Wiki source code of Community App Developer Guide

Version 25.1 by allan on 2020/03/04 10:58
Hide last authors
allan 4.3 1 Developers can extend the Collaboratory capabilities by providing applications to its community of users.
allan 1.1 2
allan 4.3 3 This guide describes the steps to make this possible.
allan 1.1 4
5 == Becoming a contributor ==
6
allan 9.1 7 The first step is for you to **get the developer accreditation**. Contributors can register and manage applications within the Community Apps Catalogue.
allan 1.1 8
allan 4.3 9 Send an email to [[support@humanbrainproject.eu>>mailto:support@humanbrainproject.eu]] with a short summary of your intentions.
allan 1.1 10
fabricegaillard 20.1 11 The support team will apply the permissions to your user: your account will be [[upgraded with developers privileges>>doc:Collabs.collab-devs.collaboratory-v2.keycloak.user administration.WebHome]] the next time you will login.
allan 1.1 12
13 (% class="box infomessage" %)
14 (((
allan 9.1 15 Only SGA2 accredited users will be automatically granted the developer accreditation.
allan 1.1 16 )))
17
allan 10.1 18 == Making your app available to users ==
allan 1.1 19
allan 21.1 20 In order for you application to be installable by users, it needs to be registered within the [[Community Apps Catalogue>>doc:Apps.WebHome]].
allan 2.1 21
allan 10.1 22 Once this simple step is complete, users will be able to install your app within their collabs.
23
24 === Registering an application in the Catalogue ===
25
allan 21.1 26 Navigate to the catalogue and click on **+Create App** in the top right corner. Enter a name for your app and click on **Create**.
allan 2.1 27
allan 21.1 28 Fill the form with the following information:
allan 9.1 29
allan 21.1 30 * **main URL**: the URL of the homepage of your app. This is where user will be directed when then open your app in a collab.
31 * **settings URL**: the URL of the your settings management page if you have one.
32 * **description**: a description of what your app does to help users select it.
33 * **under development?**: should be checked if you don't want your app to be available by default by other users.
34 * **category**: a category to help structuring the applications.
35 * **maintainers**: a list of users who maintain the app. The users need to have logged in the wiki at least once to be found. Maintainers are granted the right to modify an app registration.
36 * **documentation URL**: if your app has online user documentation, a link will be provided to users when they use your app.
37 * **repository**: a URL to a public repository so users can check the sources of your app.
allan 9.1 38
allan 21.1 39 Click on **Save**. Your app is now registered and waiting for users to install it!
allan 9.1 40
allan 21.1 41 === Installing your app in a collab ===
allan 10.1 42
allan 21.1 43 1. In order to install your app, you need to navigate to a collab where you have either the **editor** or **administrator** role.
44 1. Click on **Create**. Enter a title for this instance of your app and select **Community App** in the right selector.
45 1. Click on **Create**. You will be presented with the Community App Catalogue. The app you will see are the public apps and the ones your a maintainer of.
46 1. Select your app and click on **Save and View**.
allan 10.1 47
allan 21.1 48 You should now see how your app looks like within a collab.
allan 10.1 49
allan 11.1 50 == Getting your app instance context ==
51
52 Instances of your applications will be installed by collab authors in many different collabs. In order to let you customise the user experience based on its context, the Collaboratory will automatically pass query parameters to your app:
53
allan 22.1 54 * **##clb-collab-id##**: the unique, human-readable identifier of the collab.
55 * ##**clb-doc-path**##: the path of your app instance within the collab. If your app is at the root of a collab, this value will be empty.
56 * ##**clb-doc-name**##: the name of the document where your app instance is installed.
57 * ##**clb-drive-id**##: the unique identifier of the drive of the collab. This id is required if you want to fetch or store documents within the drive of the collab.
allan 11.1 58
allan 22.1 59 == App settings ==
allan 14.1 60
allan 22.1 61 The app settings are the values the collab author can modify to change the behaviour of your application within her collab.
allan 14.1 62
63 === Writing settings ===
64
allan 22.1 65 The Collaboratory comes with a mechanism to let your app store these settings directly in the Collaboratory.
allan 14.1 66
allan 22.1 67 In order to do that, your app needs to use the [[postMessage javascript API>>https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage]] to send the settings to store to the Collaboratory:
allan 14.1 68
69 {{code language="javascript"}}
70 window.parent.postMessage({
71 topic: '/clb/community-app/settings',
72 data: {
73 setting1: 'setting 1 value',
74 setting2: 'setting 2 value',
bougault 17.1 75 // ...
bougault 18.1 76 // reload: false // avoid page reload on settings change
bougault 16.1 77 }}, 'https://wiki.humanbrainproject.eu');
allan 14.1 78 {{/code}}
79
80 === Fetching settings ===
81
82 The Collaboratory will get the settings from its key/value store and pass them to your app through query parameters.
83
allan 2.1 84 == Creating your OpenID Connect client ==
85
86 The steps to create an OpenID Connect client are the following:
87
allan 3.2 88 1. get an access token from the `developer` client
89 1. use the token to call the create endpoint
90 1. save your registration access token for further modifications of your client
allan 2.1 91
allan 25.1 92 Note that a [[notebook>>https://lab.humanbrainproject.eu/user-redirect/lab/tree/drive/Shared%20with%20all/Collaboratory%20Community%20Apps/Managing%20an%20OpenID%20Connect%20client.ipynb||rel="noopener noreferrer" target="_blank"]] is available to help you create and modify your OIDC client.
allan 23.1 93
allan 2.1 94 === Fetching your developer access token ===
95
allan 4.3 96 Getting your developer token is done in one simple step: authenticate against the developer client with the password grant.
allan 2.1 97
allan 3.2 98 This can be achieved with this sample shell script:
allan 2.1 99
100 {{code language="bash"}}
101 # Gather username and password from user
allan 2.2 102 echo '\nEnter your username' && read clb_dev_username &&
103 echo '\nEnter your password' && read -s clb_dev_pwd &&
allan 2.1 104
105 # Fetch the token
106 curl -X POST https://iam.humanbrainproject.eu/auth/realms/hbp/protocol/openid-connect/token \
107 -u developer: \
108 -d 'grant_type=password' \
allan 19.1 109 --data-urlencode "username=${clb_dev_username}" \
110 --data-urlencode "password=${clb_dev_pwd}" |
allan 2.2 111
112 # Prettify the JSON response
113 json_pp;
allan 2.1 114
115 # Erase the credentials from local variables
116 clb_dev_pwd='';clb_dev_username=''
117 {{/code}}
118
119 The response will be similar to:
120
121 {{code language="json"}}
122 {
123 "access_token": "eyJhbGci...",
124 "expires_in": 108000,
125 "refresh_expires_in": 14400,
126 "refresh_token": "eyJhbGci...",
127 "token_type": "bearer",
128 "not-before-policy": 1563261088,
129 "session_state": "0ac3dfcd-aa5e-42eb-b333-2f73496b81f8",
130 "scope": ""
131 }
132 {{/code}}
133
allan 4.3 134 Copy the "access_token" value, you will need if for the next step.
allan 2.2 135
136 === Creating the client ===
137
allan 4.3 138 You can now create clients by sending a JSON representation to a specific endpoint:
allan 2.3 139
140 {{code language="bash"}}
141 # Set your developer token
142 clb_dev_token=...
143
144 # Send the creation request
145 curl -X POST https://iam.humanbrainproject.eu/auth/realms/hbp/clients-registrations/default/ \
146 -H "Authorization: Bearer ${clb_dev_token}" \
147 -H 'Content-Type: application/json' \
148 -d '{
149 "clientId": "my-awesome-client",
150 "name": "My Awesome App",
151 "description": "This describes what my app is for end users",
152 "rootUrl": "https://root.url.of.my.app",
153 "baseUrl": "/relative/path/to/its/frontpage.html",
154 "redirectUris": [
155 "/relative/redirect/path",
156 "/these/can/use/wildcards/*"
157 ],
158 "webOrigins": ["+"],
159 "bearerOnly": false,
160 "consentRequired": true,
161 "standardFlowEnabled": true,
162 "implicitFlowEnabled": true,
163 "directAccessGrantsEnabled": false,
164 "attributes": {
165 "contacts": "first.contact@example.com; second.contact@example.com"
166 }
167 }' |
168
169 # Prettify the JSON response
170 json_pp;
171 {{/code}}
172
173 In case of success, the endpoint will return its representation of your client:
174
175 {{code language="json"}}
176 {
177 "defaultClientScopes" : [
178 "web-origins",
179 "roles"
180 ],
181 "redirectUris" : [
182 "/relative/redirect/path",
183 "/these/can/use/wildcards/*"
184 ],
185 "nodeReRegistrationTimeout" : -1,
186 "rootUrl" : "https://root.url.of.my.app",
187 "webOrigins" : [
188 "+"
189 ],
190 "authenticationFlowBindingOverrides" : {},
191 "baseUrl" : "/relative/path/to/its/frontpage.html",
192 "description" : "This describes what my app is for end users",
193 "notBefore" : 0,
194 "frontchannelLogout" : false,
195 "enabled" : true,
196 "registrationAccessToken" : "eyJhbGciOi...",
197 "consentRequired" : true,
198 "fullScopeAllowed" : false,
199 "clientAuthenticatorType" : "client-secret",
200 "surrogateAuthRequired" : false,
201 "directAccessGrantsEnabled" : false,
202 "standardFlowEnabled" : true,
203 "id" : "551b49a0-ec69-41af-9461-6c10fbc79a35",
204 "attributes" : {
205 "contacts" : "first.contact@example.com; second.contact@example.com"
206 },
207 "name" : "My Awesome App",
208 "secret" : "your-client-secret",
209 "publicClient" : false,
210 "clientId" : "my-awesome-client",
211 "optionalClientScopes" : [],
212 "implicitFlowEnabled" : true,
213 "protocol" : "openid-connect",
214 "bearerOnly" : false,
215 "serviceAccountsEnabled" : false
216 }
217 {{/code}}
218
219 Among all the attributes, you should securely save:
220
allan 4.3 221 * your client **secret** ("secret" attribute): it is needed by your application to **authenticate to the IAM server** when making backend calls
222 * your client **registration access token** ("registrationAccessToken"): you will need it to authenticate when **modifying your client in the future**
allan 4.1 223
224 === Modifying your client ===
225
allan 4.3 226 Update your client with a PUT request:
allan 4.1 227
228 {{code language="bash"}}
229 # Set your registration token and client id
230 clb_reg_token=...
231
232 # Update the client
233 curl -X PUT https://iam.humanbrainproject.eu/auth/realms/hbp/clients-registrations/default/my-awesome-client \
234 -H "Authorization: Bearer ${clb_reg_token}" \
235 -H 'Content-Type: application/json' \
236 -d '{
237 "clientId": "my-awesome-client",
238 "redirectUris": [
239 "/relative/redirect/path",
240 "/these/can/use/wildcards/*",
241 "/a/new/redirect/uri"
242 ]
243 }' |
244
245 # Prettify the JSON response
246 json_pp;
247 {{/code}}
allan 4.2 248
allan 4.3 249 Note that your need to provide your client id both in the endpoint URL and within the body of the request.
allan 4.2 250
251 {{warning}}
allan 23.1 252 /!\ ** Each time you modify your client, a new registration access token will be generated. You need to keep track of your token changes to keep access to your client.   **/!\
allan 4.2 253 {{/warning}}