Attention: Due to an upgrade beginning on Friday, the 22nd August 2025, any new collabs, groups and any changes to teams will not be kept beyond the weekend. User creation will also be disabled during this time. The actual upgrade will take place on Wednesday, 27th August. On that day, any service requiring a Keycloak login will be unavailable for the duration of the upgrade. Thank you for your understanding as we complete this important work.

For the duration of the maintenance period, Collaboration and Group creation features will be temporarily disabled and will return HTTP 503 Service Unavailable errors until further notice.


Authenticating with your OIDC client and fetch collab user info

Version 3.1 by messines on 2020/07/15 18:20

Abstract

You had been creating an OIDC client following our guide https://wiki.ebrains.eu/bin/view/Collabs/collaboratory-community-apps/Community%20App%20Developer%20Guide/Registering%20an%20OIDC%20client/

The redirect_uri is set with the url of your application, in this exemple we will use postman, a platform for api developement, use your own application, for exemple when you loggin to this wiki, the redirect uri is https://wiki.ebrains.eu/*

The client is confidential with a secret, you obtain it throught the registering oidc client tutorial above.

Screenshot 2020-07-15 at 17.47.12.png

The whole authentication flow presented here is based on the official OAuth2 rfc describe in the section 4.1

https://tools.ietf.org/html/rfc6749#section-4.1

Authentication flow

Authorization Code Grant

Request

/GET on https://iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/auth 

with query parameters

so

https://iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/auth?response_type=code&client_id=community-apps-tutorial&redirect_uri=https://www.getpostman.com/oauth2/callback&login=true&scope=openid+group+team

Of course replace client_id and redirect_uri with your own configuration

This will redirect you to the login page of iam where your user must enter they username/password

Scope

In the request you can see a scope parameter

  • openid : This scope is required in oidc, it contains basic information of the user such as it username, email and full name.
  • group ( optional ) :

Response

After the loggin, you got a 301 redirection and 200 success http response with a code inside

https://www.getpostman.com/oauth2/callback?session_state=a0ff8a68-2654-43ef-977a-6c15ce343546&code=f3f04f93-hbp-482d-ac3d-demo.turtorial.7122c1d9-3f7e-4d80-9c4f-dcd244bc2ec7

the code is very important for the next step here the code is f3f04f93-hbp-482d-ac3d-demo.turtorial.7122c1d9-3f7e-4d80-9c4f-dcd244bc2ec7