10_public:3rd_party_app_development

Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

Link zu dieser Vergleichsansicht

Beide Seiten der vorigen Revision Vorhergehende Überarbeitung
Nächste Überarbeitung 		Vorhergehende Überarbeitung
10_public:3rd_party_app_development [2017/10/27 13:55]
raffael.sahli [Description] 		10_public:3rd_party_app_development [2019/05/10 07:47] (aktuell)
raffael.sahli [OpenID Connect]
Zeile 1: Zeile 1:
-====== App/Service Development ====== 
- 
-((Artikel wurde aus der Diplomarbeit von Raffael Sahli übernommen,​ siehe  {{00_datacenter:​zentrale_dienste:​aai:​da_sahli_raffael_app_entwicklerdokumentation.pdf|da_sahli_raffael_app_entwicklerdokumentation.pdf}})) 
- 
-===== Description ===== 
- 
-Do you have a service (Web application,​ mobile app, desktop application,​ …) and you would like using either our AAI (Authentication and Authorization Infrastructure) or access one of our API (Application Programmable Interface) or both? We provide both - a SAML2 infrastructure (Shibboleth) and an OpenID Connect infrastructure. 
- 
-First thing you need to decide is weather your service should be a Shibboleth service provider or a service using OpenID-connect. If you just want authentication and authorization including attribute releasing in a browser-only environment your probably want SAML2 (Shibboleth),​ however OpenID Connect is the more modern protocol and you can achieve the same. In the end it is up to you what you would like to implement. As soon as you want more besides just authenticate in a browser-only environment,​ you will need OpenID Connect since it is the only way to interact with our API services (resource server). 
- 
-It has to be mentioned that our OpenID Connect IdP is a layer on the top of shibboleth, meaning every OpenID Connect provider is a shibboleth provider as well. But a shibboleth provider is not necessarily an OpenID Connect provider. 
- 
 ===== Register your app ===== ===== Register your app =====
  
-First thing you're required to do is regsiter ​your app.+First thing you're required to do is register ​your app.
  
-<WRAP center round info 100%> There is no interface yet for self register your app. </​WRAP>​ +Please write a mail to [[support@gyselroth.com|]] with the following information:​
- +
-Please write a mail to [[support@gselroth.com|support@gselroth.com]] with the following information:​+
  
   - App name   - App name
   - App description   - App description
-  - App logo (OPTIONAL) +  - HTTPS-URL to App logo (OPTIONAL) 
-  - Protocol (Shibboleth or OpenID Connect) (Usually you want OpenID Connect here)+  - Protocol (OpenID Connect ​or Shibboleth) (Usually you want OpenID Connect here).
  
 ==== Shibboleth ==== ==== Shibboleth ====
  
-If you have chosen ​Shibboleth we need the following additional information:​+If you have choosen ​Shibboleth ​for nr. 4, we need the following additional information:​
  
   - URL to your SP (service provider) Metadata   - URL to your SP (service provider) Metadata
 +
  
 ==== OpenID Connect ==== ==== OpenID Connect ====
  
-If you have chosen ​OpenID Connect, we need the following additional information:​+If you have choosen ​OpenID Connect ​for nr. 4, we need the following additional information:​
  
   - Client authentication method (Usually you want "​client_secret_post"​ here) (See [[http://​openid.net/​specs/​openid-connect-core-1_0.html#​ClientAuthentication|OpenID-Connect Specification part 9]])   - Client authentication method (Usually you want "​client_secret_post"​ here) (See [[http://​openid.net/​specs/​openid-connect-core-1_0.html#​ClientAuthentication|OpenID-Connect Specification part 9]])
   - App type (Android app, JavaScript app, desktop app, webserver app, …)   - App type (Android app, JavaScript app, desktop app, webserver app, …)
   - redirect_uri   - redirect_uri
 +
  
 ===== Resource server ===== ===== Resource server =====
Zeile 44: Zeile 32:
 ^Name^API Version^URL^Typ| ^Name^API Version^URL^Typ|
 |IN2|v1|[[https://​api.tam.ch|https://​api.tam.ch]]|JSON/​XML REST| |IN2|v1|[[https://​api.tam.ch|https://​api.tam.ch]]|JSON/​XML REST|
-|CloudFS|v1|[[https://​cloudfs.tam.ch/​api|https://​cloudfs.tam.ch/​api]]|JSON/​XML REST|+|balloon|v1 / v2|[[https://balloon.tam.ch/​api|https://​balloon.tam.ch/​api]]|JSON/​XML REST|
  
 ===== Shibboleth ===== ===== Shibboleth =====
Zeile 88: Zeile 76:
  
 {{:​10_public:​mobile_aai.png?​650}} {{:​10_public:​mobile_aai.png?​650}}
 +
 ==== Discovery ==== ==== Discovery ====
  
Zeile 94: Zeile 83:
 ==== Attributes ==== ==== Attributes ====
  
-Your can receive the follwing ​user attributes by query the userinfo endpoint (See discovery) [[https://​accounts.tam.ch/​userinfo|https://​accounts.tam.ch/​userinfo]] (Depending which scopes you have requested during requesting the token).+You are able to receive the following ​user attributes by query the userinfo endpoint (See discovery) [[https://​accounts.tam.ch/​userinfo|https://​accounts.tam.ch/​userinfo]] (Depending which scopes you have requested during requesting the token).
  
 ^**Attribute** ​  ​^**Description** ​  ​^Scope| ^**Attribute** ​  ​^**Description** ​  ​^Scope|
Zeile 137: Zeile 126:
 |scope|openid profile email intranet offline_access|Scopes to query, you should always request openid and profile. **Note**: If you want to query an intranet2 API you are required to request the scope intranet as well.| |scope|openid profile email intranet offline_access|Scopes to query, you should always request openid and profile. **Note**: If you want to query an intranet2 API you are required to request the scope intranet as well.|
 |state|Random String|Random string to prevent cross-site-request-forgery attacks.| |state|Random String|Random string to prevent cross-site-request-forgery attacks.|
 +|prompt|consent|prompt=consent is required if you would like to obtain an refresh token|
  
 Example authentication request: Example authentication request:
  
 <​code>​ <​code>​
-https://​accounts.tam.ch/​auth?​redirect_uri=https%3A%2F%2Fcloudfs.tam.ch&​scope=openid%20offline_access&​client_id=my_client_id&​response_type=code+https://​accounts.tam.ch/​auth?​redirect_uri=https://cloudfs.tam.ch&​scope=openid ​offline_access&​client_id=my_client_id&​response_type=code&​prompt=consent
 </​code>​ </​code>​
  
Zeile 167: Zeile 157:
 Example token request: Example token request:
  
-[[https://​accounts.tam.ch/​token|https://​accounts.tam.ch/​token]] with POST parameters ''​grant_type=authorization_code&​code=sJi902gBBcGG_icj0pOnFoQDL_o0Pju9RNXEjGGL9-Y&​redirect_uri=https%3A%2F%2Fcloudfs.tam.ch&​client_id=my_client_id&​client_secret=my_client_secret''​+[[https://​accounts.tam.ch/​token|https://​accounts.tam.ch/​token]] with POST parameters ''​grant_type=authorization_code&​code=sJi902gBBcGG_icj0pOnFoQDL_o0Pju9RNXEjGGL9-Y&​redirect_uri=[[https://cloudfs.tam.ch&​client_id=my_client_id&​client_secret=my_client_secret|https://​cloudfs.tam.ch&​client_id=my_client_id&​client_secret=my_client_secret]]''​
  
 If you have choosen client_secret_basic as client authentication method during app registration your are required to send the client credentials in the basic scheme along the token POST request instead attaching them as POST parameters: If you have choosen client_secret_basic as client authentication method during app registration your are required to send the client credentials in the basic scheme along the token POST request instead attaching them as POST parameters:
Zeile 230: Zeile 220:
  
 <​code>​ <​code>​
-https://​accounts.tam.ch/​token?​response_type=id_token token&​state=551ffbec-40ea-43b0-bb7d-4e509615be55&​redirect_uri=https://​cloudfs.tam.ch&​client_id=my_client_id&​scope=openid&​nonce=t8+mAHzTW8jGDVjesgxu65HsJFoMdv+https://​accounts.tam.ch/​auth?​response_type=id_token token&​state=551ffbec-40ea-43b0-bb7d-4e509615be55&​redirect_uri=https://​cloudfs.tam.ch&​client_id=my_client_id&​scope=openid&​nonce=t8 mAHzTW8jGDVjesgxu65HsJFoMdv
 </​code>​ </​code>​
  
Zeile 271: Zeile 261:
  */  */
 extractToken:​ function(hash) { extractToken:​ function(hash) {
-    var match = hash.match(/​access_token=(\w+)/);+    var match = hash.match(/​access_token=(\w )/);
     return !!match && match[1];     return !!match && match[1];
 }, },
Zeile 282: Zeile 272:
     var options = {     var options = {
         type:'​GET',​         type:'​GET',​
-        url: client.CLOUDFS_API+'/​api/​auth',​+        url: client.CLOUDFS_API '/​api/​auth',​
         statusCode: {         statusCode: {
             401: function() {             401: function() {
Zeile 297: Zeile 287:
  
     if(client.access_token != ''​) {     if(client.access_token != ''​) {
-        options.headers = { "​Authorization":​ '​Bearer '+client.access_token,​ }+        options.headers = { "​Authorization":​ '​Bearer ' client.access_token,​ }
     }     }
  
Zeile 308: Zeile 298:
 initOauth2: function() { initOauth2: function() {
     var nonce = ''​(Math.random()*1e32).toString(36);''​     var nonce = ''​(Math.random()*1e32).toString(36);''​
-    window.location.href = client.OAUTH2_AUTH_SERVER+'/​cloudfs?​response_type=token&​client_id='​+ +    window.location.href = client.OAUTH2_AUTH_SERVER '/​cloudfs?​response_type=token&​client_id='​ 
-      client.OAUTH2_CLIENT_ID+'&​nonce='​+nonce+'&​redirect_uri='​+client.OAUTH2_REDIRECT_URI+'&​scope='​+<font inherit/​inherit;;​black;;​inherit>​encodeURIComponent(</​font>​client.OAUTH2_SCOPE);​+      client.OAUTH2_CLIENT_ID '&​nonce='​ nonce '&​redirect_uri='​ client.OAUTH2_REDIRECT_URI '&​scope='​ <font inherit/​inherit;;​black;;​inherit>​encodeURIComponent(</​font>​client.OAUTH2_SCOPE);​
 }, },
  
Zeile 317: Zeile 307:
 callCloudfsApi:​ function() { callCloudfsApi:​ function() {
     $.ajax({     $.ajax({
-        url: client.CLOUDFS_API+'/​v'​+client.CLOUDFS_API_VERSION+'/​children',​+        url: client.CLOUDFS_API '/​v'​ client.CLOUDFS_API_VERSION '/​children',​
         type: '​GET', ​ dataType: '​json',​         type: '​GET', ​ dataType: '​json',​
         statusCode: {         statusCode: {
Zeile 327: Zeile 317:
             }             }
         },         },
-        headers = {  "​Authorization":​ '​Bearer '+client.access_token, ​ }+        headers = {  "​Authorization":​ '​Bearer ' client.access_token, ​ }
     });     });
 } }
 } }
 </​code>​ </​code>​
- 
  
 ==== Introspection ==== ==== Introspection ====
Zeile 365: Zeile 354:
 </​code>​ </​code>​
  
-==== Revocation ​====+==== Revoke tokens ​====
  
 An endpoint for token revocation is available at [[https://​accounts.tam.ch/​revoke|https://​accounts.tam.ch/​revoke]] (See discovery). The revocation endpoint can be queried with an access_token or a refresh_token to revoke this token. An endpoint for token revocation is available at [[https://​accounts.tam.ch/​revoke|https://​accounts.tam.ch/​revoke]] (See discovery). The revocation endpoint can be queried with an access_token or a refresh_token to revoke this token.
Zeile 381: Zeile 370:
  
 If the client credentials were valid, the server responds with a HTTP status 200, meaning the token is revoked. If the client credentials were valid, the server responds with a HTTP status 200, meaning the token is revoked.
-\\ 
  
 ==== Single-Sign-on Button ==== ==== Single-Sign-on Button ====
  
-You can use this button to link to our AAI infrastructure for both Shibboleth an OpenID-connect apps.+You should ​use this button to link to our AAI infrastructure for both Shibboleth an OpenID-connect apps.
  
 {{:​10_public:​button_aai_login.png}} {{:​10_public:​button_aai_login.png}}
 +
 +\\
 +
 +
  • 10_public/3rd_party_app_development.1509112548.txt.gz
  • Zuletzt geändert: 2017/10/27 13:55
  • von raffael.sahli