Wiki source code of my article
Hide last authors
| author | version | line-number | content |
|---|---|---|---|
 |
2.1 | 1 | Developers can extend the Collaboratory capabilities by providing applications to its community of users. |
| 2 | |||
| 3 | This guide describes the steps to make this possible. | ||
| 4 | |||
| 5 | == Becoming a contributor == | ||
| 6 | |||
| 7 | The first step is for you to **become a contributor**. Contributors can register and manage applications within the Community Apps Catalogue. | ||
| 8 | |||
| 9 | Send an email to [[support@humanbrainproject.eu>>path:mailto:support@humanbrainproject.eu]] with a short summary of your intentions. | ||
| 10 | |||
| 11 | The support team will apply the permissions to your user: your account will be upgraded with developers privileges the next time you will login. | ||
| 12 | |||
| 13 | Only SGA2 accredited users will be automatically granted the contributor level. | ||
| 14 | |||
| 15 | == Registering an application in the Catalogue == | ||
| 16 | |||
| 17 | Collab authors find applications to add to their collabs in the Community Apps Catalogue. | ||
| 18 | |||
| 19 | {{error}} | ||
| 20 | TODO: describe the steps to register an app in the Catalogue | ||
| 21 | {{/error}} | ||
| 22 | |||
| 23 | == Creating your OpenID Connect client == | ||
| 24 | |||
| 25 | The steps to create an OpenID Connect client are the following: | ||
| 26 | |||
| 27 | 1. get an access token from the `developer` client | ||
| 28 | 1. use the token to call the create endpoint | ||
| 29 | 1. save your registration access token for further modifications of your client | ||
| 30 | |||
| 31 | === Fetching your developer access token === | ||
| 32 | |||
| 33 | Getting your developer token is done in one simple step: authenticate against the developer client with the password grant. | ||
| 34 | |||
| 35 | This can be achieved with this sample shell script: | ||
| 36 | |||
| 37 | {{code language="bash"}} | ||
| 38 | # Gather username and password from user | ||
| 39 | echo '\nEnter your username' && read clb_dev_username && | ||
| 40 | echo '\nEnter your password' && read -s clb_dev_pwd && | ||
| 41 | |||
| 42 | # Fetch the token | ||
| 43 | curl -X POST https://iam.humanbrainproject.eu/auth/realms/hbp/protocol/openid-connect/token \ | ||
| 44 | -u developer: \ | ||
| 45 | -d 'grant_type=password' \ | ||
| 46 | -d "username=${clb_dev_username}" \ | ||
| 47 | -d "password=${clb_dev_pwd}" | | ||
| 48 | |||
| 49 | # Prettify the JSON response | ||
| 50 | json_pp; | ||
| 51 | |||
| 52 | # Erase the credentials from local variables | ||
| 53 | clb_dev_pwd='';clb_dev_username='' | ||
| 54 | {{/code}} | ||
| 55 | |||
| 56 | The response will be similar to: | ||
| 57 | |||
| 58 | {{code language="json"}} | ||
| 59 | { | ||
| 60 | "access_token": "eyJhbGci...", | ||
| 61 | "expires_in": 108000, | ||
| 62 | "refresh_expires_in": 14400, | ||
| 63 | "refresh_token": "eyJhbGci...", | ||
| 64 | "token_type": "bearer", | ||
| 65 | "not-before-policy": 1563261088, | ||
| 66 | "session_state": "0ac3dfcd-aa5e-42eb-b333-2f73496b81f8", | ||
| 67 | "scope": "" | ||
| 68 | } | ||
| 69 | {{/code}} | ||
| 70 | |||
| 71 | Copy the "access_token" value, you will need if for the next step. | ||
| 72 | |||
| 73 | === Creating the client === | ||
| 74 | |||
| 75 | You can now create clients by sending a JSON representation to a specific endpoint: | ||
| 76 | |||
| 77 | {{code language="bash"}} | ||
| 78 | # Set your developer token | ||
| 79 | clb_dev_token=... | ||
| 80 | |||
| 81 | # Send the creation request | ||
| 82 | curl -X POST https://iam.humanbrainproject.eu/auth/realms/hbp/clients-registrations/default/ \ | ||
| 83 | -H "Authorization: Bearer ${clb_dev_token}" \ | ||
| 84 | -H 'Content-Type: application/json' \ | ||
| 85 | -d '{ | ||
| 86 | "clientId": "my-awesome-client", | ||
| 87 | "name": "My Awesome App", | ||
| 88 | "description": "This describes what my app is for end users", | ||
| 89 | "rootUrl": "https://root.url.of.my.app", | ||
| 90 | "baseUrl": "/relative/path/to/its/frontpage.html", | ||
| 91 | "redirectUris": [ | ||
| 92 | "/relative/redirect/path", | ||
| 93 | "/these/can/use/wildcards/*" | ||
| 94 | ], | ||
| 95 | "webOrigins": ["+"], | ||
| 96 | "bearerOnly": false, | ||
| 97 | "consentRequired": true, | ||
| 98 | "standardFlowEnabled": true, | ||
| 99 | "implicitFlowEnabled": true, | ||
| 100 | "directAccessGrantsEnabled": false, | ||
| 101 | "attributes": { | ||
| 102 | "contacts": "first.contact@example.com; second.contact@example.com" | ||
| 103 | } | ||
| 104 | }' | | ||
| 105 | |||
| 106 | # Prettify the JSON response | ||
| 107 | json_pp; | ||
| 108 | {{/code}} | ||
| 109 | |||
| 110 | In case of success, the endpoint will return its representation of your client: | ||
| 111 | |||
| 112 | {{code language="json"}} | ||
| 113 | { | ||
| 114 | "defaultClientScopes" : [ | ||
| 115 | "web-origins", | ||
| 116 | "roles" | ||
| 117 | ], | ||
| 118 | "redirectUris" : [ | ||
| 119 | "/relative/redirect/path", | ||
| 120 | "/these/can/use/wildcards/*" | ||
| 121 | ], | ||
| 122 | "nodeReRegistrationTimeout" : -1, | ||
| 123 | "rootUrl" : "https://root.url.of.my.app", | ||
| 124 | "webOrigins" : [ | ||
| 125 | "+" | ||
| 126 | ], | ||
| 127 | "authenticationFlowBindingOverrides" : {}, | ||
| 128 | "baseUrl" : "/relative/path/to/its/frontpage.html", | ||
| 129 | "description" : "This describes what my app is for end users", | ||
| 130 | "notBefore" : 0, | ||
| 131 | "frontchannelLogout" : false, | ||
| 132 | "enabled" : true, | ||
| 133 | "registrationAccessToken" : "eyJhbGciOi...", | ||
| 134 | "consentRequired" : true, | ||
| 135 | "fullScopeAllowed" : false, | ||
| 136 | "clientAuthenticatorType" : "client-secret", | ||
| 137 | "surrogateAuthRequired" : false, | ||
| 138 | "directAccessGrantsEnabled" : false, | ||
| 139 | "standardFlowEnabled" : true, | ||
| 140 | "id" : "551b49a0-ec69-41af-9461-6c10fbc79a35", | ||
| 141 | "attributes" : { | ||
| 142 | "contacts" : "first.contact@example.com; second.contact@example.com" | ||
| 143 | }, | ||
| 144 | "name" : "My Awesome App", | ||
| 145 | "secret" : "your-client-secret", | ||
| 146 | "publicClient" : false, | ||
| 147 | "clientId" : "my-awesome-client", | ||
| 148 | "optionalClientScopes" : [], | ||
| 149 | "implicitFlowEnabled" : true, | ||
| 150 | "protocol" : "openid-connect", | ||
| 151 | "bearerOnly" : false, | ||
| 152 | "serviceAccountsEnabled" : false | ||
| 153 | } | ||
| 154 | {{/code}} | ||
| 155 | |||
| 156 | Among all the attributes, you should securely save: | ||
| 157 | |||
| 158 | * your client **secret** ("secret" attribute): it is needed by your application to **authenticate to the IAM server** when making backend calls | ||
| 159 | * your client **registration access token** ("registrationAccessToken"): you will need it to authenticate when **modifying your client in the future** | ||
| 160 | |||
| 161 | === Modifying your client === | ||
| 162 | |||
| 163 | Update your client with a PUT request: | ||
| 164 | |||
| 165 | {{code language="bash"}} | ||
| 166 | # Set your registration token and client id | ||
| 167 | clb_reg_token=... | ||
| 168 | |||
| 169 | # Update the client | ||
| 170 | curl -X PUT https://iam.humanbrainproject.eu/auth/realms/hbp/clients-registrations/default/my-awesome-client \ | ||
| 171 | -H "Authorization: Bearer ${clb_reg_token}" \ | ||
| 172 | -H 'Content-Type: application/json' \ | ||
| 173 | -d '{ | ||
| 174 | "clientId": "my-awesome-client", | ||
| 175 | "redirectUris": [ | ||
| 176 | "/relative/redirect/path", | ||
| 177 | "/these/can/use/wildcards/*", | ||
| 178 | "/a/new/redirect/uri" | ||
| 179 | ] | ||
| 180 | }' | | ||
| 181 | |||
| 182 | # Prettify the JSON response | ||
| 183 | json_pp; | ||
| 184 | {{/code}} | ||
| 185 | |||
| 186 | Note that your need to provide your client id both in the endpoint URL and within the body of the request. | ||
| 187 | |||
| 188 | {{warning}} | ||
| 189 | /!\ ** Each time you modify your client, a new registration access token will be generated. You need to track of your token changes to keep access to your client. **/!\ | ||
| 190 | {{/warning}} |