Summary

• Page properties (3 modified, 0 added, 0 removed)

Details

Page properties

Title

...	...	@@ -1,1 +1,1 @@
1		-Authenticating with your OIDC client and fetch collab user info
	1	+2. Authenticating with your OIDC client and fetch collab user info

Author

...	...	@@ -1,1 +1,1 @@
1		-XWiki.mmorgan
	1	+XWiki.messines

Content

...	...	@@ -42,8 +42,14 @@
42	42	The **scope** parameter can include a combination of several values. Each user will be asked to consent to sharing that scope with your app upon first access.
43	43
44	44	* **openid: **This scope is required because we use the OIDC protocol. It will give your app access to the user's basic information such as username, email and full name.
	45	+* **profile** (optional): More information on user if provided by the user
	46	+* **email **(optional): The verified email of the user, should be add in addition of openid and/or profile to get the email.
45	45	* **group **(optional)**: **If you request this scope, the future access token generated will authorize your app to identify which units and groups the user belongs to.
46	46	* **team **(optional)**: **This scope is like the group scope lets your app identify the permissions of the user, but by identifying what collabs the user has access to and with what roles.
	49	+* **clb.wiki.read **(optional): access to GET Collab API
	50	+* **clb.wiki.write** (optional): access to DELETE/PUT/POST Collab API
	51	+* **collab.drive **(optional): access to GET/POST/PUT/DELETE drive API
	52	+* **offline_access **(optional)**: **provide refresh token
47	47
48	48	{{info}}
49	49	The group and team scopes are a simple way for your app to grant permissions to its services and resources when you want to grant access to a very few units, groups, or collab teams. For more complex permission management, contact support.
...	...	@@ -63,12 +63,11 @@
63	63	=== Access Token Request ===
64	64
65	65	(% class="wikigeneratedid" id="HRequest-1" %)
66		-Now that your app has the **authorization** **code** for a user, it can fetch the user access token
	72	+Now that your app has the **authorization** **code** for a user, it can fetch the user ID Token and Access Token
67	67
68		-(% class="wikigeneratedid" %)
69	69	==== Request ====
70	70
71		-/POST: [[https:/iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/token>>url:https:/iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/token]]
	76	+/POST: [[https:~~/~~/iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/token>>https://iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/token]]
72	72
73	73	with the following parameters:
74	74
...	...	@@ -102,7 +102,7 @@
102	102	}
103	103	)))
104	104
105		-Your app gets a response containing the **access token** and other information.
	110	+Your app gets a response containing the **access token**, the **refresh token,** the **id token **and other information. The ID Token should be use by developer on their backend to read user informations such as username, first name, last name etc. The ID Token should be use internally, into your app only, the app which triggered the authentication. The access token will be use to reach APIs, the access token can be see as a card to access an ATM. ID Token is for Authentication, Access token is for Authorization. Refresh token is to re-ask a valid access token after expiration.
106	106
107	107	== Access user info ==
108	108
...	...	@@ -110,7 +110,7 @@
110	110
111	111	==== Request ====
112	112
113		-/GET: [[https:/iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/userinfo>>url:https:/iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/userinfo]]
	118	+/GET: [[https:~~/~~/iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/userinfo>>https://iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/userinfo]]
114	114
115	115	with the following parameters:
116	116
...	...	@@ -122,7 +122,7 @@
122	122
123	123	==== Response ====
124	124
125		-As response your app receives a JSON with all the information on the logged user
	130	+As response your app receives a JSON with all the information about the logged user
126	126
127	127	(% class="box" %)
128	128	(((
...	...	@@ -129,8 +129,6 @@
129	129	{
130	130	"sub": "fa2db206-3...0ebaba98e1",
131	131	"unit": [
132		- "/collab-devs",
133		- "/collab-team",
134	134	"/all/institutions/switzerland/epfl",
135	135	"/all/projects/hbp/consortium/SGA2/SP05",
136	136	"/all/projects/hbp/consortium/SGA3/WP6/T6_11"
...	...	@@ -147,7 +147,7 @@
147	147	],
148	148	"group": [
149	149	"**group**-collaboratory-developers",
150		- "**unit**-all-projects-hbp-consortium-sga2-sp05-administrator"
	153	+ "**unit**-all-projects-hbp-consortium-sga2-sp05-**administrator**"
151	151	]
152	152	},
153	153	"mitreid-sub": "30...62"
...	...	@@ -154,12 +154,10 @@
154	154	}
155	155	)))
156	156
157		-The group field above lists Collaboratory Groups in the form "group-//groupname//" and Collaboratory Units in the form "unit-//unitname//" with the unitname using dashes instead of the colons you see in the Collaboratory UI.
	160	+The unit field above lists Collaboratory Units which the user is a member of, with the unit name using slashes instead of the colons you see in the Collaboratory UI.
158	158
159		-The team field above lists Collaboratory Teams in the form "collab-//collabname//-//role//" where //role //is one of admin, editor, or viewer according to the user's role in collab //collabname//.
	162	+jupyterhub and xwiki are OIDC clients with more advanced permission management.
160	160
161		-jupyterhub and xwiki are OIDC clients.
	164	+The team field above lists Collaboratory Teams which the user is a member of, in the form "collab-//collabname//-//role//" where //role //is one of admin, editor, or viewer according to the user's role in collab //collabname//.
162	162
163		-The unit field above lists [useless noise?].
164		-
165		-
	166	+The group field above lists Collaboratory Groups which the user is a member of, in the form "group-//groupname//". It also lists Collaboratory Units which the user is an admin of, in the form "unit-//unitname//-administrator" with //unitname //using dashes instead of the colons you see in the Collaboratory UI.