Identity and Access Management (IAM)
Accessing D4Science Resources - how to
Please make sure you read the IAM Concepts before proceeding.
D4Science adopts state-of-the-art industry standards for authentication and authorization. In particular, the implementation fully adopts OIDC (OpenID Connect) for authentication and UMA 2 (User Managed Authorization) for authorization flows. Both protocols are specializations of the generic OAuth 2.0 specification. JSON Web Token (JWT) Access token are used for both authentication and authorization.
Perform authorised calls to D4Science Resources
At this point you have an application that is integrated in D4Science and is capable to read the OIDC token used for authentication. Your application can perform authorised call to D4Science Resources (e.g. D4Science service APIs).
Each VRE/VLab defines a context where providing access to a (sub)set of services and data, therefore contexts are also modelled as resources. In other words, a context indentifies uniquely a VLab/VRE, for instance the AnalyticsLab VRE context is "/d4science.research-infrastructures.eu/D4Research/AnalyticsLab".
With the OIDC token you can obtain an (UMA) Access Token that can be used to perform authorised call on D4Science resources under a context as follows:
(1)
type: POST
request URL: https://accounts.d4science.org/auth/realms/d4science/protocol/openid-connect/token
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer eyJhbGc****' \ <-- OIDC token goes here
Body as x-www-form-urlencoded with 2 attributes as follows:
key: grant_type
value: urn:ietf:params:oauth:grant-type:uma-ticket
key: audience
value: %2Fd4science.research-infrastructures.eu%2FD4OS ...
The HTTP Request below is an equivalent of the above one given in curl syntax, the equivalent HTTP can be perform in any language. curl --location --request POST 'https://accounts.d4science.org/auth/realms/d4science/protocol/openid-connect/token' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --header 'Authorization: Bearer eyJhbGc****' \<-- OIDC token goes here--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:uma-ticket' \ --data-urlencode 'audience=%2fd4science.research-infrastructures.eu%2fD4Research%2fAnalyticsLab'<-- encoded context goes here (replace / with %2F)
Please note:
- the Authorization header uses the Bearer HTTP authentication scheme which contains the word Bearer, followed by a space and the OIDC Token;
- data-urlencode 'grant_type .. is fixed;
- data-urlencode 'audience' changes depending on the context (VRE/VLab) an it is uri encoded (the '/' should be replaced by '%2F')
The returned token will look something like the following one:
{
"upgraded": false,
"access_token": "eyJhbGci***vw",
"expires_in": 300,
"refresh_expires_in": 1800,
"refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6I...hbWUiCa9SXI",
"token_type": "Bearer",
"not-before-policy": 1618317421
}
Actual service calls
In order to invoke a service it will be necessary to insert the access_token component as bearer token in the Authorization header of the call to the service. For example, a call to list the items of the catalogue on a given context would look like the following:
(2) The HTTP Request below is an example given in curl syntax, the equivalent HTTP can be perform in any language.
Please note: the access token has an expiration date (tipically few minutes), your application should take care of refreshing the token when necessary. To do so, note that you have the refresh token at you disposal in (1) step. Check this guide to know how to refresh it.
type: POST request URL: https://accounts.d4science.org/auth/realms/d4science/protocol/openid-connect/token Content-Type: application/x-www-form-urlencoded Authorization: Basic *******' Body as x-www-form-urlencoded with 2 attributes as follows: key: grant_type value: urn:ietf:params:oauth:grant-type:uma-ticket key: audience value: %2Fd4science.research-infrastructures.eu%2FD4OS ...The HTTP Request below is an example given in curl syntax, the equivalent HTTP can be perform in any language.