Last modified by bougault on 2022/03/02 11:58
From version 27.1
edited by villemai
on 2020/05/04 16:16
Change comment: There is no comment for this version
To version 24.1
edited by allan
on 2020/03/04 10:49
Change comment: There is no comment for this version

Summary

Details

Page properties
Author
... ... @@ -1,1 +1,1 @@
1 -XWiki.villemai
1 +XWiki.allan
Content
... ... @@ -6,7 +6,7 @@
6 6  
7 7  The first step is for you to **get the developer accreditation**. Contributors can register and manage applications within the Community Apps Catalogue.
8 8  
9 -Send an email to [[support@ebrains.eu>>mailto:support@ebrains.eu]] with a short summary of your intentions.
9 +Send an email to [[support@humanbrainproject.eu>>mailto:support@humanbrainproject.eu]] with a short summary of your intentions.
10 10  
11 11  The support team will apply the permissions to your user: your account will be [[upgraded with developers privileges>>doc:Collabs.collab-devs.collaboratory-v2.keycloak.user administration.WebHome]] the next time you will login.
12 12  
... ... @@ -74,7 +74,7 @@
74 74   setting2: 'setting 2 value',
75 75   // ...
76 76   // reload: false // avoid page reload on settings change
77 - }}, 'https://wiki.ebrains.eu');
77 + }}, 'https://wiki.humanbrainproject.eu');
78 78  {{/code}}
79 79  
80 80  === Fetching settings ===
... ... @@ -83,4 +83,171 @@
83 83  
84 84  == Creating your OpenID Connect client ==
85 85  
86 -See the instructions [[here>>doc:.Registering an OIDC client.WebHome]].
86 +The steps to create an OpenID Connect client are the following:
87 +
88 +1. get an access token from the `developer` client
89 +1. use the token to call the create endpoint
90 +1. save your registration access token for further modifications of your client
91 +
92 +Note that a [[notebook>>https://lab.humanbrainproject.eu/user/allan/lab/tree/drive/Shared%20with%20all/Collaboratory%20Community%20Apps/Managing%20an%20OpenID%20Connect%20client.ipynb||rel="noopener noreferrer" target="_blank"]] is available to help you create and modify your OIDC client.
93 +
94 +=== Fetching your developer access token ===
95 +
96 +Getting your developer token is done in one simple step: authenticate against the developer client with the password grant.
97 +
98 +This can be achieved with this sample shell script:
99 +
100 +{{code language="bash"}}
101 +# Gather username and password from user
102 +echo '\nEnter your username' && read clb_dev_username &&
103 +echo '\nEnter your password' && read -s clb_dev_pwd &&
104 +
105 +# Fetch the token
106 +curl -X POST https://iam.humanbrainproject.eu/auth/realms/hbp/protocol/openid-connect/token \
107 + -u developer: \
108 + -d 'grant_type=password' \
109 + --data-urlencode "username=${clb_dev_username}" \
110 + --data-urlencode "password=${clb_dev_pwd}" |
111 +
112 +# Prettify the JSON response
113 +json_pp;
114 +
115 +# Erase the credentials from local variables
116 +clb_dev_pwd='';clb_dev_username=''
117 +{{/code}}
118 +
119 +The response will be similar to:
120 +
121 +{{code language="json"}}
122 +{
123 + "access_token": "eyJhbGci...",
124 + "expires_in": 108000,
125 + "refresh_expires_in": 14400,
126 + "refresh_token": "eyJhbGci...",
127 + "token_type": "bearer",
128 + "not-before-policy": 1563261088,
129 + "session_state": "0ac3dfcd-aa5e-42eb-b333-2f73496b81f8",
130 + "scope": ""
131 +}
132 +{{/code}}
133 +
134 +Copy the "access_token" value, you will need if for the next step.
135 +
136 +=== Creating the client ===
137 +
138 +You can now create clients by sending a JSON representation to a specific endpoint:
139 +
140 +{{code language="bash"}}
141 +# Set your developer token
142 +clb_dev_token=...
143 +
144 +# Send the creation request
145 +curl -X POST https://iam.humanbrainproject.eu/auth/realms/hbp/clients-registrations/default/ \
146 + -H "Authorization: Bearer ${clb_dev_token}" \
147 + -H 'Content-Type: application/json' \
148 + -d '{
149 + "clientId": "my-awesome-client",
150 + "name": "My Awesome App",
151 + "description": "This describes what my app is for end users",
152 + "rootUrl": "https://root.url.of.my.app",
153 + "baseUrl": "/relative/path/to/its/frontpage.html",
154 + "redirectUris": [
155 + "/relative/redirect/path",
156 + "/these/can/use/wildcards/*"
157 + ],
158 + "webOrigins": ["+"],
159 + "bearerOnly": false,
160 + "consentRequired": true,
161 + "standardFlowEnabled": true,
162 + "implicitFlowEnabled": true,
163 + "directAccessGrantsEnabled": false,
164 + "attributes": {
165 + "contacts": "first.contact@example.com; second.contact@example.com"
166 + }
167 + }' |
168 +
169 +# Prettify the JSON response
170 +json_pp;
171 +{{/code}}
172 +
173 +In case of success, the endpoint will return its representation of your client:
174 +
175 +{{code language="json"}}
176 +{
177 + "defaultClientScopes" : [
178 + "web-origins",
179 + "roles"
180 + ],
181 + "redirectUris" : [
182 + "/relative/redirect/path",
183 + "/these/can/use/wildcards/*"
184 + ],
185 + "nodeReRegistrationTimeout" : -1,
186 + "rootUrl" : "https://root.url.of.my.app",
187 + "webOrigins" : [
188 + "+"
189 + ],
190 + "authenticationFlowBindingOverrides" : {},
191 + "baseUrl" : "/relative/path/to/its/frontpage.html",
192 + "description" : "This describes what my app is for end users",
193 + "notBefore" : 0,
194 + "frontchannelLogout" : false,
195 + "enabled" : true,
196 + "registrationAccessToken" : "eyJhbGciOi...",
197 + "consentRequired" : true,
198 + "fullScopeAllowed" : false,
199 + "clientAuthenticatorType" : "client-secret",
200 + "surrogateAuthRequired" : false,
201 + "directAccessGrantsEnabled" : false,
202 + "standardFlowEnabled" : true,
203 + "id" : "551b49a0-ec69-41af-9461-6c10fbc79a35",
204 + "attributes" : {
205 + "contacts" : "first.contact@example.com; second.contact@example.com"
206 + },
207 + "name" : "My Awesome App",
208 + "secret" : "your-client-secret",
209 + "publicClient" : false,
210 + "clientId" : "my-awesome-client",
211 + "optionalClientScopes" : [],
212 + "implicitFlowEnabled" : true,
213 + "protocol" : "openid-connect",
214 + "bearerOnly" : false,
215 + "serviceAccountsEnabled" : false
216 +}
217 +{{/code}}
218 +
219 +Among all the attributes, you should securely save:
220 +
221 +* your client **secret** ("secret" attribute): it is needed by your application to **authenticate to the IAM server** when making backend calls
222 +* your client **registration access token** ("registrationAccessToken"): you will need it to authenticate when **modifying your client in the future**
223 +
224 +=== Modifying your client ===
225 +
226 +Update your client with a PUT request:
227 +
228 +{{code language="bash"}}
229 +# Set your registration token and client id
230 +clb_reg_token=...
231 +
232 +# Update the client
233 +curl -X PUT https://iam.humanbrainproject.eu/auth/realms/hbp/clients-registrations/default/my-awesome-client \
234 + -H "Authorization: Bearer ${clb_reg_token}" \
235 + -H 'Content-Type: application/json' \
236 + -d '{
237 + "clientId": "my-awesome-client",
238 + "redirectUris": [
239 + "/relative/redirect/path",
240 + "/these/can/use/wildcards/*",
241 + "/a/new/redirect/uri"
242 + ]
243 + }' |
244 +
245 +# Prettify the JSON response
246 +json_pp;
247 +{{/code}}
248 +
249 + Note that your need to provide your client id both in the endpoint URL and within the body of the request.
250 +
251 +{{warning}}
252 +/!\ ** Each time you modify your client, a new registration access token will be generated. You need to keep track of your token changes to keep access to your client.   **/!\
253 +{{/warning}}