96 + "/login/*",
97 + "https://example.org/login/*"
74 74   ],
75 - "webOrigins": ["+"],
76 - "bearerOnly": false,
77 - "consentRequired": true,
78 - "standardFlowEnabled": true,
79 - "implicitFlowEnabled": true,
80 - "directAccessGrantsEnabled": false,
99 + "webOrigins":["http://localhost:8080","https://example.org","+"],
100 + "bearerOnly": False,
101 + "consentRequired": True,
102 + "standardFlowEnabled": True,
103 + "implicitFlowEnabled": False,
104 + "directAccessGrantsEnabled": False,
81 81   "attributes": {
82 82   "contacts": "first.contact@example.com; second.contact@example.com"
83 - }
107 + },
108 + "defaultClientScopes": ["openid","profile","email","roles"],
109 + "optionalClientScopes": ["team","group"]
84 84   }' |
85 85  
86 -# Prettify the JSON response
112 +# Pretty print the JSON response
87 87  json_pp;
88 88  {{/code}}
89 89  
... ... @@ -135,7 +135,7 @@
135 135  
136 136  Among all the attributes, you should securely save:
137 137  
138 -* your client **secret** ("secret" attribute): it is needed by your application to **authenticate to the IAM server** when making backend calls
164 +* your client **secret** ("secret" attribute): it is needed by your application to **authenticate to the IAM server** when making back-end calls
139 139  * your client **registration access token** ("registrationAccessToken"): you will need it to authenticate when **modifying your client in the future**
140 140  
141 141  === Modifying your client ===
... ... @@ -144,14 +144,15 @@
144 144  
145 145  {{code language="bash"}}
146 146  # Set your registration token and client id
147 -clb_reg_token=...
173 +clb_reg_token="eyJhbGciOi..."
174 +clb_client_id="my-awesome-client"
148 148  
149 -# Update the client
150 -curl -X PUT https://iam.ebrains.eu/auth/realms/hbp/clients-registrations/default/my-awesome-client \
176 +# Update the client. Note that the client ID appears both in the endpoint URL and in the body of the request.
177 +curl -X PUT https://iam.ebrains.eu/auth/realms/hbp/clients-registrations/default/${clb_client_id} \
151 151   -H "Authorization: Bearer ${clb_reg_token}" \
152 152   -H 'Content-Type: application/json' \
153 153   -d '{
154 - "clientId": "my-awesome-client",
181 + "clientId": "'${clb_client_id}'",
155 155   "redirectUris": [
156 156   "/relative/redirect/path",
157 157   "/these/can/use/wildcards/*",
... ... @@ -159,15 +159,13 @@
159 159   ]
160 160   }' |
161 161  
162 -# Prettify the JSON response
163 -json_pp;
189 +# Pretty print the JSON response
190 +json_pp
191 +
164 164  {{/code}}
165 165  
166 166   Note that your need to provide your client id both in the endpoint URL and within the body of the request.
167 167  
168 168  {{warning}}
169 -/!\ ** Each time you modify your client, a new registration access token will be generated. You need to keep track of your token changes to keep access to your client.   **/!\
197 +**⚠  Each time you modify your client, a new registration access token is generated. You need to keep track of your latest token to keep access to your client.  **
170 170  {{/warning}}
171 -
172 -(% class="wikigeneratedid" id="HH4Won27tAppearinToC" %)
173 -
Table of content