10_public:3rd_party_app_development

Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

Link zu dieser Vergleichsansicht

Nächste Überarbeitung 		Vorhergehende Überarbeitung
10_public:3rd_party_app_development [2017/10/27 13:19]
raffael.sahli angelegt 		10_public:3rd_party_app_development [2019/05/10 07:47] (aktuell)
raffael.sahli [OpenID Connect]
Zeile 1: Zeile 1:
-====== App/Service Development ====== 
- 
-((Artikel wurde aus der Diplomarbeit von Raffael Sahli übernommen,​ siehe  {{00_datacenter:​zentrale_dienste:​aai:​da_sahli_raffael_app_entwicklerdokumentation.pdf|da_sahli_raffael_app_entwicklerdokumentation.pdf}})) 
- 
-===== Description ===== 
- 
-You have a new service (Webapplication,​ mobile app, desktop application,​ …) and you would like using either our AAI (Authentication and Authorization Infrastructure) or access to one of our APIs (Application Progammable Interface) or both. We provide both - a SAML2 infrastructure (Shibboleth) and an OpenID Connect infrastructure. 
- 
-First thing you need to decide is wether your service should be a Shibboleth service provider or a service using OpenID Connect. If you just want authentication and authorization including attribute releasing in a browser-only environement your probably want SAML2 (Shibboleth),​ however OpenID Connect is the more modern protocol and you can achieve the same. In the end it is up to you what you would like to implement. As soon as you want more besides just authenticate in a browser-only environement,​ you will need OpenID Connect since it is the only way to interact with our API services (resource server). 
- 
-It has to be mentioned that our OpenID Connect IdP is a layer on the top of shibboleth, meaning every OpenID Connect provider is a shibboleth provider as well. But a shibboleth provider is not necessarily an OpenID Connect provider. 
- 
 ===== Register your app ===== ===== Register your app =====
  
-First thing you're required to do is regsiter ​your app.+First thing you're required to do is register ​your app.
  
-<WRAP center round info 100%> There is no interface yet for self register your app. </​WRAP>​ +Please write a mail to [[support@gyselroth.com|]] with the following information:​
- +
-Please write a mail to [[support@gselroth.com|support@gselroth.com]] with the following information:​+
  
   - App name   - App name
   - App description   - App description
-  - App logo (OPTIONAL) +  - HTTPS-URL to App logo (OPTIONAL) 
-  - Protocol (Shibboleth or OpenID Connect) (Usually you want OpenID Connect here)+  - Protocol (OpenID Connect ​or Shibboleth) (Usually you want OpenID Connect here).
  
 ==== Shibboleth ==== ==== Shibboleth ====
  
-If you have choosen Shibboleth for nr. 4, wee need the following additional information:​+If you have choosen Shibboleth for nr. 4, we need the following additional information:​
  
   - URL to your SP (service provider) Metadata   - URL to your SP (service provider) Metadata
 +
  
 ==== OpenID Connect ==== ==== OpenID Connect ====
  
-If you have choosen OpenID Connect for nr. 4, wee need the following additional information:​+If you have choosen OpenID Connect for nr. 4, we need the following additional information:​
  
   - Client authentication method (Usually you want "​client_secret_post"​ here) (See [[http://​openid.net/​specs/​openid-connect-core-1_0.html#​ClientAuthentication|OpenID-Connect Specification part 9]])   - Client authentication method (Usually you want "​client_secret_post"​ here) (See [[http://​openid.net/​specs/​openid-connect-core-1_0.html#​ClientAuthentication|OpenID-Connect Specification part 9]])
   - App type (Android app, JavaScript app, desktop app, webserver app, …)   - App type (Android app, JavaScript app, desktop app, webserver app, …)
   - redirect_uri   - redirect_uri
 +
  
 ===== Resource server ===== ===== Resource server =====
Zeile 44: Zeile 32:
 ^Name^API Version^URL^Typ| ^Name^API Version^URL^Typ|
 |IN2|v1|[[https://​api.tam.ch|https://​api.tam.ch]]|JSON/​XML REST| |IN2|v1|[[https://​api.tam.ch|https://​api.tam.ch]]|JSON/​XML REST|
-|CloudFS|v1|[[https://​cloudfs.tam.ch/​api|https://​cloudfs.tam.ch/​api]]|JSON/​XML REST|+|balloon|v1 / v2|[[https://balloon.tam.ch/​api|https://​balloon.tam.ch/​api]]|JSON/​XML REST|
  
 ===== Shibboleth ===== ===== Shibboleth =====
Zeile 83: Zeile 71:
 ===== OpenID Connect ===== ===== OpenID Connect =====
  
-Please go to Shibboleth if you have a shibboleth-only SP.+See the Shibboleth ​part if you have a shibboleth-only SP.
  
-OpenID Connect is a modern protocol based on OAUTH2 meant for authentication. ​Please read [[http://​openid.net/​connect|http://​openid.net/​connect ]]if you are not familiar with the protocol.+OpenID Connect is a modern protocol based on OAUTH2 meant for authentication. ​Read [[http://​openid.net/​connect|http://​openid.net/​connect ]]if you are not familiar with the protocol.
  
-{{:00_datacenter:​zentrale_dienste:​aai:​mobile_aai.png?​650}}+{{:10_public:​mobile_aai.png?​650}}
  
 ==== Discovery ==== ==== Discovery ====
Zeile 95: Zeile 83:
 ==== Attributes ==== ==== Attributes ====
  
-Your can receive the follwing ​user attributes by query the userinfo endpoint (See discovery) [[https://​accounts.tam.ch/​userinfo|https://​accounts.tam.ch/​userinfo]] (Depending which scopes you have requested during requesting the token).+You are able to receive the following ​user attributes by query the userinfo endpoint (See discovery) [[https://​accounts.tam.ch/​userinfo|https://​accounts.tam.ch/​userinfo]] (Depending which scopes you have requested during requesting the token).
  
 ^**Attribute** ​  ​^**Description** ​  ​^Scope| ^**Attribute** ​  ​^**Description** ​  ​^Scope|
Zeile 138: Zeile 126:
 |scope|openid profile email intranet offline_access|Scopes to query, you should always request openid and profile. **Note**: If you want to query an intranet2 API you are required to request the scope intranet as well.| |scope|openid profile email intranet offline_access|Scopes to query, you should always request openid and profile. **Note**: If you want to query an intranet2 API you are required to request the scope intranet as well.|
 |state|Random String|Random string to prevent cross-site-request-forgery attacks.| |state|Random String|Random string to prevent cross-site-request-forgery attacks.|
 +|prompt|consent|prompt=consent is required if you would like to obtain an refresh token|
  
 Example authentication request: Example authentication request:
  
 <​code>​ <​code>​
-https://​accounts.tam.ch/​auth?​redirect_uri=https%3A%2F%2Fcloudfs.tam.ch&​scope=openid%20offline_access&​client_id=my_client_id&​response_type=code+https://​accounts.tam.ch/​auth?​redirect_uri=https://cloudfs.tam.ch&​scope=openid ​offline_access&​client_id=my_client_id&​response_type=code&​prompt=consent
 </​code>​ </​code>​
  
Zeile 168: Zeile 157:
 Example token request: Example token request:
  
-[[https://​accounts.tam.ch/​token|https://​accounts.tam.ch/​token]] with POST parameters ''​grant_type=authorization_code&​code=sJi902gBBcGG_icj0pOnFoQDL_o0Pju9RNXEjGGL9-Y&​redirect_uri=https%3A%2F%2Fcloudfs.tam.ch&​client_id=my_client_id&​client_secret=my_client_secret''​+[[https://​accounts.tam.ch/​token|https://​accounts.tam.ch/​token]] with POST parameters ''​grant_type=authorization_code&​code=sJi902gBBcGG_icj0pOnFoQDL_o0Pju9RNXEjGGL9-Y&​redirect_uri=[[https://cloudfs.tam.ch&​client_id=my_client_id&​client_secret=my_client_secret|https://​cloudfs.tam.ch&​client_id=my_client_id&​client_secret=my_client_secret]]''​
  
 If you have choosen client_secret_basic as client authentication method during app registration your are required to send the client credentials in the basic scheme along the token POST request instead attaching them as POST parameters: If you have choosen client_secret_basic as client authentication method during app registration your are required to send the client credentials in the basic scheme along the token POST request instead attaching them as POST parameters:
Zeile 190: Zeile 179:
 With the access_token you have received above you can now query an API (resource server). With the access_token you have received above you can now query an API (resource server).
  
-<​code>​ +=== Refresh Access Token ===
-\\  ​=== Refresh Access Token === +
-</​code>​+
  
 With the refresh_token you have received you can get a new access_token. With the refresh_token you have received you can get a new access_token.
Zeile 214: Zeile 201:
 The response from the authentication server is the same as for the token request above except that it might not contain an id_token. The response from the authentication server is the same as for the token request above except that it might not contain an id_token.
  
-<​code>​ +==== Implicit Grant ====
-\\  ​==== Implicit Grant ==== +
-</​code>​+
  
 Use the implicit grant for applications which can **not** ​ store a client_secret secretly. A good example of such an application is a web SPA (Single page application). Use the implicit grant for applications which can **not** ​ store a client_secret secretly. A good example of such an application is a web SPA (Single page application).
Zeile 235: Zeile 220:
  
 <​code>​ <​code>​
-https://​accounts.tam.ch/​token?​response_type=id_token token&​state=551ffbec-40ea-43b0-bb7d-4e509615be55&​redirect_uri=https://​cloudfs.tam.ch&​client_id=my_client_id&​scope=openid&​nonce=t8+mAHzTW8jGDVjesgxu65HsJFoMdv+https://​accounts.tam.ch/​auth?​response_type=id_token token&​state=551ffbec-40ea-43b0-bb7d-4e509615be55&​redirect_uri=https://​cloudfs.tam.ch&​client_id=my_client_id&​scope=openid&​nonce=t8 mAHzTW8jGDVjesgxu65HsJFoMdv
 </​code>​ </​code>​
  
Zeile 250: Zeile 235:
 <WRAP center round info 100%> Note that access tokens which are created during implicit auth will expire after 3600s, therefore you are required to the same request for an access_token above again. </​WRAP>​ <WRAP center round info 100%> Note that access tokens which are created during implicit auth will expire after 3600s, therefore you are required to the same request for an access_token above again. </​WRAP>​
  
-<​code>​ +=== JavaScript code example ===
-\\  ​=== JavaScript code example === +
-</​code>​+
  
 This code example provides an insight how to authenticate with your AAI and get an access token to query a resource server (CloudFS): This code example provides an insight how to authenticate with your AAI and get an access token to query a resource server (CloudFS):
Zeile 278: Zeile 261:
  */  */
 extractToken:​ function(hash) { extractToken:​ function(hash) {
-    var match = hash.match(/​access_token=(\w+)/);+    var match = hash.match(/​access_token=(\w )/);
     return !!match && match[1];     return !!match && match[1];
 }, },
Zeile 289: Zeile 272:
     var options = {     var options = {
         type:'​GET',​         type:'​GET',​
-        url: client.CLOUDFS_API+'/​api/​auth',​+        url: client.CLOUDFS_API '/​api/​auth',​
         statusCode: {         statusCode: {
             401: function() {             401: function() {
Zeile 304: Zeile 287:
  
     if(client.access_token != ''​) {     if(client.access_token != ''​) {
-        options.headers = { "​Authorization":​ '​Bearer '+client.access_token,​ }+        options.headers = { "​Authorization":​ '​Bearer ' client.access_token,​ }
     }     }
  
Zeile 315: Zeile 298:
 initOauth2: function() { initOauth2: function() {
     var nonce = ''​(Math.random()*1e32).toString(36);''​     var nonce = ''​(Math.random()*1e32).toString(36);''​
-    window.location.href = client.OAUTH2_AUTH_SERVER+'/​cloudfs?​response_type=token&​client_id='​+ +    window.location.href = client.OAUTH2_AUTH_SERVER '/​cloudfs?​response_type=token&​client_id='​ 
-      client.OAUTH2_CLIENT_ID+'&​nonce='​+nonce+'&​redirect_uri='​+client.OAUTH2_REDIRECT_URI+'&​scope='​+<font inherit/​inherit;;​black;;​inherit>​encodeURIComponent(</​font>​client.OAUTH2_SCOPE);​+      client.OAUTH2_CLIENT_ID '&​nonce='​ nonce '&​redirect_uri='​ client.OAUTH2_REDIRECT_URI '&​scope='​ <font inherit/​inherit;;​black;;​inherit>​encodeURIComponent(</​font>​client.OAUTH2_SCOPE);​
 }, },
  
Zeile 324: Zeile 307:
 callCloudfsApi:​ function() { callCloudfsApi:​ function() {
     $.ajax({     $.ajax({
-        url: client.CLOUDFS_API+'/​v'​+client.CLOUDFS_API_VERSION+'/​children',​+        url: client.CLOUDFS_API '/​v'​ client.CLOUDFS_API_VERSION '/​children',​
         type: '​GET', ​ dataType: '​json',​         type: '​GET', ​ dataType: '​json',​
         statusCode: {         statusCode: {
Zeile 334: Zeile 317:
             }             }
         },         },
-        headers = {  "​Authorization":​ '​Bearer '+client.access_token, ​ }+        headers = {  "​Authorization":​ '​Bearer ' client.access_token, ​ }
     });     });
 } }
Zeile 340: Zeile 323:
 </​code>​ </​code>​
  
-<​code>​ +==== Introspection ====
-\\  ​==== Introspection ==== +
-</​code>​+
  
 An endpoint for token introspection is available at [[https://​accounts.tam.ch/​introspect|https://​accounts.tam.ch/​introspect]] (See discovery). The introspection endpoint can be queried with an access_token to check if the token is valid (e.g. for resource servers to verify the token of a user). An endpoint for token introspection is available at [[https://​accounts.tam.ch/​introspect|https://​accounts.tam.ch/​introspect]] (See discovery). The introspection endpoint can be queried with an access_token to check if the token is valid (e.g. for resource servers to verify the token of a user).
Zeile 373: Zeile 354:
 </​code>​ </​code>​
  
-==== Revocation ​====+==== Revoke tokens ​====
  
 An endpoint for token revocation is available at [[https://​accounts.tam.ch/​revoke|https://​accounts.tam.ch/​revoke]] (See discovery). The revocation endpoint can be queried with an access_token or a refresh_token to revoke this token. An endpoint for token revocation is available at [[https://​accounts.tam.ch/​revoke|https://​accounts.tam.ch/​revoke]] (See discovery). The revocation endpoint can be queried with an access_token or a refresh_token to revoke this token.
Zeile 389: Zeile 370:
  
 If the client credentials were valid, the server responds with a HTTP status 200, meaning the token is revoked. If the client credentials were valid, the server responds with a HTTP status 200, meaning the token is revoked.
 +
 +==== Single-Sign-on Button ====
 +
 +You should use this button to link to our AAI infrastructure for both Shibboleth an OpenID-connect apps.
 +
 +{{:​10_public:​button_aai_login.png}}
  
 \\ \\
 +
  
  • 10_public/3rd_party_app_development.1509110382.txt.gz
  • Zuletzt geändert: 2017/10/27 13:19
  • (Externe Bearbeitung)