Connecting Science Gateway/Applications hosting framework with the User Registration Portal (URP)

From EGIWiki
Revision as of 09:21, 1 August 2017 by Larocca (talk | contribs) (Created page with "= Overview = This wiki page contains a short overview of the integration steps that Science Gateway/Applications hosting frameworks must complete to contribute to the EGI Applic...")

Overview

This wiki page contains a short overview of the integration steps that Science Gateway/Applications hosting frameworks must complete to contribute to the EGI Applications on Demand (AoD) service.

The User Registration Portal (URP) provides the Identity Federation mechanism that enables users to authenticate in any of the connected Science Gateways/Applications hosting frameworks with either social credentials or EGI SSO accounts.

In this wiki, the identity federation is implemented with Unity [1], an authentication and authorization management solution that exposes OpenID Connect as its standard interface. A Science Gateway therefore connects to the URP as an ordinary OpenID Connect relying party (client) using the authorization code flow described below.

Connecting the Science Gateway with the URP


Client service registration

1. Open a GGUS ticket to EGI operations that lists the redirect (return) URIs of your service. Register every callback URI you will use, since the redirect_uri sent in the authorization request must match one of them.

2. The Unity team sends back the client ID and client secret for your service. Treat the secret as a credential: keep it on the gateway server only, never in browser-visible pages or public source.


Authorization procedure between Unity and the client:

1] The client sends an authorization request to the OpenID Provider (Unity).

parameters:
response_type: code
redirect_uri: [[Redirect url]] (one of the URIs registered in the GGUS ticket)
client_id: unity-oauth-egrant (the client ID received from the Unity team at registration)
state: [[You should generate your own state]] - an unguessable value created fresh for every login and kept in the user's server-side session; it is compared with the state returned in step 4 to stop cross-site request forgery. Generate it from a cryptographically secure random source (the PHP idiom md5(uniqid(rand(), TRUE)) is predictable and should not be used).
scope: openid profile

example:
https://unity.egi.eu/oauth2-as/oauth2-authz?response_type=code&client_id=123123123&redirect_uri=https%3A%2F%2Fclient.pl%2Fauth&scope=openid%20profile&state=a123a123a123


2] The Authorization Server authenticates the End-User.
3] The Authorization Server obtains the End-User's consent/authorization.
4] The Authorization Server sends the End-User back to the redirect URI from the first request (Redirect url) with the code. Before using the code, the client must check that the returned state equals the one stored in its session in step 1 and discard the callback otherwise.

example of the response:

HTTP/1.1 302 Found
Location: https://client.pl/auth?code=uniquecode123&state=a123a123a123





5] The client sends the code to the Token Endpoint (https://unity.egi.eu/oauth2/token) and receives an Access Token and an ID Token in the response. This request is made server-to-server from the gateway to Unity, not through the browser, and the client authenticates with its client ID and secret using HTTP Basic authentication (the header value is base64 of "clientId:clientSecret"; the one below is the example from the OpenID Connect Basic Client profile).

POST /oauth2/token HTTP/1.1
Host: unity.egi.eu
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=uniquecode123&redirect_uri=https%3A%2F%2Fclient.pl%2Fauth




6] The client validates the tokens and retrieves the End-User's Subject Identifier.

example:

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{
  "access_token": "accessToken123",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "refreshToken123",
  "id_token": "idToken123123"
}

The id_token is a JWT. Decode it and validate it before trusting any claim in it: verify the signature with the provider's published keys, check that iss is Unity's issuer, that aud contains your client ID, that exp has not passed, and that nonce (if you sent one) matches the value stored in the session. Use a stable identifier (the sub claim, or Unity's persistent attribute described below), not the e-mail address, to key the local account (more information: http://openid.net/specs/openid-connect-basic-1_0.html).

7] The client requests the user's claims from the userinfo endpoint (https://unity.egi.eu/oauth2/userinfo), sending the access token in an Authorization: Bearer header.

8] The client receives information about the user, such as email or name, in JSON format.

important data:

unity.server.clientId=[YOUR CLIENT ID]
unity.server.clientSecret=[YOUR SECRET KEY]
unity.server.authorize=https://unity.egi.eu/oauth2-as/oauth2-authz
unity.server.token=https://unity.egi.eu/oauth2/token
unity.server.base=https://unity.egi.eu

full configuration:

List of attributes released by Unity

for scope 'profile':

  • name (string)
  • email (string)
  • confirmedRegistration (true/false) - tells whether the user has confirmed the affiliation request
  • hasActiveSla (true/false) - tells whether the user has confirmed the resource request

Both confirmedRegistration and hasActiveSla have to be 'true' to accept the user as a full member; a gateway should refuse access (or grant only a restricted view) when either is false.

for scope 'additional':

  • persistent (string) - persistent ID of the user assigned by Unity. Science Gateway providers should use this attribute as the source of the unique user ID rather than name or email, which can change.
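The following is an added example, not code from the EGI wiki, from Unity or from any of the modules named on this page. It walks through steps 1 to 8 of the authorization procedure above and the membership check from the attribute list: building the authorization request with a CSPRNG state (and a nonce, which the page's parameter list does not include), checking state on the callback, building the Basic-authenticated token request, validating the decoded id_token claims, building the userinfo request and gating on confirmedRegistration/hasActiveSla. The endpoint URLs are the ones listed on the page and the issuer is the value used in the Django configuration below; the client ID, secret, redirect URI and token values are constructed placeholders. The functions only build or check the individual messages of the exchange, so they run without network access; the HTTP calls themselves are left to the gateway's HTTP client.

```python
"""Authorization-code login against the Unity URP (added example, not EGI/Unity code).

Endpoint URLs are those listed on the wiki page; ISSUER is assumed from the page's
Django configuration. Client ID, secret, redirect URI and token values used in the
tests are constructed placeholders. Nothing here performs network I/O.
"""
import base64
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://unity.egi.eu/oauth2-as/oauth2-authz"
TOKEN_URL = "https://unity.egi.eu/oauth2/token"
USERINFO_URL = "https://unity.egi.eu/oauth2/userinfo"
ISSUER = "https://unity.egi.eu/oauth2"  # assumed: expected 'iss' claim of the id_token


def new_login_values():
    """Per-login state (CSRF guard) and nonce (replay guard), both from a CSPRNG.

    Store both in the user's server-side session before redirecting the browser.
    """
    return secrets.token_urlsafe(32), secrets.token_urlsafe(32)


def build_authorization_url(client_id, redirect_uri, state, nonce, scope="openid profile"):
    """Step 1: the URL the browser is redirected to (nonce is an addition to the page's list)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "nonce": nonce,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 4: extract the code from the redirect, refusing it unless state matches."""
    query = parse_qs(urlsplit(callback_url).query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback was not started by this session")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    return query["code"][0]


def build_token_request(client_id, client_secret, code, redirect_uri):
    """Step 5: server-to-server code exchange, client authenticated with HTTP Basic."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": "Basic " + creds,
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri})
    return "POST", TOKEN_URL, headers, body


def validate_id_token_claims(claims, client_id, nonce, now=None):
    """Step 6: claim checks from OpenID Connect Basic 2.2.1 on the decoded JWT payload.

    Assumes the JWT signature was already verified against the provider's published
    keys (e.g. with PyJWT); claims from an unverified token must never reach here.
    Returns the subject identifier.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("id_token was not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("id_token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: possible replayed id_token")
    return claims["sub"]


def build_userinfo_request(access_token):
    """Step 7: fetch the released attributes, presenting the access token as Bearer."""
    return "GET", USERINFO_URL, {"Authorization": "Bearer " + access_token}


def is_full_member(userinfo):
    """Step 8 / attribute list: both flags must be exactly boolean true to admit the user."""
    return userinfo.get("confirmedRegistration") is True and userinfo.get("hasActiveSla") is True


def stable_user_id(userinfo, sub):
    """Key local accounts on Unity's persistent ID (scope 'additional'), else on sub."""
    return userinfo.get("persistent") or sub
```

The state comparison uses a constant-time compare and the membership gate tests for the boolean True rather than a truthy value, so a provider returning the string "false" cannot slip through. Whatever JWT library verifies the id_token signature, run the claim checks above afterwards; signature validity alone does not tell you the token was meant for your client or this login.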

OpenID Connect for Liferay

OpenID Connect for Liferay is a rough but effective implementation of the OpenID Connect protocol for Liferay. Use this module to authenticate against any OpenID Connect provider, including Unity, using the client ID, secret and endpoints listed above.

OpenID Connect for Django

To configure a Django project to support OpenID Connect authentication you can use the django-oidc-auth module.

How to use

$ pip install django-oidc-auth

Then configure the module in settings.py. The client ID and secret are the values received from the Unity team; read them from the environment rather than committing them to the project:

import os

INSTALLED_APPS += ['oidc_auth']

AUTHENTICATION_BACKENDS = ('oidc_auth.auth.OpenIDConnectBackend',) + AUTHENTICATION_BACKENDS

OIDC_AUTH = {
    'DEFAULT_PROVIDER': {
        'issuer': 'https://unity.egi.eu/oauth2',
        'client_id': os.environ['AUTH_OIDC_CLIENT_ID'],
        'client_secret': os.environ['AUTH_OIDC_SECRET'],
    },
    'SCOPES': ['openid', 'profile'],
}

Finally, add the module's routes to your urls.py (patterns() was removed in Django 1.10, so urlpatterns is a plain list; on Django 4 and later replace url with re_path from django.urls):

from django.conf.urls import include, url

urlpatterns = [
    # ...
    url(r'^oidc/', include('oidc_auth.urls')),
]

Run the migrations to create the module's tables:

$ python manage.py migrate