Wiki source code of Authenticating with your OIDC client and fetch collab user info
Hide last authors
| author | version | line-number | content |
|---|---|---|---|
 |
1.2 | 1 | == Abstract == |
| 2 | |||
| |
13.1 | 3 | In order to create an OIDC client, see [[1. Registering an OIDC client>>https://wiki.ebrains.eu/bin/view/Collabs/collaboratory-community-apps/Community%20App%20Developer%20Guide/1.%20Registering%20an%20OIDC%20client/]]. After creating the OIDC client, you have a corresponding access token and secret. |
| |
1.2 | 4 | |
| |
13.1 | 5 | For the example below, we consider the case of someone wanting to provide access to https:~/~/www.getpostman.com as an app for Collaboratory users to access from their collabs. You should replace that URL by the one of your own app. |
| |
1.2 | 6 | |
| |
13.1 | 7 | The redirect_uri is set with the URL of your application to which your users will be redirected after having been authenticated by their EBRAINS account. For example when you login to this wiki, the redirect URI is [[https:~~/~~/wiki.ebrains.eu/*>>https://wiki.ebrains.eu/*]] |
| |
1.2 | 8 | |
| |
9.1 | 9 | [[image:Screenshot 2020-07-15 at 17.47.12.png||height="517" width="758"]] |
| |
1.2 | 10 | |
| |
2.2 | 11 | |
| |
13.1 | 12 | The whole authentication flow presented here is based on the official OAuth2 RFC described in the section 4.1. |
| |
2.2 | 13 | |
| 14 | [[https:~~/~~/tools.ietf.org/html/rfc6749#section-4.1>>https://tools.ietf.org/html/rfc6749#section-4.1]] | ||
| 15 | |||
| |
8.1 | 16 | [[image:Screenshot 2020-07-15 at 18.32.14.png||height="410" width="474"]] |
| 17 | |||
| |
2.2 | 18 | == Authentication flow == |
| 19 | |||
| |
13.1 | 20 | === Authorization Code Request === |
| |
2.2 | 21 | |
| |
13.1 | 22 | The first step of the authentication protocol is to fetch an **authorization code **for your client and your user. This is done by directing your users to the URL of the EBRAINS login page (**IAM**) where they can enter their username and password. |
| |
11.1 | 23 | |
| |
2.2 | 24 | ==== Request ==== |
| 25 | |||
| |
13.1 | 26 | The authorization **code **is fetched by an HTTP request: |
| |
2.2 | 27 | |
| |
13.1 | 28 | /GET: [[https:~~/~~/iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/auth>>https://iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/auth]] |
| |
2.2 | 29 | |
| |
13.1 | 30 | with the following parameters: |
| 31 | |||
| |
2.2 | 32 | * response_type=code |
| 33 | * login=true | ||
| |
13.1 | 34 | * client_id=**//community-apps-tutorial//** |
| 35 | * redirect_uri=**//https:~/~/www.getpostman.com/oauth2/callback//** | ||
| 36 | * scope=openid**//+group+team//** | ||
| |
2.2 | 37 | |
| |
13.1 | 38 | with the italics indicating the fields you customize for your own app. The URL will look like: |
| |
2.2 | 39 | |
| |
13.1 | 40 | https:~/~/iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/auth?response_type=code&login=true&client_id=//**community-apps-tutorial**//&redirect_uri=//**https:~/~/www.getpostman.com/oauth2/callback**//&scope=openid//**+group+team**// |
| |
2.2 | 41 | |
| |
13.1 | 42 | The **scope** parameter can include a combination of several values. Each user will be asked to consent to sharing that scope with your app upon first access. |
| |
2.2 | 43 | |
| |
13.1 | 44 | * **openid: **This scope is required because we use the OIDC protocol. It will give your app access to the user's basic information such as username, email and full name. |
| 45 | * **group **(optional)**: **If you request this scope, the future access token generated will authorize your app to identify which units and groups the user belongs to. | ||
| 46 | * **team **(optional)**: **This scope is like the group scope lets your app identify the permissions of the user, but by identifying what collabs the user has access to and with what roles. | ||
| |
17.2 | 47 | * **clb.wiki.read **(optional): access to GET Collab API |
| |
17.3 | 48 | * **clb.wiki.write** (optional): access to DELETE/PUT/POST Collab API |
| 49 | * **clb.drive:read **(optional): access to GET Drive API | ||
| 50 | * **clb.drive:write** (optional): access to DELETE/PUT/POST Drive API | ||
| |
2.2 | 51 | |
| |
13.1 | 52 | {{info}} |
| 53 | The group and team scopes are a simple way for your app to grant permissions to its services and resources when you want to grant access to a very few units, groups, or collab teams. For more complex permission management, contact support. | ||
| 54 | {{/info}} | ||
| |
2.2 | 55 | |
| 56 | ==== Response ==== | ||
| 57 | |||
| |
13.1 | 58 | Once the user has logged in, your app gets an HTTP 301 redirection followed by an HTTP 200 success response with an authorization **code** inside. A typical response might look like: |
| |
2.2 | 59 | |
| |
13.1 | 60 | https:~/~/www.getpostman.com/oauth2/callback?session_state=a0ff8a68-2654-43ef-977a-6c15ce343546&code=**f3f04f93-hbp-482d-ac3d-demo.turtorial.7122c1d9-3f7e-4d80-9c4f-dcd244bc2ec7** |
| |
2.2 | 61 | |
| 62 | (% class="box infomessage" %) | ||
| 63 | ((( | ||
| |
13.1 | 64 | The authorization **code** is the part in bold in the response above. |
| |
2.2 | 65 | ))) |
| 66 | |||
| |
3.2 | 67 | === Access Token Request === |
| 68 | |||
| |
13.1 | 69 | (% class="wikigeneratedid" id="HRequest-1" %) |
| 70 | Now that your app has the **authorization** **code** for a user, it can fetch the user access token | ||
| 71 | |||
| |
3.2 | 72 | ==== Request ==== |
| 73 | |||
| |
17.1 | 74 | /POST: [[https:~~/~~/iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/token>>https://iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/token]] |
| |
3.2 | 75 | |
| |
13.1 | 76 | with the following parameters: |
| |
3.2 | 77 | |
| |
13.1 | 78 | * grant_type: authorization_code |
| 79 | * code: **//f3f04f93-hbp-482d-ac3d-demo.turtorial.7122c1d9-3f7e-4d80-9c4f-dcd244bc2ec7//** | ||
| 80 | * redirect_uri: **//[[https:~~/~~/www.getpostman.com/oauth2/callback>>https://www.getpostman.com/oauth2/callback]]//** | ||
| 81 | * client_id: **//community-apps-tutorial//** | ||
| 82 | * client_secret: **//your client secret obtained during client creation//** | ||
| |
3.2 | 83 | |
| |
13.1 | 84 | The image below shows a sample POST request generated from the Postman tool. [The fact that this page is based on getpostman.com as an example is pure coincidence.] |
| |
3.2 | 85 | |
| 86 | [[image:Screenshot 2020-07-15 at 18.20.34.png]] | ||
| 87 | |||
| 88 | |||
| 89 | ==== Response ==== | ||
| 90 | |||
| 91 | 200 OK | ||
| 92 | |||
| 93 | (% class="box" %) | ||
| 94 | ((( | ||
| 95 | { | ||
| 96 | "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAi...pP5vaNwvvsaNGEA", | ||
| 97 | "expires_in": 604773, | ||
| 98 | "refresh_expires_in": 604773, | ||
| 99 | "refresh_token": "eyJh...vC5eIR1rNhRJ4d8", | ||
| 100 | "token_type": "bearer", | ||
| 101 | "id_token": "eyJ...YOwdQ", | ||
| 102 | "not-before-policy": 0, | ||
| 103 | "session_state": "76e553bf-ba2e-45b6-8c6c-c867772b40ec", | ||
| 104 | "scope": "openid" | ||
| 105 | } | ||
| 106 | ))) | ||
| 107 | |||
| |
13.1 | 108 | Your app gets a response containing the **access token** and other information. |
| |
5.1 | 109 | |
| 110 | == Access user info == | ||
| 111 | |||
| |
13.1 | 112 | Now that your app has the access token of a user, it can fetch the user's info. |
| 113 | |||
| |
10.1 | 114 | ==== Request ==== |
| 115 | |||
| |
17.1 | 116 | /GET: [[https:~~/~~/iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/userinfo>>https://iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/userinfo]] |
| |
5.1 | 117 | |
| |
13.1 | 118 | with the following parameters: |
| |
5.1 | 119 | |
| |
13.1 | 120 | * Authorization: the access token preceded by the string "Bearer " |
| |
5.1 | 121 | |
| |
13.1 | 122 | The image below shows a sample GET request generated from the Postman tool. [The fact that this page is based on getpostman.com as an example is pure coincidence.] |
| 123 | |||
| |
5.1 | 124 | [[image:Screenshot 2020-07-15 at 18.28.28.png||height="161" width="566"]] |
| 125 | |||
| |
10.1 | 126 | ==== Response ==== |
| 127 | |||
| |
16.1 | 128 | As response your app receives a JSON with all the information about the logged user |
| |
5.1 | 129 | |
| 130 | (% class="box" %) | ||
| 131 | ((( | ||
| 132 | { | ||
| |
13.1 | 133 | "sub": "fa2db206-3...0ebaba98e1", |
| |
5.1 | 134 | "unit": [ |
| 135 | "/all/institutions/switzerland/epfl", | ||
| 136 | "/all/projects/hbp/consortium/SGA2/SP05", | ||
| 137 | "/all/projects/hbp/consortium/SGA3/WP6/T6_11" | ||
| 138 | ], | ||
| 139 | "roles": { | ||
| 140 | "jupyterhub": [ | ||
| 141 | "feature:authenticate" | ||
| 142 | ], | ||
| 143 | "xwiki": [ | ||
| 144 | "feature:authenticate" | ||
| 145 | ], | ||
| 146 | "team": [ | ||
| |
13.1 | 147 | "**collab**-collaboratory-community-apps-**editor**" |
| |
5.1 | 148 | ], |
| 149 | "group": [ | ||
| |
13.1 | 150 | "**group**-collaboratory-developers", |
| |
16.1 | 151 | "**unit**-all-projects-hbp-consortium-sga2-sp05-**administrator**" |
| |
5.1 | 152 | ] |
| 153 | }, | ||
| |
13.1 | 154 | "mitreid-sub": "30...62" |
| |
5.1 | 155 | } |
| 156 | ))) | ||
| |
13.1 | 157 | |
| |
16.1 | 158 | The unit field above lists Collaboratory Units which the user is a member of, with the unit name using slashes instead of the colons you see in the Collaboratory UI. |
| |
13.1 | 159 | |
| |
16.1 | 160 | jupyterhub and xwiki are OIDC clients with more advanced permission management. |
| |
13.1 | 161 | |
| |
16.1 | 162 | The team field above lists Collaboratory Teams which the user is a member of, in the form "collab-//collabname//-//role//" where //role //is one of admin, editor, or viewer according to the user's role in collab //collabname//. |
| |
13.1 | 163 | |
| |
16.1 | 164 | The group field above lists Collaboratory Groups which the user is a member of, in the form "group-//groupname//". It also lists Collaboratory Units which the user is an admin of, in the form "unit-//unitname//-administrator" with //unitname //using dashes instead of the colons you see in the Collaboratory UI. |