Wiki source code of 1. Registering an OIDC client
Hide last authors
| author | version | line-number | content |
|---|---|---|---|
 |
4.1 | 1 | == Must read before starting == |
| 2 | |||
| 3 | It's very important to choose the right type of clients and to understand the various OAuth flows. | ||
| 4 | |||
| 5 | A very good documentation is this one : | ||
| 6 | |||
| 7 | [[https:~~/~~/auth0.com/docs/authorization/which-oauth-2-0-flow-should-i-use>>url:https://auth0.com/docs/authorization/which-oauth-2-0-flow-should-i-use]] | ||
| 8 | |||
| 9 | and another one | ||
| 10 | |||
| 11 | [[https:~~/~~/dzone.com/articles/the-right-flow-for-the-job-which-oauth-20-flow-sho>>url:https://dzone.com/articles/the-right-flow-for-the-job-which-oauth-20-flow-sho]] | ||
| 12 | |||
| |
1.1 | 13 | == Creating your OpenID Connect client == |
| 14 | |||
| |
2.1 | 15 | The steps to create an OpenID Connect (OIDC) client are the following: |
| |
1.1 | 16 | |
| |
5.1 | 17 | 1. Ask the developer accreditation to be authorize to create client |
| |
1.1 | 18 | 1. get an access token from the `developer` client |
| |
2.1 | 19 | 1. save your registration access token for further modifications of your client |
| |
1.1 | 20 | 1. use the token to call the create endpoint |
| 21 | |||
| |
9.1 | 22 | ==== Easiest way to create a client ==== |
| |
1.1 | 23 | |
| |
10.1 | 24 | **A live exemple of client ID creation is available here on our lab**, you can perfectly use this notebook to create your client, the next steps in this documentation reproduce the content of the notebook. **The easiest solution as a user is to use this notebook to create a client** and avoid human error while executing curl request manually. |
| |
9.1 | 25 | |
| 26 | [[https:~~/~~/lab.ebrains.eu/user/user-redirect/lab/tree/shared/Collaboratory%20Community%20Apps/Managing%20an%20OpenID%20Connect%20client.ipynb>>https://lab.ebrains.eu/user/user-redirect/lab/tree/shared/Collaboratory%20Community%20Apps/Managing%20an%20OpenID%20Connect%20client.ipynb]] | ||
| 27 | |||
| |
5.1 | 28 | === Ask for developer accreditation === |
| 29 | |||
| 30 | To be authorize to create an OIDC client you have to be accredited as developer. | ||
| 31 | |||
| 32 | Please go on this page and "Request to join" the group [[https:~~/~~/wiki.ebrains.eu/bin/view/Identity/#/groups/app-collaboratory-iam~~-~~-service-providers>>https://wiki.ebrains.eu/bin/view/Identity/#/groups/app-collaboratory-iam--service-providers]] | ||
| 33 | |||
| 34 | We will quickly process your request and you will be able to create an OIDC client | ||
| 35 | |||
| |
1.1 | 36 | === Fetching your developer access token === |
| 37 | |||
| 38 | Getting your developer token is done in one simple step: authenticate against the developer client with the password grant. | ||
| 39 | |||
| 40 | This can be achieved with this sample shell script: | ||
| 41 | |||
| 42 | {{code language="bash"}} | ||
| 43 | # Gather username and password from user | ||
| |
2.1 | 44 | read -p 'Enter your username: ' clb_dev_username |
| 45 | read -s -p 'Enter your password: ' clb_dev_pwd | ||
| |
1.1 | 46 | |
| 47 | # Fetch the token | ||
| 48 | curl -X POST https://iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/token \ | ||
| 49 | -u developer: \ | ||
| 50 | -d 'grant_type=password' \ | ||
| 51 | --data-urlencode "username=${clb_dev_username}" \ | ||
| 52 | --data-urlencode "password=${clb_dev_pwd}" | | ||
| 53 | |||
| |
2.1 | 54 | # and pretty-print the JSON response |
| 55 | json_pp | ||
| 56 | |||
| |
1.1 | 57 | # Erase the credentials from local variables |
| |
2.1 | 58 | clb_dev_pwd=''; clb_dev_username='' |
| |
1.1 | 59 | {{/code}} |
| 60 | |||
| 61 | The response will be similar to: | ||
| 62 | |||
| 63 | {{code language="json"}} | ||
| 64 | { | ||
| 65 | "access_token": "eyJhbGci...", | ||
| 66 | "expires_in": 108000, | ||
| 67 | "refresh_expires_in": 14400, | ||
| 68 | "refresh_token": "eyJhbGci...", | ||
| 69 | "token_type": "bearer", | ||
| 70 | "not-before-policy": 1563261088, | ||
| 71 | "session_state": "0ac3dfcd-aa5e-42eb-b333-2f73496b81f8", | ||
| 72 | "scope": "" | ||
| 73 | } | ||
| 74 | {{/code}} | ||
| 75 | |||
| |
2.1 | 76 | Store a copy of the "access_token" value. You will need if for the next step. |
| |
1.1 | 77 | |
| 78 | === Creating the client === | ||
| 79 | |||
| 80 | You can now create clients by sending a JSON representation to a specific endpoint: | ||
| 81 | |||
| 82 | {{code language="bash"}} | ||
| 83 | # Set your developer token | ||
| |
3.1 | 84 | clb_dev_token="eyJhbGci..." |
| |
1.1 | 85 | |
| 86 | # Send the creation request | ||
| 87 | curl -X POST https://iam.ebrains.eu/auth/realms/hbp/clients-registrations/default/ \ | ||
| 88 | -H "Authorization: Bearer ${clb_dev_token}" \ | ||
| 89 | -H 'Content-Type: application/json' \ | ||
| |
8.1 | 90 | -d '{ "clientId": "your_client_id", |
| 91 | "name": "Collaboratory workshop demo client edited", | ||
| |
1.1 | 92 | "description": "This describes what my app is for end users", |
| |
8.1 | 93 | "rootUrl": "https://example.org", |
| 94 | "baseUrl": "https://example.org", | ||
| |
1.1 | 95 | "redirectUris": [ |
| |
8.1 | 96 | "/login/*", |
| 97 | "https://example.org/login/*" | ||
| |
1.1 | 98 | ], |
| |
8.1 | 99 | "webOrigins":["http://localhost:8080","https://example.org","+"], |
| 100 | "bearerOnly": False, | ||
| 101 | "consentRequired": True, | ||
| 102 | "standardFlowEnabled": True, | ||
| 103 | "implicitFlowEnabled": False, | ||
| 104 | "directAccessGrantsEnabled": False, | ||
| |
1.1 | 105 | "attributes": { |
| 106 | "contacts": "first.contact@example.com; second.contact@example.com" | ||
| |
8.1 | 107 | }, |
| 108 | "defaultClientScopes": ["openid","profile","email","roles"], | ||
| 109 | "optionalClientScopes": ["team","group"] | ||
| |
1.1 | 110 | }' | |
| 111 | |||
| |
2.1 | 112 | # Pretty print the JSON response |
| |
1.1 | 113 | json_pp; |
| 114 | {{/code}} | ||
| 115 | |||
| 116 | In case of success, the endpoint will return its representation of your client: | ||
| 117 | |||
| 118 | {{code language="json"}} | ||
| 119 | { | ||
| 120 | "defaultClientScopes" : [ | ||
| 121 | "web-origins", | ||
| 122 | "roles" | ||
| 123 | ], | ||
| 124 | "redirectUris" : [ | ||
| 125 | "/relative/redirect/path", | ||
| 126 | "/these/can/use/wildcards/*" | ||
| 127 | ], | ||
| 128 | "nodeReRegistrationTimeout" : -1, | ||
| 129 | "rootUrl" : "https://root.url.of.my.app", | ||
| 130 | "webOrigins" : [ | ||
| 131 | "+" | ||
| 132 | ], | ||
| 133 | "authenticationFlowBindingOverrides" : {}, | ||
| 134 | "baseUrl" : "/relative/path/to/its/frontpage.html", | ||
| 135 | "description" : "This describes what my app is for end users", | ||
| 136 | "notBefore" : 0, | ||
| 137 | "frontchannelLogout" : false, | ||
| 138 | "enabled" : true, | ||
| 139 | "registrationAccessToken" : "eyJhbGciOi...", | ||
| 140 | "consentRequired" : true, | ||
| 141 | "fullScopeAllowed" : false, | ||
| 142 | "clientAuthenticatorType" : "client-secret", | ||
| 143 | "surrogateAuthRequired" : false, | ||
| 144 | "directAccessGrantsEnabled" : false, | ||
| 145 | "standardFlowEnabled" : true, | ||
| 146 | "id" : "551b49a0-ec69-41af-9461-6c10fbc79a35", | ||
| 147 | "attributes" : { | ||
| 148 | "contacts" : "first.contact@example.com; second.contact@example.com" | ||
| 149 | }, | ||
| 150 | "name" : "My Awesome App", | ||
| 151 | "secret" : "your-client-secret", | ||
| 152 | "publicClient" : false, | ||
| 153 | "clientId" : "my-awesome-client", | ||
| 154 | "optionalClientScopes" : [], | ||
| 155 | "implicitFlowEnabled" : true, | ||
| 156 | "protocol" : "openid-connect", | ||
| 157 | "bearerOnly" : false, | ||
| 158 | "serviceAccountsEnabled" : false | ||
| 159 | } | ||
| 160 | {{/code}} | ||
| 161 | |||
| 162 | Among all the attributes, you should securely save: | ||
| 163 | |||
| |
2.1 | 164 | * your client **secret** ("secret" attribute): it is needed by your application to **authenticate to the IAM server** when making back-end calls |
| |
1.1 | 165 | * your client **registration access token** ("registrationAccessToken"): you will need it to authenticate when **modifying your client in the future** |
| 166 | |||
| 167 | === Modifying your client === | ||
| 168 | |||
| 169 | Update your client with a PUT request: | ||
| 170 | |||
| 171 | {{code language="bash"}} | ||
| 172 | # Set your registration token and client id | ||
| |
2.1 | 173 | clb_reg_token="eyJhbGciOi..." |
| 174 | clb_client_id="my-awesome-client" | ||
| |
1.1 | 175 | |
| |
2.1 | 176 | # Update the client. Note that the client ID appears both in the endpoint URL and in the body of the request. |
| 177 | curl -X PUT https://iam.ebrains.eu/auth/realms/hbp/clients-registrations/default/${clb_client_id} \ | ||
| |
1.1 | 178 | -H "Authorization: Bearer ${clb_reg_token}" \ |
| 179 | -H 'Content-Type: application/json' \ | ||
| 180 | -d '{ | ||
| |
2.1 | 181 | "clientId": "'${clb_client_id}'", |
| |
1.1 | 182 | "redirectUris": [ |
| 183 | "/relative/redirect/path", | ||
| 184 | "/these/can/use/wildcards/*", | ||
| 185 | "/a/new/redirect/uri" | ||
| 186 | ] | ||
| 187 | }' | | ||
| 188 | |||
| |
2.1 | 189 | # Pretty print the JSON response |
| 190 | json_pp | ||
| 191 | |||
| |
1.1 | 192 | {{/code}} |
| 193 | |||
| 194 | Note that your need to provide your client id both in the endpoint URL and within the body of the request. | ||
| 195 | |||
| 196 | {{warning}} | ||
| |
2.1 | 197 | **⚠ Each time you modify your client, a new registration access token is generated. You need to keep track of your latest token to keep access to your client. ⚠** |
| |
1.1 | 198 | {{/warning}} |