From: Sander A. <sa....@fz...> - 2023-12-19 13:40:24
Hi Krzysztof, hi Roman,

we spent some additional time setting up the SCIM API. While creating the common User schema, we found an issue. For the multi-valued attribute "entitlements" unity releases the correct number of values, but it only repeats the first one. Is there an error in our schema definition or is this a bug?

I added the schema and a screenshot of the attribute values. The shortened output is:

{"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],
 "id":"89b91130-8a11-4cef-9f51-ff5308fd8261",
 "meta":{"resourceType":"User","created":"2018-02-27T14:09:50Z","lastModified":"2018-02-27T14:09:50Z","location":"https://login-dev.helmholtz.de/scim/Users/89b91130-8a11-4cef-9f51-ff5308fd8261"},
 "urn:ietf:params:scim:schemas:core:2.0:User":{...,
  "entitlements":[{"value":"urn:geant:helmholtz.de:group:demoVO#login-dev.helmholtz.de"},{"value":"urn:geant:helmholtz.de:group:demoVO#login-dev.helmholtz.de"},{"value":"urn:geant:helmholtz.de:group:demoVO#login-dev.helmholtz.de"}]}}

Best regards,
Sander

--
Large-Scale Data Science
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren Local Court, No. HR B 3498
Chairman of the Supervisory Board: MinDir Stefan Müller
Management Board: Prof. Dr. Astrid Lambrecht (Chair), Karsten Beneke (Deputy Chair), Dr. Ir. Pieter Jansens
-----------------------------------------------------------------------
From: Sander A. <sa....@fz...> - 2023-12-20 07:41:25
Attachments:
smime.p7s
Good morning,

while reading the manual once again, I found the error in our schema file. It works fine.

Since only the administrators have username/password, we want to enable OAuth tokens for the SCIM API. Do we need to create an authenticator which is using unity itself for validating the tokens?

Best regards,
Sander
From: Krzysztof B. <kb...@un...> - 2023-12-20 11:57:08
Hi Sander,

On 20.12.2023 at 08:41, Sander Apweiler wrote:
> Good morning,
> while reading the manual once again, I found the error in our schema
> file. It works fine.

Good to hear that.

> Since only the administrators have username/password, we want to enable
> OAuth tokens for the SCIM API. Do we need to create an authenticator
> which is using unity itself for validating the tokens?

Yes. It is not strictly required, but most likely this is what you want.

Do not forget about granting proper authZ with OAuth scopes (as described in the manual).

Best,
Krzysztof
From: Sander A. <sa....@fz...> - 2023-12-21 12:44:59
Hi Krzysztof,

I created a new authenticator (OAuth 2 verifying local tokens) and added the scopes oidc profile email entitlements sys:scim:read_profile sys:scim:read_membership. I added this authenticator to the SCIM API as well.

I generated an OIDC token using the oidc-agent and the same scopes. But using curl https://login-dev.helmholtz.de/scim/Me -H "Authorization: Basic $TOKEN", I got Bad Request and the unity logs have a null pointer exception (stacktrace is attached). Did I forget to add some configuration in addition? Using username/password on the SCIM API works.

Best regards,
Sander
From: Bernd S. <b.s...@fz...> - 2023-12-21 13:19:56
Attachments:
smime.p7s
Hi,

I'm pretty sure that should be

-H "Authorization: Bearer $TOKEN"

Best regards,
Bernd

--
Dr. Bernd Schuller
Large Scale Data Science, Juelich Supercomputing Centre
https://www.fz-juelich.de/ias/jsc/EN/Home/home_node.html
Phone: +49 246161-8736 (fax -8556)

_______________________________________________
Unity-idm-discuss mailing list
Uni...@li...
https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss
From: Sander A. <sa....@fz...> - 2023-12-21 13:24:32
Attachments:
smime.p7s
Hi Bernd,

in this case I got "missing HTTP Basic Auth Header" errors.

Best regards,
Sander
From: Krzysztof B. <kb...@un...> - 2024-01-02 10:29:09
Hi Sander,

On 21.12.2023 at 14:23, Sander Apweiler wrote:
> Hi Bernd,
> in this case I got "missing HTTP Basic Auth Header" errors.

I just noticed that we are missing one important aspect of authN in the docs for the case of accessing SCIM with an OAuth token: as it was requested, access using the OAuth token also requires the client's authN. I.e. you need to provide 2 authorizations: both the client's credentials and the token.

Naturally we can develop a simpler variant (configurable on the endpoint), but as of now this is the only option. We will improve the docs.

So in order to authenticate you need to provide both a Basic authN header (with the OAuth client's credentials, the same as were used to obtain the access token) and a Bearer header with the OAuth access token.

Hope that helps, and happy new year!
Krzysztof
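The two-header exchange Krzysztof describes, as an added example that is neither Unity's code nor anything posted in this thread: a constructed stub stands in for the SCIM endpoint and applies his rule (a request is accepted only when it carries an HTTP Basic header with the OAuth client's credentials AND a Bearer header with the access token), and a small client replays Sander's two failing curl attempts plus the working combination. The client id, client secret, token, the /scim/Me payload and the exact error strings are assumptions for illustration; how Unity itself parses the headers is not shown by the thread.

```python
"""Added example (not Unity's code): stub of a SCIM endpoint that requires
BOTH `Authorization: Basic <client id:secret>` and `Authorization: Bearer
<access token>`, plus a client that sends them on separate header lines."""
import base64
import hmac
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-ins for the OAuth client registered in Unity and for an
# access token obtained through that client (e.g. with oidc-agent).
CLIENT_ID = "scim-client"
CLIENT_SECRET = "client-secret-example"
ACCESS_TOKEN = "access-token-example"
SCIM_ME = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
           "id": "89b91130-8a11-4cef-9f51-ff5308fd8261",
           "meta": {"resourceType": "User"}}


def basic_header(client_id, client_secret):
    """HTTP Basic value carrying the OAuth client's own credentials."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def bearer_header(token):
    return "Bearer " + token


def check_authorization(values):
    """Apply the dual-auth rule to all Authorization header values of a request.
    Returns (http_status, reason); 200 means both credentials were accepted."""
    basic = [v[len("Basic "):] for v in values if v.startswith("Basic ")]
    bearer = [v[len("Bearer "):] for v in values if v.startswith("Bearer ")]
    if not basic:
        return 401, "missing HTTP Basic Auth header"
    try:  # a bare token after "Basic " is not base64("id:secret") -> Bad Request
        client_id, _, secret = base64.b64decode(basic[0], validate=True).decode().partition(":")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return 400, "malformed HTTP Basic credentials"
    if not (hmac.compare_digest(client_id.encode(), CLIENT_ID.encode())
            and hmac.compare_digest(secret.encode(), CLIENT_SECRET.encode())):
        return 401, "bad client credentials"
    if not bearer:
        return 401, "missing Bearer access token"
    if not hmac.compare_digest(bearer[0].encode(), ACCESS_TOKEN.encode()):
        return 401, "invalid access token"
    return 200, "ok"


class ScimStub(BaseHTTPRequestHandler):
    """Constructed endpoint stub; only GET /scim/Me is modelled."""

    def do_GET(self):
        if self.path != "/scim/Me":
            self.send_error(404)
            return
        # get_all: one request may legitimately carry several Authorization lines.
        status, reason = check_authorization(self.headers.get_all("Authorization") or [])
        payload = SCIM_ME if status == 200 else {"status": str(status), "detail": reason}
        body = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/scim+json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def scim_get_me(host, port, auth_values):
    """GET /scim/Me, emitting one Authorization line per value. http.client's
    putheader is used because it allows the same header name to be repeated."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.putrequest("GET", "/scim/Me")
    for value in auth_values:
        conn.putheader("Authorization", value)
    conn.putheader("Accept", "application/scim+json")
    conn.endheaders()
    resp = conn.getresponse()
    body = json.loads(resp.read())
    conn.close()
    return resp.status, body.get("detail") or body.get("id")


def run_demo():
    """Replay the three attempts from the thread against the stub."""
    server = HTTPServer(("127.0.0.1", 0), ScimStub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    attempts = {
        "basic_with_token": ["Basic " + ACCESS_TOKEN],                 # first curl: Bad Request
        "bearer_only": [bearer_header(ACCESS_TOKEN)],                   # second curl: Basic header missing
        "basic_and_bearer": [basic_header(CLIENT_ID, CLIENT_SECRET),
                             bearer_header(ACCESS_TOKEN)],              # both credentials: accepted
    }
    results = {name: scim_get_me(host, port, values) for name, values in attempts.items()}
    server.shutdown()
    server.server_close()
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:18s} -> {outcome}")
```

With curl this means two -H flags rather than -u plus -H, because a custom Authorization header replaces the one curl would otherwise generate from -u: `curl https://login-dev.helmholtz.de/scim/Me -H "Authorization: Basic $(printf '%s:%s' "$CLIENT_ID" "$CLIENT_SECRET" | base64)" -H "Authorization: Bearer $TOKEN"` (variable names assumed). Whether a given HTTP stack, proxy or server merges or drops repeated Authorization headers is worth checking on the real path, which is why the stub reads them with get_all rather than a single lookup.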
From: Sander A. <sa....@fz...> - 2024-01-04 08:35:35
Attachments:
smime.p7s
Good morning Krzysztof, good morning Roman,

happy new year, too! Yes, this helps and should be no problem for our use-case. I only need to adapt my test case.

Best regards,
Sander