Failed to execute template. Cause: [Access denied when checking [script] access to [xwiki:Collaboratory.UX.HbpSkin.WebHome] for user [xwiki:XWiki.Admin]]. Click on this message for details.

my article - HBP Wiki

IAM21 instance, do not create collab nor modify a team, your changes will be lost


Changes for page my article

Last modified by allan on 2019/11/12 13:26
From version 1.1
edited by allan
on 2019/11/12 10:46
Change comment: There is no comment for this version
To version 3.1
edited by allan
on 2019/11/12 12:14
Change comment: There is no comment for this version

Summary

Details

Page properties
Content
... ... @@ -1,1 +1,192 @@
1 -some content
1 +Developers can extend the Collaboratory capabilities by providing applications to its community of users.
2 +
3 +This guide describes the steps to make this possible.
4 +
5 +== Becoming a contributor ==
6 +
7 +The first step is for you to **become a contributor**. Contributors can register and manage applications within the Community Apps Catalogue.
8 +
9 +Send an email to [[support@humanbrainproject.eu>>path:mailto:support@humanbrainproject.eu]] with a short summary of your intentions.
10 +
11 +The support team will apply the permissions to your user: your account will be upgraded with developers privileges the next time you will login.
12 +
13 +Only SGA2 accredited users will be automatically granted the contributor level.
14 +
15 +== Registering an application in the Catalogue ==
16 +
17 +Collab authors find applications to add to their collabs in the Community Apps Catalogue.
18 +
19 +{{error}}
20 +TODO: describe the steps to register an app in the Catalogue
21 +{{/error}}
22 +
23 +== Creating your OpenID Connect client ==
24 +
25 +The steps to create an OpenID Connect client are the following:
26 +
27 +1. get an access token from the `developer` client
28 +1. use the token to call the create endpoint
29 +1. save your registration access token for further modifications of your client
30 +
31 +=== Fetching your developer access token ===
32 +
33 +==== some h4 ====
34 +
35 +Getting your developer token is done in one simple step: authenticate against the developer client with the password grant.
36 +
37 +This can be achieved with this sample shell script:
38 +
39 +{{code language="bash"}}
40 +# Gather username and password from user
41 +echo '\nEnter your username' && read clb_dev_username &&
42 +echo '\nEnter your password' && read -s clb_dev_pwd &&
43 +
44 +# Fetch the token
45 +curl -X POST https://iam.humanbrainproject.eu/auth/realms/hbp/protocol/openid-connect/token \
46 + -u developer: \
47 + -d 'grant_type=password' \
48 + -d "username=${clb_dev_username}" \
49 + -d "password=${clb_dev_pwd}" |
50 +
51 +# Prettify the JSON response
52 +json_pp;
53 +
54 +# Erase the credentials from local variables
55 +clb_dev_pwd='';clb_dev_username=''
56 +{{/code}}
57 +
58 +The response will be similar to:
59 +
60 +{{code language="json"}}
61 +{
62 + "access_token": "eyJhbGci...",
63 + "expires_in": 108000,
64 + "refresh_expires_in": 14400,
65 + "refresh_token": "eyJhbGci...",
66 + "token_type": "bearer",
67 + "not-before-policy": 1563261088,
68 + "session_state": "0ac3dfcd-aa5e-42eb-b333-2f73496b81f8",
69 + "scope": ""
70 +}
71 +{{/code}}
72 +
73 +Copy the "access_token" value, you will need if for the next step.
74 +
75 +=== Creating the client ===
76 +
77 +You can now create clients by sending a JSON representation to a specific endpoint:
78 +
79 +{{code language="bash"}}
80 +# Set your developer token
81 +clb_dev_token=...
82 +
83 +# Send the creation request
84 +curl -X POST https://iam.humanbrainproject.eu/auth/realms/hbp/clients-registrations/default/ \
85 + -H "Authorization: Bearer ${clb_dev_token}" \
86 + -H 'Content-Type: application/json' \
87 + -d '{
88 + "clientId": "my-awesome-client",
89 + "name": "My Awesome App",
90 + "description": "This describes what my app is for end users",
91 + "rootUrl": "https://root.url.of.my.app",
92 + "baseUrl": "/relative/path/to/its/frontpage.html",
93 + "redirectUris": [
94 + "/relative/redirect/path",
95 + "/these/can/use/wildcards/*"
96 + ],
97 + "webOrigins": ["+"],
98 + "bearerOnly": false,
99 + "consentRequired": true,
100 + "standardFlowEnabled": true,
101 + "implicitFlowEnabled": true,
102 + "directAccessGrantsEnabled": false,
103 + "attributes": {
104 + "contacts": "first.contact@example.com; second.contact@example.com"
105 + }
106 + }' |
107 +
108 +# Prettify the JSON response
109 +json_pp;
110 +{{/code}}
111 +
112 +In case of success, the endpoint will return its representation of your client:
113 +
114 +{{code language="json"}}
115 +{
116 + "defaultClientScopes" : [
117 + "web-origins",
118 + "roles"
119 + ],
120 + "redirectUris" : [
121 + "/relative/redirect/path",
122 + "/these/can/use/wildcards/*"
123 + ],
124 + "nodeReRegistrationTimeout" : -1,
125 + "rootUrl" : "https://root.url.of.my.app",
126 + "webOrigins" : [
127 + "+"
128 + ],
129 + "authenticationFlowBindingOverrides" : {},
130 + "baseUrl" : "/relative/path/to/its/frontpage.html",
131 + "description" : "This describes what my app is for end users",
132 + "notBefore" : 0,
133 + "frontchannelLogout" : false,
134 + "enabled" : true,
135 + "registrationAccessToken" : "eyJhbGciOi...",
136 + "consentRequired" : true,
137 + "fullScopeAllowed" : false,
138 + "clientAuthenticatorType" : "client-secret",
139 + "surrogateAuthRequired" : false,
140 + "directAccessGrantsEnabled" : false,
141 + "standardFlowEnabled" : true,
142 + "id" : "551b49a0-ec69-41af-9461-6c10fbc79a35",
143 + "attributes" : {
144 + "contacts" : "first.contact@example.com; second.contact@example.com"
145 + },
146 + "name" : "My Awesome App",
147 + "secret" : "your-client-secret",
148 + "publicClient" : false,
149 + "clientId" : "my-awesome-client",
150 + "optionalClientScopes" : [],
151 + "implicitFlowEnabled" : true,
152 + "protocol" : "openid-connect",
153 + "bearerOnly" : false,
154 + "serviceAccountsEnabled" : false
155 +}
156 +{{/code}}
157 +
158 +Among all the attributes, you should securely save:
159 +
160 +* your client **secret** ("secret" attribute): it is needed by your application to **authenticate to the IAM server** when making backend calls
161 +* your client **registration access token** ("registrationAccessToken"): you will need it to authenticate when **modifying your client in the future**
162 +
163 +=== Modifying your client ===
164 +
165 +Update your client with a PUT request:
166 +
167 +{{code language="bash"}}
168 +# Set your registration token and client id
169 +clb_reg_token=...
170 +
171 +# Update the client
172 +curl -X PUT https://iam.humanbrainproject.eu/auth/realms/hbp/clients-registrations/default/my-awesome-client \
173 + -H "Authorization: Bearer ${clb_reg_token}" \
174 + -H 'Content-Type: application/json' \
175 + -d '{
176 + "clientId": "my-awesome-client",
177 + "redirectUris": [
178 + "/relative/redirect/path",
179 + "/these/can/use/wildcards/*",
180 + "/a/new/redirect/uri"
181 + ]
182 + }' |
183 +
184 +# Prettify the JSON response
185 +json_pp;
186 +{{/code}}
187 +
188 + Note that your need to provide your client id both in the endpoint URL and within the body of the request.
189 +
190 +{{warning}}
191 +/!\ ** Each time you modify your client, a new registration access token will be generated. You need to track of your token changes to keep access to your client.   **/!\
192 +{{/warning}}
Public

allan collab