Posted to issues@airavata.apache.org by "Marcus Christie (JIRA)" <ji...@apache.org> on 2018/10/11 17:06:00 UTC
[jira] [Commented] (AIRAVATA-2889) Use service account to authenticate Django portal to IamAdminService
[ https://issues.apache.org/jira/browse/AIRAVATA-2889?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16646767#comment-16646767 ]
Marcus Christie commented on AIRAVATA-2889:
-------------------------------------------
Some investigation into getting a service account token
https://www.keycloak.org/docs/4.5/server_admin/#_service_accounts
h5. Getting a token
{noformat}
curl -u <client_id:client_secret> -d grant_type=client_credentials https://iamdev.scigap.org/auth/realms/seagrid/protocol/openid-connect/token
{noformat}
h5. Getting userinfo
{noformat}
curl -H "Authorization: Bearer $ACCESS_TOKEN" https://iamdev.scigap.org/auth/realms/seagrid/protocol/openid-connect/userinfo | python3 -m json.tool
{
"sub": "8abe883d-bc31-4d71-9731-ba66428fec29",
"name": "",
"preferred_username": "service-account-pga",
"email": "service-account-pga@placeholder.org"
}
{noformat}
h5. Token introspection
{noformat}
curl -u pga:<client_secret> -d token=$ACCESS_TOKEN https://iamdev.scigap.org/auth/realms/seagrid/protocol/openid-connect/token/introspect | python3 -m json.tool
{
"jti": "ab2ada96-c25f-47f5-916c-3eed44391964",
"exp": 1538582518,
"nbf": 0,
"iat": 1538580718,
"iss": "https://iamdev.scigap.org/auth/realms/seagrid",
"aud": "pga",
"sub": "8abe883d-bc31-4d71-9731-ba66428fec29",
"typ": "Bearer",
"azp": "pga",
"auth_time": 0,
"session_state": "ac500c97-06c1-43f0-bab2-1b487e9f7abd",
"name": "",
"preferred_username": "service-account-pga",
"email": "service-account-pga@placeholder.org",
"acr": "1",
"client_session": "8ddde058-3b77-40d5-8b22-591ddcd50a9a",
"allowed-origins": [
"https://dev.seagrid.org"
],
"realm_access": {
"roles": [
"uma_authorization"
]
},
"resource_access": {
"pga": {
"roles": [
"uma_protection",
"gateway-user"
]
},
"account": {
"roles": [
"manage-account",
"view-profile"
]
}
},
"clientId": "pga",
"clientHost": "149.160.159.219",
"clientAddress": "149.160.159.219",
"client_id": "pga",
"username": "service-account-pga",
"active": true
}
{noformat}
Added manage-users to 'pga' client under the Service Account Roles tab. See https://www.keycloak.org/docs/latest/server_admin/index.html#_service_accounts
With that I was able to authenticate to the REST API and get a list of users:
{noformat}
curl -vvv -H "Authorization: Bearer $ACCESS_TOKEN" https://iamdev.scigap.org/auth/admin/realms/seagrid/users/ | python3 -m json.tool
{noformat}
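The three curl calls above (client_credentials token, introspection, admin users listing) as one small Python client, added here as an illustration and not code from the Airavata project or from the comment. It uses only the standard library and the endpoints shown in the comment. The transport is injectable so the flow can be exercised offline against a constructed stand-in for Keycloak; passing no `http` argument sends real requests. The stand-in's responses are constructed and only mirror the shape of the output above; it also assumes that, once the realm-management client's manage-users role is assigned on the Service Account Roles tab, the token's `resource_access` carries it under the `realm-management` key, which is where Keycloak reports client roles. Before touching the admin API, `token_is_usable` checks that the introspection says the token is active, unexpired, and actually carries that role, so a misconfigured client fails fast with a clear reason instead of a 403 deep inside the portal.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Endpoints from the comment (Keycloak 4.x layout, /auth prefix).
BASE_URL = "https://iamdev.scigap.org/auth"
REALM = "seagrid"


def realm_url(path, base_url=BASE_URL, realm=REALM):
    return f"{base_url}/realms/{realm}/protocol/openid-connect/{path}"


def admin_url(path, base_url=BASE_URL, realm=REALM):
    return f"{base_url}/admin/realms/{realm}/{path}"


def basic_auth_header(client_id, client_secret):
    # The client authentication that `curl -u id:secret` performs: HTTP Basic.
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def _urllib_http(method, url, headers, form=None):
    """Default transport: send the request, return the decoded JSON body."""
    data = urllib.parse.urlencode(form).encode() if form is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def get_service_account_token(client_id, client_secret, http=_urllib_http):
    """client_credentials grant: the client itself is the authenticated subject."""
    body = http("POST", realm_url("token"),
                {"Authorization": basic_auth_header(client_id, client_secret)},
                {"grant_type": "client_credentials"})
    return body["access_token"]


def introspect_token(client_id, client_secret, access_token, http=_urllib_http):
    """Ask the IdP what it thinks of the token (active, exp, roles, ...)."""
    return http("POST", realm_url("token/introspect"),
                {"Authorization": basic_auth_header(client_id, client_secret)},
                {"token": access_token})


def list_users(access_token, http=_urllib_http):
    """Admin REST call that needs the manage-users role on the service account."""
    return http("GET", admin_url("users/"),
                {"Authorization": f"Bearer {access_token}"})


def has_client_role(introspection, client, role):
    roles = introspection.get("resource_access", {}).get(client, {}).get("roles", [])
    return role in roles


def token_is_usable(introspection, now=None, clock_skew=30):
    """Active, not about to expire, and carrying realm-management/manage-users."""
    now = time.time() if now is None else now
    if not introspection.get("active"):
        return False
    if introspection.get("exp", 0) - clock_skew <= now:
        return False
    return has_client_role(introspection, "realm-management", "manage-users")


class FakeKeycloak:
    """Constructed stand-in for the IdP; answers mirror the shape of the page's output."""

    def __init__(self, exp=1538582518):  # exp value taken from the introspection above
        self.exp = exp
        self.calls = []

    def __call__(self, method, url, headers, form=None):
        self.calls.append((method, url))
        if url.endswith("/token") and form == {"grant_type": "client_credentials"}:
            return {"access_token": "constructed-access-token", "token_type": "bearer"}
        if url.endswith("/token/introspect"):
            return {"active": True, "exp": self.exp, "azp": "pga",
                    "preferred_username": "service-account-pga",
                    "resource_access": {
                        "pga": {"roles": ["uma_protection", "gateway-user"]},
                        "realm-management": {"roles": ["manage-users"]}}}
        if url.endswith("/users/") and headers.get("Authorization") == "Bearer constructed-access-token":
            return [{"username": "service-account-pga"}, {"username": "alice"}]
        raise ValueError(f"unexpected request {method} {url}")


def run_flow(client_id, client_secret, http=_urllib_http, now=None):
    """Token -> introspect -> guard -> admin call; returns the usernames found."""
    token = get_service_account_token(client_id, client_secret, http)
    info = introspect_token(client_id, client_secret, token, http)
    if not token_is_usable(info, now=now):
        raise PermissionError("service account token lacks realm-management/manage-users or is expired")
    return [u["username"] for u in list_users(token, http)]


if __name__ == "__main__":
    # Offline demo against the constructed IdP; "s3cret" is a placeholder secret.
    print(run_flow("pga", "s3cret", http=FakeKeycloak(), now=1538580718))
```

The `now` parameter exists only so the expiry guard can be tested deterministically; in the portal it would default to the wall clock.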
> Use service account to authenticate Django portal to IamAdminService
> --------------------------------------------------------------------
>
> Key: AIRAVATA-2889
> URL: https://issues.apache.org/jira/browse/AIRAVATA-2889
> Project: Airavata
> Issue Type: Improvement
> Reporter: Marcus Christie
> Assignee: Marcus Christie
> Priority: Major
>
> PGA uses the realm admin's username and password, but it would be better if we could just use the existing client_id and client_secret to get an access token for authenticating with the IAM Admin Services API.
> h5. TODO
> * [ ] Add *manage-users* role from the *realm-management* client to the automatically generated PGA client in the tenant creation code
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)