Last modified by messines on 2021/06/08 17:32
From version 7.1
edited by messines
on 2020/07/15 18:33
Change comment: Uploaded new attachment "Screenshot 2020-07-15 at 18.32.14.png", version {1}
To version 14.1
edited by messines
on 2020/07/16 10:17
Change comment: There is no comment for this version

Summary

Details

Page properties
Content
... ... @@ -1,77 +1,83 @@
1 1  == Abstract ==
2 2  
3 -You had been creating an OIDC client following our guide [[https:~~/~~/wiki.ebrains.eu/bin/view/Collabs/collaboratory-community-apps/Community%20App%20Developer%20Guide/Registering%20an%20OIDC%20client/>>https://wiki.ebrains.eu/bin/view/Collabs/collaboratory-community-apps/Community%20App%20Developer%20Guide/Registering%20an%20OIDC%20client/]]
3 +In order to create an OIDC client, see [[1. Registering an OIDC client>>https://wiki.ebrains.eu/bin/view/Collabs/collaboratory-community-apps/Community%20App%20Developer%20Guide/1.%20Registering%20an%20OIDC%20client/]]. After creating the OIDC client, you have a corresponding access token and secret.
4 4  
5 -The redirect_uri is set with the url of your application, in this exemple we will use postman, a platform for api developement, use your own application, for exemple when you loggin to this wiki, the redirect uri is [[https:~~/~~/wiki.ebrains.eu/*>>https://wiki.ebrains.eu/*]]
5 +For the example below, we consider the case of someone wanting to provide access to https:~/~/www.getpostman.com as an app for Collaboratory users to access from their collabs. You should replace that URL by the one of your own app.
6 6  
7 -The client is confidential with a secret, you obtain it throught the registering oidc client tutorial above.
7 +The redirect_uri is set with the URL of your application to which your users will be redirected after having been authenticated by their EBRAINS account. For example when you login to this wiki, the redirect URI is [[https:~~/~~/wiki.ebrains.eu/*>>https://wiki.ebrains.eu/*]]
8 8  
9 -[[image:Screenshot 2020-07-15 at 17.47.12.png]]
9 +[[image:Screenshot 2020-07-15 at 17.47.12.png||height="517" width="758"]]
10 10  
11 11  
12 -The whole authentication flow presented here is based on the official OAuth2 rfc describe in the section 4.1
12 +The whole authentication flow presented here is based on the official OAuth2 RFC described in the section 4.1.
13 13  
14 14  [[https:~~/~~/tools.ietf.org/html/rfc6749#section-4.1>>https://tools.ietf.org/html/rfc6749#section-4.1]]
15 15  
16 +[[image:Screenshot 2020-07-15 at 18.32.14.png||height="410" width="474"]]
17 +
16 16  == Authentication flow ==
17 17  
18 -=== Authorization Code Grant ===
20 +=== Authorization Code Request ===
19 19  
22 +The first step of the authentication protocol is to fetch an **authorization code **for your client and your user. This is done by directing your users to the URL of the EBRAINS login page (**IAM**) where they can enter their username and password.
23 +
20 20  ==== Request ====
21 21  
22 -/GET on [[https:~~/~~/iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/auth >>https://iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/auth]]
26 +The authorization **code **is fetched by an HTTP request:
23 23  
24 -with query parameters
28 +/GET: [[https:~~/~~/iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/auth>>https://iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/auth]]
25 25  
30 +with the following parameters:
31 +
26 26  * response_type=code
27 -* client_id=community-apps-tutorial
28 -* redirect_uri=[[https:~~/~~/www.getpostman.com/oauth2/callback>>https://www.getpostman.com/oauth2/callback]]
29 29  * login=true
30 -* scope=openid+group+team
34 +* client_id=**//community-apps-tutorial//**
35 +* redirect_uri=**//https:~/~/www.getpostman.com/oauth2/callback//**
36 +* scope=openid**//+group+team//**
31 31  
32 -so
38 +with the italics indicating the fields you customize for your own app. The URL will look like:
33 33  
34 -[[https:~~/~~/iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/auth?response_type=code&client_id=community-apps-tutorial&redirect_uri=https:~~/~~/www.getpostman.com/oauth2/callback&login=true&scope=openid+group+team>>https://iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/auth?response_type=code&client_id=community-apps-tutorial&redirect_uri=https://www.getpostman.com/oauth2/callback&login=true&scope=openid+group+team]]
40 +https:~/~/iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/auth?response_type=code&login=true&client_id=//**community-apps-tutorial**//&redirect_uri=//**https:~/~/www.getpostman.com/oauth2/callback**//&scope=openid//**+group+team**//
35 35  
36 -Of course replace **client_id** and **redirect_uri** with your own configuration
42 +The **scope** parameter can include a combination of several values. Each user will be asked to consent to sharing that scope with your app upon first access.
37 37  
38 -This will redirect you to the login page of **iam **where your user must enter they username/password
44 +* **openid: **This scope is required because we use the OIDC protocol. It will give your app access to the user's basic information such as username, email and full name.
45 +* **group **(optional)**: **If you request this scope, the future access token generated will authorize your app to identify which units and groups the user belongs to.
46 +* **team **(optional)**: **This scope is like the group scope lets your app identify the permissions of the user, but by identifying what collabs the user has access to and with what roles.
39 39  
40 -==== Scope ====
48 +{{info}}
49 +The group and team scopes are a simple way for your app to grant permissions to its services and resources when you want to grant access to a very few units, groups, or collab teams. For more complex permission management, contact support.
50 +{{/info}}
41 41  
42 -In the request you can see a scope **parameter**
43 -
44 -* **openid : **This scope is required in oidc, it contains basic information of the user such as it username, email and full name.
45 -* **group **( optional ) **: **This scope is provided by our service, if you add it to your authorization code grant request, the futur access token generated will be able to read which units and groups the logged user belongs, it can be very important for your application. You can notice on the screenshot in the abstract section that **Consent required **is **on, **it means that at loggin time, the user will be asked if he allow your application to access there unit and group membership
46 -* **team **( optional ) **: **Very same than group, but for collab, with this scope your application will know in which collab the authenticated user belong
47 -
48 48  ==== Response ====
49 49  
50 -After the loggin, you got a 301 redirection and 200 success http response with a **code** inside
54 +Once the user has logged in, your app gets an HTTP 301 redirection followed by an HTTP 200 success response with an authorization **code** inside. A typical response might look like:
51 51  
52 -[[https:~~/~~/www.getpostman.com/oauth2/callback?session_state=a0ff8a68-2654-43ef-977a-6c15ce343546&code=f3f04f93-hbp-482d-ac3d-demo.turtorial.7122c1d9-3f7e-4d80-9c4f-dcd244bc2ec7>>https://www.getpostman.com/oauth2/callback?session_state=a0ff8a68-2654-43ef-977a-6c15ce598886&code=f3f04f93-b98d-482d-ac3d-414cead54de0.a0ff8a68-2654-43ef-977a-6c15ce598886.7122c1d9-3f7e-4d80-9c4f-dcd244bc2ec7]]
56 +https:~/~/www.getpostman.com/oauth2/callback?session_state=a0ff8a68-2654-43ef-977a-6c15ce343546&code=**f3f04f93-hbp-482d-ac3d-demo.turtorial.7122c1d9-3f7e-4d80-9c4f-dcd244bc2ec7**
53 53  
54 54  (% class="box infomessage" %)
55 55  (((
56 -the code is very important for the next step here the code is //f3f04f93-hbp-482d-ac3d-demo.turtorial.7122c1d9-3f7e-4d80-9c4f-dcd244bc2ec7//
60 +The authorization **code** is the part in bold in the response above.
57 57  )))
58 58  
59 -
60 60  === Access Token Request ===
61 61  
65 +(% class="wikigeneratedid" id="HRequest-1" %)
66 +Now that your app has the **authorization** **code** for a user, it can fetch the user access token
67 +
62 62  ==== Request ====
63 63  
64 -Now that you have the **authorization** **code, **you can reach the **/token **endpoint and fetch the user access token
70 +/POST: [[https:/iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/token>>url:https:/iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/token]]
65 65  
66 -/POST : https:/iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/token
72 +with the following parameters:
67 67  
68 -with params
74 +* grant_type: authorization_code
75 +* code: **//f3f04f93-hbp-482d-ac3d-demo.turtorial.7122c1d9-3f7e-4d80-9c4f-dcd244bc2ec7//**
76 +* redirect_uri: **//[[https:~~/~~/www.getpostman.com/oauth2/callback>>https://www.getpostman.com/oauth2/callback]]//**
77 +* client_id: **//community-apps-tutorial//**
78 +* client_secret: **//your client secret obtained during client creation//**
69 69  
70 -* grant_type : authorization_code
71 -* code : //f3f04f93-hbp-482d-ac3d-demo.turtorial.7122c1d9-3f7e-4d80-9c4f-dcd244bc2ec7//
72 -* redirect_uri : [[https:~~/~~/www.getpostman.com/oauth2/callback>>https://www.getpostman.com/oauth2/callback]]
73 -* client_id : community-apps-tutorial
74 -* client_secret : your client secret obtained during client creation
80 +The image below shows a sample POST request generated from the Postman tool. [The fact that this page is based on getpostman.com as an example is pure coincidence.]
75 75  
76 76  [[image:Screenshot 2020-07-15 at 18.20.34.png]]
77 77  
... ... @@ -95,31 +95,33 @@
95 95  }
96 96  )))
97 97  
98 -You get a response containing the access token and others
104 +Your app gets a response containing the **access token** and other information.
99 99  
100 100  == Access user info ==
101 101  
102 -Now that your application got the access token of your user, it's really easy to fetch user info
108 +Now that your app has the access token of a user, it can fetch the user's info.
103 103  
104 -(% class="box infomessage" %)
105 -(((
106 -/GET https:/iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/userinfo
107 -)))
110 +==== Request ====
108 108  
109 -and just provide the access token as **Authentication** header
112 +/GET: [[https:/iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/userinfo>>url:https:/iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/userinfo]]
110 110  
114 +with the following parameters:
115 +
116 +* Authorization: the access token preceded by the string "Bearer "
117 +
118 +The image below shows a sample GET request generated from the Postman tool. [The fact that this page is based on getpostman.com as an example is pure coincidence.]
119 +
111 111  [[image:Screenshot 2020-07-15 at 18.28.28.png||height="161" width="566"]]
112 112  
122 +==== Response ====
113 113  
114 -As response you will have a json with all the information on the logged user, for my user
124 +As response your app receives a JSON with all the information on the logged user
115 115  
116 116  (% class="box" %)
117 117  (((
118 118  {
119 - "sub": "fa2db206-3eb4-403c-894a-810ebaba98e1",
129 + "sub": "fa2db206-3...0ebaba98e1",
120 120   "unit": [
121 - "/collab-devs",
122 - "/collab-team",
123 123   "/all/institutions/switzerland/epfl",
124 124   "/all/projects/hbp/consortium/SGA2/SP05",
125 125   "/all/projects/hbp/consortium/SGA3/WP6/T6_11"
... ... @@ -132,13 +132,23 @@
132 132   "feature:authenticate"
133 133   ],
134 134   "team": [
135 - "collab-collaboratory-community-apps-editor"
143 + "**collab**-collaboratory-community-apps-**editor**"
136 136   ],
137 137   "group": [
138 - "group-collaboratory-developers",
139 - "unit-all-projects-hbp-consortium-sga2-sp05-administrator"
146 + "**group**-collaboratory-developers",
147 + "**unit**-all-projects-hbp-consortium-sga2-sp05-administrator"
140 140   ]
141 141   },
142 - "mitreid-sub": "305862"
150 + "mitreid-sub": "30...62"
143 143  }
144 144  )))
153 +
154 +The group field above lists Collaboratory Groups in the form "group-//groupname//" and Collaboratory Units in the form "unit-//unitname//" with the unitname using dashes instead of the colons you see in the Collaboratory UI.
155 +
156 +The team field above lists Collaboratory Teams in the form "collab-//collabname//-//role//" where //role //is one of admin, editor, or viewer according to the user's role in collab //collabname//.
157 +
158 +jupyterhub and xwiki are OIDC clients.
159 +
160 +The unit field above lists [useless noise?].
161 +
162 +