Attention: Jupyter services at CINECA will be unavailable tomorrow, Thursday 16th October, for up to 1 hour for maintenance. You can still select Jupyter in JSC for your workloads. Thank you for your understanding


Wiki source code of Registering an OIDC client

Version 1.1 by villemai on 2020/05/04 16:15
Show last authors
1 == Creating your OpenID Connect client ==
2
3 The steps to create an OpenID Connect client are the following:
4
5 1. get an access token from the `developer` client
6 1. use the token to call the create endpoint
7 1. save your registration access token for further modifications of your client
8
9 Note that a [[notebook>>url:https://lab.ebrains.eu/user-redirect/lab/tree/drive/Shared%20with%20all/Collaboratory%20Community%20Apps/Managing%20an%20OpenID%20Connect%20client.ipynb]] is available to help you create and modify your OIDC client.
10
11 === Fetching your developer access token ===
12
13 Getting your developer token is done in one simple step: authenticate against the developer client with the password grant.
14
15 This can be achieved with this sample shell script:
16
17 {{code language="bash"}}
18 # Gather username and password from user
19 echo '\nEnter your username' && read clb_dev_username &&
20 echo '\nEnter your password' && read -s clb_dev_pwd &&
21
22 # Fetch the token
23 curl -X POST https://iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/token \
24 -u developer: \
25 -d 'grant_type=password' \
26 --data-urlencode "username=${clb_dev_username}" \
27 --data-urlencode "password=${clb_dev_pwd}" |
28
29 # Prettify the JSON response
30 json_pp;
31
32 # Erase the credentials from local variables
33 clb_dev_pwd='';clb_dev_username=''
34 {{/code}}
35
36 The response will be similar to:
37
38 {{code language="json"}}
39 {
40 "access_token": "eyJhbGci...",
41 "expires_in": 108000,
42 "refresh_expires_in": 14400,
43 "refresh_token": "eyJhbGci...",
44 "token_type": "bearer",
45 "not-before-policy": 1563261088,
46 "session_state": "0ac3dfcd-aa5e-42eb-b333-2f73496b81f8",
47 "scope": ""
48 }
49 {{/code}}
50
51 Copy the "access_token" value, you will need if for the next step.
52
53 === Creating the client ===
54
55 You can now create clients by sending a JSON representation to a specific endpoint:
56
57 {{code language="bash"}}
58 # Set your developer token
59 clb_dev_token=...
60
61 # Send the creation request
62 curl -X POST https://iam.ebrains.eu/auth/realms/hbp/clients-registrations/default/ \
63 -H "Authorization: Bearer ${clb_dev_token}" \
64 -H 'Content-Type: application/json' \
65 -d '{
66 "clientId": "my-awesome-client",
67 "name": "My Awesome App",
68 "description": "This describes what my app is for end users",
69 "rootUrl": "https://root.url.of.my.app",
70 "baseUrl": "/relative/path/to/its/frontpage.html",
71 "redirectUris": [
72 "/relative/redirect/path",
73 "/these/can/use/wildcards/*"
74 ],
75 "webOrigins": ["+"],
76 "bearerOnly": false,
77 "consentRequired": true,
78 "standardFlowEnabled": true,
79 "implicitFlowEnabled": true,
80 "directAccessGrantsEnabled": false,
81 "attributes": {
82 "contacts": "first.contact@example.com; second.contact@example.com"
83 }
84 }' |
85
86 # Prettify the JSON response
87 json_pp;
88 {{/code}}
89
90 In case of success, the endpoint will return its representation of your client:
91
92 {{code language="json"}}
93 {
94 "defaultClientScopes" : [
95 "web-origins",
96 "roles"
97 ],
98 "redirectUris" : [
99 "/relative/redirect/path",
100 "/these/can/use/wildcards/*"
101 ],
102 "nodeReRegistrationTimeout" : -1,
103 "rootUrl" : "https://root.url.of.my.app",
104 "webOrigins" : [
105 "+"
106 ],
107 "authenticationFlowBindingOverrides" : {},
108 "baseUrl" : "/relative/path/to/its/frontpage.html",
109 "description" : "This describes what my app is for end users",
110 "notBefore" : 0,
111 "frontchannelLogout" : false,
112 "enabled" : true,
113 "registrationAccessToken" : "eyJhbGciOi...",
114 "consentRequired" : true,
115 "fullScopeAllowed" : false,
116 "clientAuthenticatorType" : "client-secret",
117 "surrogateAuthRequired" : false,
118 "directAccessGrantsEnabled" : false,
119 "standardFlowEnabled" : true,
120 "id" : "551b49a0-ec69-41af-9461-6c10fbc79a35",
121 "attributes" : {
122 "contacts" : "first.contact@example.com; second.contact@example.com"
123 },
124 "name" : "My Awesome App",
125 "secret" : "your-client-secret",
126 "publicClient" : false,
127 "clientId" : "my-awesome-client",
128 "optionalClientScopes" : [],
129 "implicitFlowEnabled" : true,
130 "protocol" : "openid-connect",
131 "bearerOnly" : false,
132 "serviceAccountsEnabled" : false
133 }
134 {{/code}}
135
136 Among all the attributes, you should securely save:
137
138 * your client **secret** ("secret" attribute): it is needed by your application to **authenticate to the IAM server** when making backend calls
139 * your client **registration access token** ("registrationAccessToken"): you will need it to authenticate when **modifying your client in the future**
140
141 === Modifying your client ===
142
143 Update your client with a PUT request:
144
145 {{code language="bash"}}
146 # Set your registration token and client id
147 clb_reg_token=...
148
149 # Update the client
150 curl -X PUT https://iam.ebrains.eu/auth/realms/hbp/clients-registrations/default/my-awesome-client \
151 -H "Authorization: Bearer ${clb_reg_token}" \
152 -H 'Content-Type: application/json' \
153 -d '{
154 "clientId": "my-awesome-client",
155 "redirectUris": [
156 "/relative/redirect/path",
157 "/these/can/use/wildcards/*",
158 "/a/new/redirect/uri"
159 ]
160 }' |
161
162 # Prettify the JSON response
163 json_pp;
164 {{/code}}
165
166 Note that your need to provide your client id both in the endpoint URL and within the body of the request.
167
168 {{warning}}
169 /!\ ** Each time you modify your client, a new registration access token will be generated. You need to keep track of your token changes to keep access to your client.   **/!\
170 {{/warning}}
171
172 (% class="wikigeneratedid" id="HH4Won27tAppearinToC" %)
173
Table of content