Identity and Access Management (IAM) Identity and Access Management (IAM)


Accessing D4Science Resources - how to

Please make sure you read the IAM Concepts before proceeding.

D4Science adopts state-of-the-art industry standards for authentication and authorization. In particular, the implementation fully adopts OIDC (OpenID Connect) for authentication and UMA 2 (User Managed Authorization) for authorization flows. Both protocols are specializations of the generic OAuth 2.0 specification. JSON Web Token (JWT) Access token are used for both authentication and authorization.

Perform authorised calls to D4Science Resources

At this point you have an application that is integrated in D4Science and is capable to read the OIDC token used for authentication. Your application can perform authorised call to D4Science Resources (e.g. D4Science service APIs).

Each VRE/VLab defines a context where providing access to a (sub)set of services and data, therefore contexts are also modelled as resources. In other words, a context indentifies uniquely a VLab/VRE, for instance the AnalyticsLab VRE context is "/". 

With the OIDC token you can obtain an (UMA) Access Token that can be used to perform authorised call on D4Science resources under a context as follows:


curl --location --request POST '' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Bearer eyJhbGc****' \  <-- OIDC token goes here
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:uma-ticket' \ 
--data-urlencode '' <-- encoded context goes here (replace / with %2F) 

Please note:

  • the Authorization header uses the Bearer HTTP authentication scheme which contains the word Bearer, followed by a space and the OIDC Token;
  • data-urlencode 'grant_type .. is fixed;
  • data-urlencode 'audience' changes depending on the context (VRE/VLab) an it is uri encoded (the '/' should be replaced by '%2F')

The returned token will look something like the following one:

    "upgraded": false,
    "access_token": "eyJhbGci***vw",
    "expires_in": 300,
    "refresh_expires_in": 1800,
    "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6I...hbWUiCa9SXI",
    "token_type": "Bearer",
    "not-before-policy": 1618317421

Actual service calls

In order to invoke a service it will be necessary to insert the access_token component as bearer token in the Authorization header of the call to the service. For example, a call to list the items of the catalogue on a given context would look like the following:


curl --location --request GET '' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer eyJhbGci***vw'


Please note: the access token has an expiration date (tipically few minutes), your application should take care of refreshing the token when necessary. To do so, note that you have the refresh token at you disposal in (1) step. Check this guide to know how to refresh it.