Attention: The Keycloak upgrade has been completed. As this was a major upgrade, there may be some unexpected issues occurring. Please report any issues you find to support by using the contact form found at https://www.ebrains.eu/contact/. Thank you for your patience and understanding. 


Last modified by messines on 2021/06/08 17:32
From version 22.1
edited by messines
on 2021/06/08 17:32
Change comment: There is no comment for this version
To version 14.1
edited by messines
on 2020/07/16 10:17
Change comment: There is no comment for this version

Summary

Details

Page properties
Title
... ... @@ -1,1 +1,1 @@
1 -2. Authenticating with your OIDC client and fetch collab user info
1 +Authenticating with your OIDC client and fetch collab user info
Content
... ... @@ -1,8 +6,3 @@
1 -(% class="wikigeneratedid" %)
2 -== Requirement ==
3 -
4 -You should read this documentation to [[understand the concept of Authentication and Authorization>>https://wiki.ebrains.eu/bin/view/Collabs/the-collaboratory/Technical%20documentation/Architecture/Permissions/Authentication%20%26%20Authorisation%20using%20OIDC/]] with OIDC and OAuth2 before to try to implement it.
5 -
6 6  == Abstract ==
7 7  
8 8  In order to create an OIDC client, see [[1. Registering an OIDC client>>https://wiki.ebrains.eu/bin/view/Collabs/collaboratory-community-apps/Community%20App%20Developer%20Guide/1.%20Registering%20an%20OIDC%20client/]]. After creating the OIDC client, you have a corresponding access token and secret.
... ... @@ -47,14 +47,8 @@
47 47  The **scope** parameter can include a combination of several values. Each user will be asked to consent to sharing that scope with your app upon first access.
48 48  
49 49  * **openid: **This scope is required because we use the OIDC protocol. It will give your app access to the user's basic information such as username, email and full name.
50 -* **profile** (optional): More information on user if provided by the user
51 -* **email **(optional): The verified email of the user, should be add in addition of openid and/or profile to get the email.
52 52  * **group **(optional)**: **If you request this scope, the future access token generated will authorize your app to identify which units and groups the user belongs to.
53 53  * **team **(optional)**: **This scope is like the group scope lets your app identify the permissions of the user, but by identifying what collabs the user has access to and with what roles.
54 -* **clb.wiki.read **(optional): access to GET Collab API
55 -* **clb.wiki.write** (optional): access to DELETE/PUT/POST Collab API
56 -* **collab.drive **(optional): access to GET/POST/PUT/DELETE drive API
57 -* **offline_access **(optional)**: **provide refresh token
58 58  
59 59  {{info}}
60 60  The group and team scopes are a simple way for your app to grant permissions to its services and resources when you want to grant access to a very few units, groups, or collab teams. For more complex permission management, contact support.
... ... @@ -74,11 +74,11 @@
74 74  === Access Token Request ===
75 75  
76 76  (% class="wikigeneratedid" id="HRequest-1" %)
77 -Now that your app has the **authorization** **code** for a user, it can fetch the user ID Token and Access Token
66 +Now that your app has the **authorization** **code** for a user, it can fetch the user access token
78 78  
79 79  ==== Request ====
80 80  
81 -/POST: [[https:~~/~~/iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/token>>https://iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/token]]
70 +/POST: [[https:/iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/token>>url:https:/iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/token]]
82 82  
83 83  with the following parameters:
84 84  
... ... @@ -112,7 +112,7 @@
112 112  }
113 113  )))
114 114  
115 -Your app gets a response containing the **access token**, the **refresh token,** the **id token **and other information. The ID Token should be use by developer on their backend to read user informations such as username, first name, last name etc. The ID Token should be use internally, into your app only, the app which triggered the authentication. The access token will be use to reach APIs, the access token can be see as a card to access an ATM. ID Token is for Authentication, Access token is for Authorization. Refresh token is to re-ask a valid access token after expiration.
104 +Your app gets a response containing the **access token** and other information.
116 116  
117 117  == Access user info ==
118 118  
... ... @@ -120,7 +120,7 @@
120 120  
121 121  ==== Request ====
122 122  
123 -/GET: [[https:~~/~~/iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/userinfo>>https://iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/userinfo]]
112 +/GET: [[https:/iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/userinfo>>url:https:/iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/userinfo]]
124 124  
125 125  with the following parameters:
126 126  
... ... @@ -132,7 +132,7 @@
132 132  
133 133  ==== Response ====
134 134  
135 -As response your app receives a JSON with all the information about the logged user
124 +As response your app receives a JSON with all the information on the logged user
136 136  
137 137  (% class="box" %)
138 138  (((
... ... @@ -155,7 +155,7 @@
155 155   ],
156 156   "group": [
157 157   "**group**-collaboratory-developers",
158 - "**unit**-all-projects-hbp-consortium-sga2-sp05-**administrator**"
147 + "**unit**-all-projects-hbp-consortium-sga2-sp05-administrator"
159 159   ]
160 160   },
161 161   "mitreid-sub": "30...62"
... ... @@ -162,10 +162,12 @@
162 162  }
163 163  )))
164 164  
165 -The unit field above lists Collaboratory Units which the user is a member of, with the unit name using slashes instead of the colons you see in the Collaboratory UI.
154 +The group field above lists Collaboratory Groups in the form "group-//groupname//" and Collaboratory Units in the form "unit-//unitname//" with the unitname using dashes instead of the colons you see in the Collaboratory UI.
166 166  
167 -jupyterhub and xwiki are OIDC clients with more advanced permission management.
156 +The team field above lists Collaboratory Teams in the form "collab-//collabname//-//role//" where //role //is one of admin, editor, or viewer according to the user's role in collab //collabname//.
168 168  
169 -The team field above lists Collaboratory Teams which the user is a member of, in the form "collab-//collabname//-//role//" where //role //is one of admin, editor, or viewer according to the user's role in collab //collabname//.
158 +jupyterhub and xwiki are OIDC clients.
170 170  
171 -The group field above lists Collaboratory Groups which the user is a member of, in the form "group-//groupname//". It also lists Collaboratory Units which the user is an admin of, in the form "unit-//unitname//-administrator" with //unitname //using dashes instead of the colons you see in the Collaboratory UI.
160 +The unit field above lists [useless noise?].
161 +
162 +