Summary

• Page properties (3 modified, 0 added, 0 removed)

Details

Page properties

Title

...	...	@@ -1,1 +1,1 @@
1		-1. Registering an OIDC client
	1	+Registering an OIDC client

Author

...	...	@@ -1,1 +1,1 @@
1		-XWiki.messines
	1	+XWiki.villemai

Content

...	...	@@ -1,38 +13,13 @@
1		-== Must read before starting ==
2		-
3		-It's very important to choose the right type of clients and to understand the various OAuth flows.
4		-
5		-A very good documentation is this one :
6		-
7		-[[https:~~/~~/auth0.com/docs/authorization/which-oauth-2-0-flow-should-i-use>>url:https://auth0.com/docs/authorization/which-oauth-2-0-flow-should-i-use]]
8		-
9		-and another one
10		-
11		-[[https:~~/~~/dzone.com/articles/the-right-flow-for-the-job-which-oauth-20-flow-sho>>url:https://dzone.com/articles/the-right-flow-for-the-job-which-oauth-20-flow-sho]]
12		-
13	13	== Creating your OpenID Connect client ==
14	14
15		-The steps to create an OpenID Connect (OIDC) client are the following:
	3	+The steps to create an OpenID Connect client are the following:
16	16
17		-1. Ask the developer accreditation to be authorize to create client
18	18	1. get an access token from the `developer` client
19		-1. save your registration access token for further modifications of your client
20	20	1. use the token to call the create endpoint
	7	+1. save your registration access token for further modifications of your client
21	21
22		-==== Easiest way to create a client ====
	9	+Note that a [[notebook>>url:https://lab.ebrains.eu/user-redirect/lab/tree/drive/Shared%20with%20all/Collaboratory%20Community%20Apps/Managing%20an%20OpenID%20Connect%20client.ipynb]] is available to help you create and modify your OIDC client.
23	23
24		-A live exemple of client ID creation is available here on our lab, you can perfectly use this notebook to create your client, the next steps in this documentation reproduce the content of the notebook. The easiest solution as a user is to use this notebook to create a client and avoid human error while executing curl request manually.
25		-
26		-[[https:~~/~~/lab.ebrains.eu/user/user-redirect/lab/tree/shared/Collaboratory%20Community%20Apps/Managing%20an%20OpenID%20Connect%20client.ipynb>>https://lab.ebrains.eu/user/user-redirect/lab/tree/shared/Collaboratory%20Community%20Apps/Managing%20an%20OpenID%20Connect%20client.ipynb]]
27		-
28		-=== Ask for developer accreditation ===
29		-
30		-To be authorize to create an OIDC client you have to be accredited as developer.
31		-
32		-Please go on this page and "Request to join" the group [[https:~~/~~/wiki.ebrains.eu/bin/view/Identity/#/groups/app-collaboratory-iam~~-~~-service-providers>>https://wiki.ebrains.eu/bin/view/Identity/#/groups/app-collaboratory-iam--service-providers]]
33		-
34		-We will quickly process your request and you will be able to create an OIDC client
35		-
36	36	=== Fetching your developer access token ===
37	37
38	38	Getting your developer token is done in one simple step: authenticate against the developer client with the password grant.
...	...	@@ -41,8 +41,8 @@
41	41
42	42	{{code language="bash"}}
43	43	# Gather username and password from user
44		-read -p 'Enter your username: ' clb_dev_username
45		-read -s -p 'Enter your password: ' clb_dev_pwd
	19	+echo '\nEnter your username' && read clb_dev_username &&
	20	+echo '\nEnter your password' && read -s clb_dev_pwd &&
46	46
47	47	# Fetch the token
48	48	curl -X POST https://iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/token \
...	...	@@ -50,12 +50,12 @@
50	50	-d 'grant_type=password' \
51	51	--data-urlencode "username=${clb_dev_username}" \
52	52	--data-urlencode "password=${clb_dev_pwd}" |
	28	+
	29	+# Prettify the JSON response
	30	+json_pp;
53	53
54		-# and pretty-print the JSON response
55		-json_pp
56		-
57	57	# Erase the credentials from local variables
58		-clb_dev_pwd=''; clb_dev_username=''
	33	+clb_dev_pwd='';clb_dev_username=''
59	59	{{/code}}
60	60
61	61	The response will be similar to:
...	...	@@ -73,7 +73,7 @@
73	73	}
74	74	{{/code}}
75	75
76		-Store a copy of the "access_token" value. You will need if for the next step.
	51	+Copy the "access_token" value, you will need if for the next step.
77	77
78	78	=== Creating the client ===
79	79
...	...	@@ -81,35 +81,34 @@
81	81
82	82	{{code language="bash"}}
83	83	# Set your developer token
84		-clb_dev_token="eyJhbGci..."
	59	+clb_dev_token=...
85	85
86	86	# Send the creation request
87	87	curl -X POST https://iam.ebrains.eu/auth/realms/hbp/clients-registrations/default/ \
88	88	-H "Authorization: Bearer ${clb_dev_token}" \
89	89	-H 'Content-Type: application/json' \
90		- -d '{ "clientId": "your_client_id",
91		- "name": "Collaboratory workshop demo client edited",
	65	+ -d '{
	66	+ "clientId": "my-awesome-client",
	67	+ "name": "My Awesome App",
92	92	"description": "This describes what my app is for end users",
93		- "rootUrl": "https://example.org",
94		- "baseUrl": "https://example.org",
	69	+ "rootUrl": "https://root.url.of.my.app",
	70	+ "baseUrl": "/relative/path/to/its/frontpage.html",
95	95	"redirectUris": [
96		- "/login/*",
97		- "https://example.org/login/*"
	72	+ "/relative/redirect/path",
	73	+ "/these/can/use/wildcards/*"
98	98	],
99		- "webOrigins":["http://localhost:8080","https://example.org","+"],
100		- "bearerOnly": False,
101		- "consentRequired": True,
102		- "standardFlowEnabled": True,
103		- "implicitFlowEnabled": False,
104		- "directAccessGrantsEnabled": False,
	75	+ "webOrigins": ["+"],
	76	+ "bearerOnly": false,
	77	+ "consentRequired": true,
	78	+ "standardFlowEnabled": true,
	79	+ "implicitFlowEnabled": true,
	80	+ "directAccessGrantsEnabled": false,
105	105	"attributes": {
106	106	"contacts": "first.contact@example.com; second.contact@example.com"
107		- },
108		- "defaultClientScopes": ["openid","profile","email","roles"],
109		- "optionalClientScopes": ["team","group"]
	83	+ }
110	110	}' |
111	111
112		-# Pretty print the JSON response
	86	+# Prettify the JSON response
113	113	json_pp;
114	114	{{/code}}
115	115
...	...	@@ -161,7 +161,7 @@
161	161
162	162	Among all the attributes, you should securely save:
163	163
164		-* your client **secret** ("secret" attribute): it is needed by your application to **authenticate to the IAM server** when making back-end calls
	138	+* your client **secret** ("secret" attribute): it is needed by your application to **authenticate to the IAM server** when making backend calls
165	165	* your client **registration access token** ("registrationAccessToken"): you will need it to authenticate when **modifying your client in the future**
166	166
167	167	=== Modifying your client ===
...	...	@@ -170,15 +170,14 @@
170	170
171	171	{{code language="bash"}}
172	172	# Set your registration token and client id
173		-clb_reg_token="eyJhbGciOi..."
174		-clb_client_id="my-awesome-client"
	147	+clb_reg_token=...
175	175
176		-# Update the client. Note that the client ID appears both in the endpoint URL and in the body of the request.
177		-curl -X PUT https://iam.ebrains.eu/auth/realms/hbp/clients-registrations/default/${clb_client_id} \
	149	+# Update the client
	150	+curl -X PUT https://iam.ebrains.eu/auth/realms/hbp/clients-registrations/default/my-awesome-client \
178	178	-H "Authorization: Bearer ${clb_reg_token}" \
179	179	-H 'Content-Type: application/json' \
180	180	-d '{
181		- "clientId": "'${clb_client_id}'",
	154	+ "clientId": "my-awesome-client",
182	182	"redirectUris": [
183	183	"/relative/redirect/path",
184	184	"/these/can/use/wildcards/*",
...	...	@@ -186,13 +186,15 @@
186	186	]
187	187	}' |
188	188
189		-# Pretty print the JSON response
190		-json_pp
191		-
	162	+# Prettify the JSON response
	163	+json_pp;
192	192	{{/code}}
193	193
194	194	Note that your need to provide your client id both in the endpoint URL and within the body of the request.
195	195
196	196	{{warning}}
197		-**⚠  Each time you modify your client, a new registration access token is generated. You need to keep track of your latest token to keep access to your client.  ⚠**
	169	+/!\ ** Each time you modify your client, a new registration access token will be generated. You need to keep track of your token changes to keep access to your client.   **/!\
198	198	{{/warning}}
	171	+
	172	+(% class="wikigeneratedid" id="HH4Won27tAppearinToC" %)
	173	+