Summary

• Page properties (3 modified, 0 added, 0 removed)

Details

Page properties

Title

...	...	@@ -1,1 +1,1 @@
1		-1. Registering an OIDC client
	1	+Registering an OIDC client

Author

...	...	@@ -1,1 +1,1 @@
1		-XWiki.messines
	1	+XWiki.villemai

Content

...	...	@@ -1,38 +13,13 @@
1		-== Must read before starting ==
2		-
3		-It's very important to choose the right type of clients and to understand the various OAuth flows.
4		-
5		-A very good documentation is this one :
6		-
7		-[[https:~~/~~/auth0.com/docs/authorization/which-oauth-2-0-flow-should-i-use>>url:https://auth0.com/docs/authorization/which-oauth-2-0-flow-should-i-use]]
8		-
9		-and another one
10		-
11		-[[https:~~/~~/dzone.com/articles/the-right-flow-for-the-job-which-oauth-20-flow-sho>>url:https://dzone.com/articles/the-right-flow-for-the-job-which-oauth-20-flow-sho]]
12		-
13	13	== Creating your OpenID Connect client ==
14	14
15		-The steps to create an OpenID Connect (OIDC) client are the following:
	3	+The steps to create an OpenID Connect client are the following:
16	16
17		-1. Ask the developer accreditation to be authorize to create client
18	18	1. get an access token from the `developer` client
19		-1. save your registration access token for further modifications of your client
20	20	1. use the token to call the create endpoint
	7	+1. save your registration access token for further modifications of your client
21	21
22		-==== Easiest way to create a client ====
	9	+Note that a [[notebook>>url:https://lab.ebrains.eu/user-redirect/lab/tree/drive/Shared%20with%20all/Collaboratory%20Community%20Apps/Managing%20an%20OpenID%20Connect%20client.ipynb]] is available to help you create and modify your OIDC client.
23	23
24		-**A live exemple of client ID creation is available here on our lab**, you can perfectly use this notebook to create your client, the next steps in this documentation reproduce the content of the notebook. **The easiest solution as a user is to use this notebook to create a client** and avoid human error while executing curl request manually.
25		-
26		-[[https:~~/~~/lab.ebrains.eu/user/user-redirect/lab/tree/shared/Collaboratory%20Community%20Apps/Managing%20an%20OpenID%20Connect%20client.ipynb>>https://lab.ebrains.eu/user/user-redirect/lab/tree/shared/Collaboratory%20Community%20Apps/Managing%20an%20OpenID%20Connect%20client.ipynb]]
27		-
28		-=== Ask for developer accreditation ===
29		-
30		-To be authorize to create an OIDC client you have to be accredited as developer.
31		-
32		-Please go on this page and "Request to join" the group [[https:~~/~~/wiki.ebrains.eu/bin/view/Identity/#/groups/app-collaboratory-iam~~-~~-service-providers>>https://wiki.ebrains.eu/bin/view/Identity/#/groups/app-collaboratory-iam--service-providers]]
33		-
34		-We will quickly process your request and you will be able to create an OIDC client
35		-
36	36	=== Fetching your developer access token ===
37	37
38	38	Getting your developer token is done in one simple step: authenticate against the developer client with the password grant.
...	...	@@ -41,8 +41,8 @@
41	41
42	42	{{code language="bash"}}
43	43	# Gather username and password from user
44		-read -p 'Enter your username: ' clb_dev_username
45		-read -s -p 'Enter your password: ' clb_dev_pwd
	19	+echo '\nEnter your username' && read clb_dev_username &&
	20	+echo '\nEnter your password' && read -s clb_dev_pwd &&
46	46
47	47	# Fetch the token
48	48	curl -X POST https://iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/token \
...	...	@@ -50,12 +50,12 @@
50	50	-d 'grant_type=password' \
51	51	--data-urlencode "username=${clb_dev_username}" \
52	52	--data-urlencode "password=${clb_dev_pwd}" |
	28	+
	29	+# Prettify the JSON response
	30	+json_pp;
53	53
54		-# and pretty-print the JSON response
55		-json_pp
56		-
57	57	# Erase the credentials from local variables
58		-clb_dev_pwd=''; clb_dev_username=''
	33	+clb_dev_pwd='';clb_dev_username=''
59	59	{{/code}}
60	60
61	61	The response will be similar to:
...	...	@@ -73,7 +73,7 @@
73	73	}
74	74	{{/code}}
75	75
76		-Store a copy of the "access_token" value. You will need if for the next step.
	51	+Copy the "access_token" value, you will need if for the next step.
77	77
78	78	=== Creating the client ===
79	79
...	...	@@ -81,35 +81,34 @@
81	81
82	82	{{code language="bash"}}
83	83	# Set your developer token
84		-clb_dev_token="eyJhbGci..."
	59	+clb_dev_token=...
85	85
86	86	# Send the creation request
87	87	curl -X POST https://iam.ebrains.eu/auth/realms/hbp/clients-registrations/default/ \
88	88	-H "Authorization: Bearer ${clb_dev_token}" \
89	89	-H 'Content-Type: application/json' \
90		- -d '{ "clientId": "your_client_id",
91		- "name": "Collaboratory workshop demo client edited",
	65	+ -d '{
	66	+ "clientId": "my-awesome-client",
	67	+ "name": "My Awesome App",
92	92	"description": "This describes what my app is for end users",
93		- "rootUrl": "https://example.org",
94		- "baseUrl": "https://example.org",
	69	+ "rootUrl": "https://root.url.of.my.app",
	70	+ "baseUrl": "/relative/path/to/its/frontpage.html",
95	95	"redirectUris": [
96		- "/login/*",
97		- "https://example.org/login/*"
	72	+ "/relative/redirect/path",
	73	+ "/these/can/use/wildcards/*"
98	98	],
99		- "webOrigins":["http://localhost:8080","https://example.org","+"],
100		- "bearerOnly": False,
101		- "consentRequired": True,
102		- "standardFlowEnabled": True,
103		- "implicitFlowEnabled": False,
104		- "directAccessGrantsEnabled": False,
	75	+ "webOrigins": ["+"],
	76	+ "bearerOnly": false,
	77	+ "consentRequired": true,
	78	+ "standardFlowEnabled": true,
	79	+ "implicitFlowEnabled": true,
	80	+ "directAccessGrantsEnabled": false,
105	105	"attributes": {
106	106	"contacts": "first.contact@example.com; second.contact@example.com"
107		- },
108		- "defaultClientScopes": ["openid","profile","email","roles"],
109		- "optionalClientScopes": ["team","group"]
	83	+ }
110	110	}' |
111	111
112		-# Pretty print the JSON response
	86	+# Prettify the JSON response
113	113	json_pp;
114	114	{{/code}}
115	115
...	...	@@ -161,7 +161,7 @@
161	161
162	162	Among all the attributes, you should securely save:
163	163
164		-* your client **secret** ("secret" attribute): it is needed by your application to **authenticate to the IAM server** when making back-end calls
	138	+* your client **secret** ("secret" attribute): it is needed by your application to **authenticate to the IAM server** when making backend calls
165	165	* your client **registration access token** ("registrationAccessToken"): you will need it to authenticate when **modifying your client in the future**
166	166
167	167	=== Modifying your client ===
...	...	@@ -170,15 +170,14 @@
170	170
171	171	{{code language="bash"}}
172	172	# Set your registration token and client id
173		-clb_reg_token="eyJhbGciOi..."
174		-clb_client_id="my-awesome-client"
	147	+clb_reg_token=...
175	175
176		-# Update the client. Note that the client ID appears both in the endpoint URL and in the body of the request.
177		-curl -X PUT https://iam.ebrains.eu/auth/realms/hbp/clients-registrations/default/${clb_client_id} \
	149	+# Update the client
	150	+curl -X PUT https://iam.ebrains.eu/auth/realms/hbp/clients-registrations/default/my-awesome-client \
178	178	-H "Authorization: Bearer ${clb_reg_token}" \
179	179	-H 'Content-Type: application/json' \
180	180	-d '{
181		- "clientId": "'${clb_client_id}'",
	154	+ "clientId": "my-awesome-client",
182	182	"redirectUris": [
183	183	"/relative/redirect/path",
184	184	"/these/can/use/wildcards/*",
...	...	@@ -186,13 +186,15 @@
186	186	]
187	187	}' |
188	188
189		-# Pretty print the JSON response
190		-json_pp
191		-
	162	+# Prettify the JSON response
	163	+json_pp;
192	192	{{/code}}
193	193
194	194	Note that your need to provide your client id both in the endpoint URL and within the body of the request.
195	195
196	196	{{warning}}
197		-**⚠  Each time you modify your client, a new registration access token is generated. You need to keep track of your latest token to keep access to your client.  ⚠**
	169	+/!\ ** Each time you modify your client, a new registration access token will be generated. You need to keep track of your token changes to keep access to your client.   **/!\
198	198	{{/warning}}
	171	+
	172	+(% class="wikigeneratedid" id="HH4Won27tAppearinToC" %)
	173	+