The Collaboratory is designed to be extended with applications provided by its community of users.
This guide describes how developers can contribute by creating and registering applications within the Collaboratory.
- Becoming a contributor
- Registering an application in the Catalogue
- Creating your OpenID Connect client
Becoming a contributor
The first step is for you to be recognised as a contributor. Contributors can register and manage applications within the Community Apps Catalogue.
To become a contributor, send an email to support@humanbrainproject.eu with a short summary of your intentions.
The support team will apply the permissions to your user and the next time you will login, your account will be upgraded with developers privileges.
Registering an application in the Catalogue
The Community Apps Catalogue is the place where collab authors look for applications to add to their collabs.
Creating your OpenID Connect client
The steps to create an OpenID Connect client are the following:
- get an access token from the `developer` client
- use the token to call the create endpoint
- save your registration access token for further modifications of your client
Fetching your developer access token
In order to get your developer token, you need to authenticate against the developer client with the password grant.
This can be achieved with this sample shell script:
echo '\nEnter your username' && read clb_dev_username &&
echo '\nEnter your password' && read -s clb_dev_pwd &&
# Fetch the token
curl -X POST https://iam.humanbrainproject.eu/auth/realms/hbp/protocol/openid-connect/token \
-u developer: \
-d 'grant_type=password' \
-d "username=${clb_dev_username}" \
-d "password=${clb_dev_pwd}" |
# Prettify the JSON response
json_pp;
# Erase the credentials from local variables
clb_dev_pwd='';clb_dev_username=''
The response will be similar to:
"access_token": "eyJhbGci...",
"expires_in": 108000,
"refresh_expires_in": 14400,
"refresh_token": "eyJhbGci...",
"token_type": "bearer",
"not-before-policy": 1563261088,
"session_state": "0ac3dfcd-aa5e-42eb-b333-2f73496b81f8",
"scope": ""
}
Copy the "access_token" value, it is the one that will be needed for the next step.
Creating the client
With your developer token, you can now create clients by sending a JSON representation to a specific endpoint:
clb_dev_token=...
# Send the creation request
curl -X POST https://iam.humanbrainproject.eu/auth/realms/hbp/clients-registrations/default/ \
-H "Authorization: Bearer ${clb_dev_token}" \
-H 'Content-Type: application/json' \
-d '{
"clientId": "my-awesome-client",
"name": "My Awesome App",
"description": "This describes what my app is for end users",
"rootUrl": "https://root.url.of.my.app",
"baseUrl": "/relative/path/to/its/frontpage.html",
"redirectUris": [
"/relative/redirect/path",
"/these/can/use/wildcards/*"
],
"webOrigins": ["+"],
"bearerOnly": false,
"consentRequired": true,
"standardFlowEnabled": true,
"implicitFlowEnabled": true,
"directAccessGrantsEnabled": false,
"attributes": {
"contacts": "first.contact@example.com; second.contact@example.com"
}
}' |
# Prettify the JSON response
json_pp;
In case of success, the endpoint will return its representation of your client:
"defaultClientScopes" : [
"web-origins",
"roles"
],
"redirectUris" : [
"/relative/redirect/path",
"/these/can/use/wildcards/*"
],
"nodeReRegistrationTimeout" : -1,
"rootUrl" : "https://root.url.of.my.app",
"webOrigins" : [
"+"
],
"authenticationFlowBindingOverrides" : {},
"baseUrl" : "/relative/path/to/its/frontpage.html",
"description" : "This describes what my app is for end users",
"notBefore" : 0,
"frontchannelLogout" : false,
"enabled" : true,
"registrationAccessToken" : "eyJhbGciOi...",
"consentRequired" : true,
"fullScopeAllowed" : false,
"clientAuthenticatorType" : "client-secret",
"surrogateAuthRequired" : false,
"directAccessGrantsEnabled" : false,
"standardFlowEnabled" : true,
"id" : "551b49a0-ec69-41af-9461-6c10fbc79a35",
"attributes" : {
"contacts" : "first.contact@example.com; second.contact@example.com"
},
"name" : "My Awesome App",
"secret" : "your-client-secret",
"publicClient" : false,
"clientId" : "my-awesome-client",
"optionalClientScopes" : [],
"implicitFlowEnabled" : true,
"protocol" : "openid-connect",
"bearerOnly" : false,
"serviceAccountsEnabled" : false
}
Among all the attributes, you should securely save:
- your client secret ("secret" attribute) which is needed by your application to authenticate to the IAM server when making backend calls
- your client registration access token ("registrationAccessToken") which is the token you will need to authenticate when modifying your client in the future
Modifying your client
Updating a client is done with a PUT request:
clb_reg_token=...
# Update the client
curl -X PUT https://iam.humanbrainproject.eu/auth/realms/hbp/clients-registrations/default/my-awesome-client \
-H "Authorization: Bearer ${clb_reg_token}" \
-H 'Content-Type: application/json' \
-d '{
"clientId": "my-awesome-client",
"redirectUris": [
"/relative/redirect/path",
"/these/can/use/wildcards/*",
"/a/new/redirect/uri"
]
}' |
# Prettify the JSON response
json_pp;
Note that your client id must be provided both in the endpoint URL and within the body of the request.