Summary

• Page properties (1 modified, 0 added, 0 removed)

Details

Page properties

Content

...	...	@@ -20,145 +20,3 @@
20	20	== Registering an application in the Catalogue ==
21	21
22	22	The Community Apps Catalogue is the place where collab authors look for applications to add to their collabs.
23		-
24		-{{error}}
25		-TODO: describe the steps to register an app in the Catalogue
26		-{{/error}}
27		-
28		-== Creating your OpenID Connect client ==
29		-
30		-The steps to create an OpenID Connect client are the following:
31		-
32		-* get an access token from the `developer` client
33		-* use the token to call the create endpoint
34		-* save your registration access token for further modifications of your client
35		-
36		-=== Fetching your developer access token ===
37		-
38		-In order to get your developer token, you need to authenticate against the developer client with the password grant.
39		-
40		-This can be achieved with this sample bash script:
41		-
42		-{{code language="bash"}}
43		-# Gather username and password from user
44		-echo '\nEnter your username' && read clb_dev_username &&
45		-echo '\nEnter your password' && read -s clb_dev_pwd &&
46		-
47		-# Fetch the token
48		-curl -X POST https://iam.humanbrainproject.eu/auth/realms/hbp/protocol/openid-connect/token \
49		- -u developer: \
50		- -d 'grant_type=password' \
51		- -d "username=${clb_dev_username}" \
52		- -d "password=${clb_dev_pwd}" |
53		-
54		-# Prettify the JSON response
55		-json_pp;
56		-
57		-# Erase the credentials from local variables
58		-clb_dev_pwd='';clb_dev_username=''
59		-{{/code}}
60		-
61		-The response will be similar to:
62		-
63		-{{code language="json"}}
64		-{
65		- "access_token": "eyJhbGci...",
66		- "expires_in": 108000,
67		- "refresh_expires_in": 14400,
68		- "refresh_token": "eyJhbGci...",
69		- "token_type": "bearer",
70		- "not-before-policy": 1563261088,
71		- "session_state": "0ac3dfcd-aa5e-42eb-b333-2f73496b81f8",
72		- "scope": ""
73		-}
74		-{{/code}}
75		-
76		-Copy the "access_token" value, it is the one that will be needed for the next step.
77		-
78		-=== Creating the client ===
79		-
80		-Clients can be created by sending a JSON representation to a specific endpoint:
81		-
82		-{{code language="bash"}}
83		-# Set your developer token
84		-clb_dev_token=...
85		-
86		-# Send the creation request
87		-curl -X POST https://iam.humanbrainproject.eu/auth/realms/hbp/clients-registrations/default/ \
88		- -H "Authorization: Bearer ${clb_dev_token}" \
89		- -H 'Content-Type: application/json' \
90		- -d '{
91		- "clientId": "my-awesome-client",
92		- "name": "My Awesome App",
93		- "description": "This describes what my app is for end users",
94		- "rootUrl": "https://root.url.of.my.app",
95		- "baseUrl": "/relative/path/to/its/frontpage.html",
96		- "redirectUris": [
97		- "/relative/redirect/path",
98		- "/these/can/use/wildcards/*"
99		- ],
100		- "webOrigins": ["+"],
101		- "bearerOnly": false,
102		- "consentRequired": true,
103		- "standardFlowEnabled": true,
104		- "implicitFlowEnabled": true,
105		- "directAccessGrantsEnabled": false,
106		- "attributes": {
107		- "contacts": "first.contact@example.com; second.contact@example.com"
108		- }
109		- }' |
110		-
111		-# Prettify the JSON response
112		-json_pp;
113		-{{/code}}
114		-
115		-In case of success, the endpoint will return its representation of your client:
116		-
117		-{{code language="json"}}
118		-{
119		- "defaultClientScopes" : [
120		- "web-origins",
121		- "roles"
122		- ],
123		- "redirectUris" : [
124		- "/relative/redirect/path",
125		- "/these/can/use/wildcards/*"
126		- ],
127		- "nodeReRegistrationTimeout" : -1,
128		- "rootUrl" : "https://root.url.of.my.app",
129		- "webOrigins" : [
130		- "+"
131		- ],
132		- "authenticationFlowBindingOverrides" : {},
133		- "baseUrl" : "/relative/path/to/its/frontpage.html",
134		- "description" : "This describes what my app is for end users",
135		- "notBefore" : 0,
136		- "frontchannelLogout" : false,
137		- "enabled" : true,
138		- "registrationAccessToken" : "eyJhbGciOi...",
139		- "consentRequired" : true,
140		- "fullScopeAllowed" : false,
141		- "clientAuthenticatorType" : "client-secret",
142		- "surrogateAuthRequired" : false,
143		- "directAccessGrantsEnabled" : false,
144		- "standardFlowEnabled" : true,
145		- "id" : "551b49a0-ec69-41af-9461-6c10fbc79a35",
146		- "attributes" : {
147		- "contacts" : "first.contact@example.com; second.contact@example.com"
148		- },
149		- "name" : "My Awesome App",
150		- "secret" : "your-client-secret",
151		- "publicClient" : false,
152		- "clientId" : "my-awesome-client",
153		- "optionalClientScopes" : [],
154		- "implicitFlowEnabled" : true,
155		- "protocol" : "openid-connect",
156		- "bearerOnly" : false,
157		- "serviceAccountsEnabled" : false
158		-}
159		-{{/code}}
160		-
161		-Among all the attributes, you should securely save:
162		-
163		-* your client secret ("secret" attribute) which is needed by your application to authenticate to the IAM server when making backend calls
164		-* your client registration access token ("registrationAccessToken")  which is the token you will need to authenticate when modifying your client in the future