Wiki source code of Using your OIDC client as a service account
Show last authors
| author | version | line-number | content |
|---|---|---|---|
| 1 | |||
| 2 | |||
| 3 | == Abstract == | ||
| 4 | |||
| 5 | With IAM, you have the possibility of logging in and using your client_id and your secret to generate an access token. | ||
| 6 | |||
| 7 | This can be particularly useful to access another application. You can use your OIDC client to login to your app but also then to reach other services such as the Collaboratory Drive and Collaboratory API. | ||
| 8 | |||
| 9 | == Configure your OIDC Client == | ||
| 10 | |||
| 11 | The first thing to do is to configure your OIDC client as a service account. You just have to set **"serviceAccountsEnabled" : true** in the definition of your OIDC client as documented under [[How to modify your OIDC client.>>doc:Collabs.collab-devs.collaboratory-v2.keycloak.1\. Registering an OIDC client.WebHome]] | ||
| 12 | |||
| 13 | {{code language="json"}} | ||
| 14 | { | ||
| 15 | "defaultClientScopes" : [ | ||
| 16 | "web-origins", | ||
| 17 | "roles" | ||
| 18 | ], | ||
| 19 | "redirectUris" : [ | ||
| 20 | "/relative/redirect/path", | ||
| 21 | "/these/can/use/wildcards/*" | ||
| 22 | ], | ||
| 23 | ..., | ||
| 24 | |||
| 25 | ..., | ||
| 26 | "serviceAccountsEnabled" : true | ||
| 27 | } | ||
| 28 | {{/code}} | ||
| 29 | |||
| 30 | == Generate an access token using client credentials == | ||
| 31 | |||
| 32 | Next, you can generate an access token. | ||
| 33 | |||
| 34 | ==== Endpoint: ==== | ||
| 35 | |||
| 36 | [[https:~~/~~/iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/token>>https://iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/token]] | ||
| 37 | |||
| 38 | ==== Parameters: ==== | ||
| 39 | |||
| 40 | **Request Body** | ||
| 41 | grant_type: "client_credentials" | ||
| 42 | client_id: "clientId" | ||
| 43 | client_secret: "clientSecret" | ||
| 44 | scope: "The scopes you need and which are available in your client" | ||
| 45 | |||
| 46 | ==== Sample request: ==== | ||
| 47 | |||
| 48 | {{code language="bash"}} | ||
| 49 | # Request to get an access token | ||
| 50 | curl -X POST https://iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/token \ | ||
| 51 | -H 'Content-Type: application/x-www-form-urlencoded' \ | ||
| 52 | -d "grant_type=client_credentials&client_id=myclient&client_secret=mysecret&scope=email%20profile%20team%20group%20clb.wiki.read%20clb.wiki.write" | ||
| 53 | |||
| 54 | {{/code}} | ||
| 55 | |||
| 56 | == Add roles to your service account == | ||
| 57 | |||
| 58 | For some use-cases, it's useful to add specific roles to your service-account user (if you want to give access to collabs, establish service-2-service communication and/or unsupervised automation scripts). If you want to do so, please contact us at [[https:~~/~~/ebrains.eu/support>>url:https://ebrains.eu/support]], incl. the information about the client you would like to assign roles to. | ||
| 59 | |||
| 60 | |||
| 61 | Examples: | ||
| 62 | |||
| 63 | * ((( | ||
| 64 | I would like to run a python script every night reading protected information from the EBRAINS Knowledge Graph. I've also already registered an OIDC client and am able to request an access token via the "client_credentials" flow (see above). To get the permissions to read the protected information, my service account needs to be assigned specific roles or it needs to be added to an existing user group. I therefore request my OIDC client service account to be properly assigned to the specific role / group via support. | ||
| 65 | ))) | ||
| 66 | * ((( | ||
| 67 | I have built a service which is consuming information from another EBRAINS service - e.g. to populate a specific index database. The service is using the client_credentials flow again to get the access token and requests the assignment of roles / the membership in a group via support. | ||
| 68 | ))) | ||
| 69 | |||
| 70 |