Authenticating with your OIDC client and fetch collab user info
Abstract
You had been creating an OIDC client following our guide https://wiki.ebrains.eu/bin/view/Collabs/collaboratory-community-apps/Community%20App%20Developer%20Guide/Registering%20an%20OIDC%20client/
The redirect_uri is set with the url of your application, in this exemple we will use postman, a platform for api developement, use your own application, for exemple when you loggin to this wiki, the redirect uri is https://wiki.ebrains.eu/*
The client is confidential with a secret, you obtain it throught the registering oidc client tutorial above.
The whole authentication flow presented here is based on the official OAuth2 rfc describe in the section 4.1
https://tools.ietf.org/html/rfc6749#section-4.1
Authentication flow
Authorization Code Grant
Request
/GET on https://iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/auth
with query parameters
- response_type=code
- client_id=community-apps-tutorial
- redirect_uri=https://www.getpostman.com/oauth2/callback
- login=true
- scope=openid+group+team
so
Of course replace client_id and redirect_uri with your own configuration
This will redirect you to the login page of iam where your user must enter they username/password
Scope
In the request you can see a scope parameter
- openid : This scope is required in oidc, it contains basic information of the user such as it username, email and full name.
- group ( optional ) : This scope is provided by our service, if you add it to your authorization code grant request, the futur access token generated will be able to read which units and groups the logged user belongs, it can be very important for your application. You can notice on the screenshot in the abstract section that Consent required is on, it means that at loggin time, the user will be asked if he allow your application to access there unit and group membership
- team ( optional ) : Very same than group, but for collab, with this scope your application will know in which collab the authenticated user belong
Response
After the loggin, you got a 301 redirection and 200 success http response with a code inside
Access Token Request
Request
Now that you have the authorization code, you can reach the /token endpoint and fetch the user access token
/POST : https:/iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/token
with params
- grant_type : authorization_code
- code : f3f04f93-hbp-482d-ac3d-demo.turtorial.7122c1d9-3f7e-4d80-9c4f-dcd244bc2ec7
- redirect_uri : https://www.getpostman.com/oauth2/callback
- client_id : community-apps-tutorial
- client_secret : your client secret obtained during client creation
Response
200 OK
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAi...pP5vaNwvvsaNGEA",
"expires_in": 604773,
"refresh_expires_in": 604773,
"refresh_token": "eyJh...vC5eIR1rNhRJ4d8",
"token_type": "bearer",
"id_token": "eyJ...YOwdQ",
"not-before-policy": 0,
"session_state": "76e553bf-ba2e-45b6-8c6c-c867772b40ec",
"scope": "openid"
}
You get a response containing the access token and others
Access user info
Now that your application got the access token of your user, it's really easy to fetch user info
and just provide the access token as Authentication header
As response you will have a json with all the information on the logged user, for my user
{
"sub": "fa2db206-3eb4-403c-894a-810ebaba98e1",
"unit": [
"/collab-devs",
"/collab-team",
"/all/institutions/switzerland/epfl",
"/all/projects/hbp/consortium/SGA2/SP05",
"/all/projects/hbp/consortium/SGA3/WP6/T6_11"
],
"roles": {
"jupyterhub": [
"feature:authenticate"
],
"xwiki": [
"feature:authenticate"
],
"team": [
"collab-collaboratory-community-apps-editor"
],
"group": [
"group-collaboratory-developers",
"unit-all-projects-hbp-consortium-sga2-sp05-administrator"
]
},
"mitreid-sub": "305862"
}