Wiki source code of Community App Developer Guide

Version 3.1 by allan on 2019/09/19 11:16
Hide last authors
allan 1.1 1 The Collaboratory is designed to be extended with applications provided by its community of users.
2
3 This guide describes how developers can contribute by creating and registering applications within the Collaboratory.
4
5 {{toc numbered="true" start="2"/}}
6
7 == Becoming a contributor ==
8
9 The first step is for you to be recognised as a contributor. Contributors can register and manage applications within the Community Apps Catalogue.
10
11 To become a contributor, send an email to [[support@humanbrainproject.eu>>mailto:support@humanbrainproject.eu]] with a short summary of your intentions.
12
13 The support team will apply the permissions to your user and the next time you will login, your account will be upgraded with developers privileges.
14
15 (% class="box infomessage" %)
16 (((
17 Please note that, currently, only SGA2 accredited users will be automatically granted the contributor level.
18 )))
19
20 == Registering an application in the Catalogue ==
21
22 The Community Apps Catalogue is the place where collab authors look for applications to add to their collabs.
allan 2.1 23
24 {{error}}
25 TODO: describe the steps to register an app in the Catalogue
26 {{/error}}
27
28 == Creating your OpenID Connect client ==
29
30 The steps to create an OpenID Connect client are the following:
31
32 * get an access token from the `developer` client
33 * use the token to call the create endpoint
allan 2.2 34 * save your registration access token for further modifications of your client
allan 2.1 35
36 === Fetching your developer access token ===
37
38 In order to get your developer token, you need to authenticate against the developer client with the password grant.
39
40 This can be achieved with this sample bash script:
41
42 {{code language="bash"}}
43 # Gather username and password from user
allan 2.2 44 echo '\nEnter your username' && read clb_dev_username &&
45 echo '\nEnter your password' && read -s clb_dev_pwd &&
allan 2.1 46
47 # Fetch the token
48 curl -X POST https://iam.humanbrainproject.eu/auth/realms/hbp/protocol/openid-connect/token \
49 -u developer: \
50 -d 'grant_type=password' \
51 -d "username=${clb_dev_username}" \
allan 2.2 52 -d "password=${clb_dev_pwd}" |
53
54 # Prettify the JSON response
55 json_pp;
allan 2.1 56
57 # Erase the credentials from local variables
58 clb_dev_pwd='';clb_dev_username=''
59 {{/code}}
60
61 The response will be similar to:
62
63 {{code language="json"}}
64 {
65 "access_token": "eyJhbGci...",
66 "expires_in": 108000,
67 "refresh_expires_in": 14400,
68 "refresh_token": "eyJhbGci...",
69 "token_type": "bearer",
70 "not-before-policy": 1563261088,
71 "session_state": "0ac3dfcd-aa5e-42eb-b333-2f73496b81f8",
72 "scope": ""
73 }
74 {{/code}}
75
76 Copy the "access_token" value, it is the one that will be needed for the next step.
allan 2.2 77
78 === Creating the client ===
79
allan 2.3 80 Clients can be created by sending a JSON representation to a specific endpoint:
81
82 {{code language="bash"}}
83 # Set your developer token
84 clb_dev_token=...
85
86 # Send the creation request
87 curl -X POST https://iam.humanbrainproject.eu/auth/realms/hbp/clients-registrations/default/ \
88 -H "Authorization: Bearer ${clb_dev_token}" \
89 -H 'Content-Type: application/json' \
90 -d '{
91 "clientId": "my-awesome-client",
92 "name": "My Awesome App",
93 "description": "This describes what my app is for end users",
94 "rootUrl": "https://root.url.of.my.app",
95 "baseUrl": "/relative/path/to/its/frontpage.html",
96 "redirectUris": [
97 "/relative/redirect/path",
98 "/these/can/use/wildcards/*"
99 ],
100 "webOrigins": ["+"],
101 "bearerOnly": false,
102 "consentRequired": true,
103 "standardFlowEnabled": true,
104 "implicitFlowEnabled": true,
105 "directAccessGrantsEnabled": false,
106 "attributes": {
107 "contacts": "first.contact@example.com; second.contact@example.com"
108 }
109 }' |
110
111 # Prettify the JSON response
112 json_pp;
113 {{/code}}
114
115 In case of success, the endpoint will return its representation of your client:
116
117 {{code language="json"}}
118 {
119 "defaultClientScopes" : [
120 "web-origins",
121 "roles"
122 ],
123 "redirectUris" : [
124 "/relative/redirect/path",
125 "/these/can/use/wildcards/*"
126 ],
127 "nodeReRegistrationTimeout" : -1,
128 "rootUrl" : "https://root.url.of.my.app",
129 "webOrigins" : [
130 "+"
131 ],
132 "authenticationFlowBindingOverrides" : {},
133 "baseUrl" : "/relative/path/to/its/frontpage.html",
134 "description" : "This describes what my app is for end users",
135 "notBefore" : 0,
136 "frontchannelLogout" : false,
137 "enabled" : true,
138 "registrationAccessToken" : "eyJhbGciOi...",
139 "consentRequired" : true,
140 "fullScopeAllowed" : false,
141 "clientAuthenticatorType" : "client-secret",
142 "surrogateAuthRequired" : false,
143 "directAccessGrantsEnabled" : false,
144 "standardFlowEnabled" : true,
145 "id" : "551b49a0-ec69-41af-9461-6c10fbc79a35",
146 "attributes" : {
147 "contacts" : "first.contact@example.com; second.contact@example.com"
148 },
149 "name" : "My Awesome App",
150 "secret" : "your-client-secret",
151 "publicClient" : false,
152 "clientId" : "my-awesome-client",
153 "optionalClientScopes" : [],
154 "implicitFlowEnabled" : true,
155 "protocol" : "openid-connect",
156 "bearerOnly" : false,
157 "serviceAccountsEnabled" : false
158 }
159 {{/code}}
160
161 Among all the attributes, you should securely save:
162
163 * your client secret ("secret" attribute) which is needed by your application to authenticate to the IAM server when making backend calls
164 * your client registration access token ("registrationAccessToken")  which is the token you will need to authenticate when modifying your client in the future