Last modified by messines on 2021/06/08 17:32
From version 1.1
edited by messines
on 2020/07/15 17:45
Change comment: There is no comment for this version
To version 10.1
edited by messines
on 2020/07/15 18:35
Change comment: There is no comment for this version

Summary

Details

Page properties
Content
... ... @@ -1,0 +1,150 @@
1 +== Abstract ==
2 +
3 +You had been creating an OIDC client following our guide [[https:~~/~~/wiki.ebrains.eu/bin/view/Collabs/collaboratory-community-apps/Community%20App%20Developer%20Guide/Registering%20an%20OIDC%20client/>>https://wiki.ebrains.eu/bin/view/Collabs/collaboratory-community-apps/Community%20App%20Developer%20Guide/Registering%20an%20OIDC%20client/]]
4 +
5 +The redirect_uri is set with the url of your application, in this exemple we will use postman, a platform for api developement, use your own application, for exemple when you loggin to this wiki, the redirect uri is [[https:~~/~~/wiki.ebrains.eu/*>>https://wiki.ebrains.eu/*]]
6 +
7 +The client is confidential with a secret, you obtain it throught the registering oidc client tutorial above.
8 +
9 +[[image:Screenshot 2020-07-15 at 17.47.12.png||height="517" width="758"]]
10 +
11 +
12 +The whole authentication flow presented here is based on the official OAuth2 rfc describe in the section 4.1
13 +
14 +[[https:~~/~~/tools.ietf.org/html/rfc6749#section-4.1>>https://tools.ietf.org/html/rfc6749#section-4.1]]
15 +
16 +[[image:Screenshot 2020-07-15 at 18.32.14.png||height="410" width="474"]]
17 +
18 +== Authentication flow ==
19 +
20 +=== Authorization Code Grant ===
21 +
22 +==== Request ====
23 +
24 +/GET on [[https:~~/~~/iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/auth >>https://iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/auth]]
25 +
26 +with query parameters
27 +
28 +* response_type=code
29 +* client_id=community-apps-tutorial
30 +* redirect_uri=[[https:~~/~~/www.getpostman.com/oauth2/callback>>https://www.getpostman.com/oauth2/callback]]
31 +* login=true
32 +* scope=openid+group+team
33 +
34 +so
35 +
36 +[[https:~~/~~/iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/auth?response_type=code&client_id=community-apps-tutorial&redirect_uri=https:~~/~~/www.getpostman.com/oauth2/callback&login=true&scope=openid+group+team>>https://iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/auth?response_type=code&client_id=community-apps-tutorial&redirect_uri=https://www.getpostman.com/oauth2/callback&login=true&scope=openid+group+team]]
37 +
38 +Of course replace **client_id** and **redirect_uri** with your own configuration
39 +
40 +This will redirect you to the login page of **iam **where your user must enter they username/password
41 +
42 +==== Scope ====
43 +
44 +In the request you can see a scope **parameter**
45 +
46 +* **openid : **This scope is required in oidc, it contains basic information of the user such as it username, email and full name.
47 +* **group **( optional ) **: **This scope is provided by our service, if you add it to your authorization code grant request, the futur access token generated will be able to read which units and groups the logged user belongs, it can be very important for your application. You can notice on the screenshot in the abstract section that **Consent required **is **on, **it means that at loggin time, the user will be asked if he allow your application to access there unit and group membership
48 +* **team **( optional ) **: **Very same than group, but for collab, with this scope your application will know in which collab the authenticated user belong
49 +
50 +==== Response ====
51 +
52 +After the loggin, you got a 301 redirection and 200 success http response with a **code** inside
53 +
54 +[[https:~~/~~/www.getpostman.com/oauth2/callback?session_state=a0ff8a68-2654-43ef-977a-6c15ce343546&code=f3f04f93-hbp-482d-ac3d-demo.turtorial.7122c1d9-3f7e-4d80-9c4f-dcd244bc2ec7>>https://www.getpostman.com/oauth2/callback?session_state=a0ff8a68-2654-43ef-977a-6c15ce598886&code=f3f04f93-b98d-482d-ac3d-414cead54de0.a0ff8a68-2654-43ef-977a-6c15ce598886.7122c1d9-3f7e-4d80-9c4f-dcd244bc2ec7]]
55 +
56 +(% class="box infomessage" %)
57 +(((
58 +the code is very important for the next step here the code is //f3f04f93-hbp-482d-ac3d-demo.turtorial.7122c1d9-3f7e-4d80-9c4f-dcd244bc2ec7//
59 +)))
60 +
61 +
62 +=== Access Token Request ===
63 +
64 +==== Request ====
65 +
66 +Now that you have the **authorization** **code, **you can reach the **/token **endpoint and fetch the user access token
67 +
68 +/POST : https:/iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/token
69 +
70 +with params
71 +
72 +* grant_type : authorization_code
73 +* code : //f3f04f93-hbp-482d-ac3d-demo.turtorial.7122c1d9-3f7e-4d80-9c4f-dcd244bc2ec7//
74 +* redirect_uri : [[https:~~/~~/www.getpostman.com/oauth2/callback>>https://www.getpostman.com/oauth2/callback]]
75 +* client_id : community-apps-tutorial
76 +* client_secret : your client secret obtained during client creation
77 +
78 +[[image:Screenshot 2020-07-15 at 18.20.34.png]]
79 +
80 +
81 +==== Response ====
82 +
83 +200 OK
84 +
85 +(% class="box" %)
86 +(((
87 +{
88 + "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAi...pP5vaNwvvsaNGEA",
89 + "expires_in": 604773,
90 + "refresh_expires_in": 604773,
91 + "refresh_token": "eyJh...vC5eIR1rNhRJ4d8",
92 + "token_type": "bearer",
93 + "id_token": "eyJ...YOwdQ",
94 + "not-before-policy": 0,
95 + "session_state": "76e553bf-ba2e-45b6-8c6c-c867772b40ec",
96 + "scope": "openid"
97 +}
98 +)))
99 +
100 +You get a response containing the access token and others
101 +
102 +== Access user info ==
103 +
104 +==== Request ====
105 +
106 +Now that your application got the access token of your user, it's really easy to fetch user info
107 +
108 +(% class="box infomessage" %)
109 +(((
110 +/GET https:/iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/userinfo
111 +)))
112 +
113 +and just provide the access token as **Authentication** header
114 +
115 +[[image:Screenshot 2020-07-15 at 18.28.28.png||height="161" width="566"]]
116 +
117 +
118 +==== Response ====
119 +
120 +As response you will have a json with all the information on the logged user, for my user
121 +
122 +(% class="box" %)
123 +(((
124 +{
125 + "sub": "fa2db206-3eb4-403c-894a-810ebaba98e1",
126 + "unit": [
127 + "/collab-devs",
128 + "/collab-team",
129 + "/all/institutions/switzerland/epfl",
130 + "/all/projects/hbp/consortium/SGA2/SP05",
131 + "/all/projects/hbp/consortium/SGA3/WP6/T6_11"
132 + ],
133 + "roles": {
134 + "jupyterhub": [
135 + "feature:authenticate"
136 + ],
137 + "xwiki": [
138 + "feature:authenticate"
139 + ],
140 + "team": [
141 + "collab-collaboratory-community-apps-editor"
142 + ],
143 + "group": [
144 + "group-collaboratory-developers",
145 + "unit-all-projects-hbp-consortium-sga2-sp05-administrator"
146 + ]
147 + },
148 + "mitreid-sub": "305862"
149 +}
150 +)))
Screenshot 2020-07-15 at 17.47.12.png
Author
... ... @@ -1,0 +1,1 @@
1 +XWiki.messines
Size
... ... @@ -1,0 +1,1 @@
1 +184.0 KB
Content
Screenshot 2020-07-15 at 18.20.34.png
Author
... ... @@ -1,0 +1,1 @@
1 +XWiki.messines
Size
... ... @@ -1,0 +1,1 @@
1 +273.3 KB
Content
Screenshot 2020-07-15 at 18.28.28.png
Author
... ... @@ -1,0 +1,1 @@
1 +XWiki.messines
Size
... ... @@ -1,0 +1,1 @@
1 +58.4 KB
Content
Screenshot 2020-07-15 at 18.32.14.png
Author
... ... @@ -1,0 +1,1 @@
1 +XWiki.messines
Size
... ... @@ -1,0 +1,1 @@
1 +161.8 KB
Content