Last modified by messines on 2022/05/25 10:11
From version 10.1
edited by messines
on 2021/11/15 14:39
Change comment: There is no comment for this version
To version 2.1
edited by mmorgan
on 2020/07/16 01:43
Change comment: There is no comment for this version

Summary

Details

Page properties
Title
... ... @@ -1,1 +1,1 @@
1 -1. Registering an OIDC client
1 +Registering an OIDC client
Author
... ... @@ -1,1 +1,1 @@
1 -XWiki.messines
1 +XWiki.mmorgan
Content
... ... @@ -1,38 +13,13 @@
1 -== Must read before starting ==
2 -
3 -It's very important to choose the right type of clients and to understand the various OAuth flows.
4 -
5 -A very good documentation is this one :
6 -
7 -[[https:~~/~~/auth0.com/docs/authorization/which-oauth-2-0-flow-should-i-use>>url:https://auth0.com/docs/authorization/which-oauth-2-0-flow-should-i-use]]
8 -
9 -and another one
10 -
11 -[[https:~~/~~/dzone.com/articles/the-right-flow-for-the-job-which-oauth-20-flow-sho>>url:https://dzone.com/articles/the-right-flow-for-the-job-which-oauth-20-flow-sho]]
12 -
13 13  == Creating your OpenID Connect client ==
14 14  
15 15  The steps to create an OpenID Connect (OIDC) client are the following:
16 16  
17 -1. Ask the developer accreditation to be authorize to create client
18 18  1. get an access token from the `developer` client
19 19  1. save your registration access token for further modifications of your client
20 20  1. use the token to call the create endpoint
21 21  
22 -==== Easiest way to create a client ====
9 +Note that a Jupyter Notebook notebook is available in the Drive of this collab to help you create and modify your OIDC client. Its name is: **//Managing an OpenID Connect client.ipynb//** [add link]
23 23  
24 -**A live exemple of client ID creation is available here on our lab**, you can perfectly use this notebook to create your client, the next steps in this documentation reproduce the content of the notebook. **The easiest solution as a user is to use this notebook to create a client** and avoid human error while executing curl request manually.
25 -
26 -[[https:~~/~~/lab.ebrains.eu/user/user-redirect/lab/tree/shared/Collaboratory%20Community%20Apps/Managing%20an%20OpenID%20Connect%20client.ipynb>>https://lab.ebrains.eu/user/user-redirect/lab/tree/shared/Collaboratory%20Community%20Apps/Managing%20an%20OpenID%20Connect%20client.ipynb]]
27 -
28 -=== Ask for developer accreditation ===
29 -
30 -To be authorize to create an OIDC client you have to be accredited as developer.
31 -
32 -Please go on this page and "Request to join" the group [[https:~~/~~/wiki.ebrains.eu/bin/view/Identity/#/groups/app-collaboratory-iam~~-~~-service-providers>>https://wiki.ebrains.eu/bin/view/Identity/#/groups/app-collaboratory-iam--service-providers]]
33 -
34 -We will quickly process your request and you will be able to create an OIDC client
35 -
36 36  === Fetching your developer access token ===
37 37  
38 38  Getting your developer token is done in one simple step: authenticate against the developer client with the password grant.
... ... @@ -81,32 +81,31 @@
81 81  
82 82  {{code language="bash"}}
83 83  # Set your developer token
84 -clb_dev_token="eyJhbGci..."
59 +clb_dev_token=...
85 85  
86 86  # Send the creation request
87 87  curl -X POST https://iam.ebrains.eu/auth/realms/hbp/clients-registrations/default/ \
88 88   -H "Authorization: Bearer ${clb_dev_token}" \
89 89   -H 'Content-Type: application/json' \
90 - -d '{ "clientId": "your_client_id",
91 - "name": "Collaboratory workshop demo client edited",
65 + -d '{
66 + "clientId": "my-awesome-client",
67 + "name": "My Awesome App",
92 92   "description": "This describes what my app is for end users",
93 - "rootUrl": "https://example.org",
94 - "baseUrl": "https://example.org",
69 + "rootUrl": "https://root.url.of.my.app",
70 + "baseUrl": "/relative/path/to/its/frontpage.html",
95 95   "redirectUris": [
96 - "/login/*",
97 - "https://example.org/login/*"
72 + "/relative/redirect/path",
73 + "/these/can/use/wildcards/*"
98 98   ],
99 - "webOrigins":["http://localhost:8080","https://example.org","+"],
100 - "bearerOnly": False,
101 - "consentRequired": True,
102 - "standardFlowEnabled": True,
103 - "implicitFlowEnabled": False,
104 - "directAccessGrantsEnabled": False,
75 + "webOrigins": ["+"],
76 + "bearerOnly": false,
77 + "consentRequired": true,
78 + "standardFlowEnabled": true,
79 + "implicitFlowEnabled": true,
80 + "directAccessGrantsEnabled": false,
105 105   "attributes": {
106 106   "contacts": "first.contact@example.com; second.contact@example.com"
107 - },
108 - "defaultClientScopes": ["openid","profile","email","roles"],
109 - "optionalClientScopes": ["team","group"]
83 + }
110 110   }' |
111 111  
112 112  # Pretty print the JSON response
... ... @@ -196,3 +196,5 @@
196 196  {{warning}}
197 197  **⚠  Each time you modify your client, a new registration access token is generated. You need to keep track of your latest token to keep access to your client.  ⚠**
198 198  {{/warning}}
173 +
174 +
Table of content