Federating via OAuth

The Fed4FIRE+ portal is a standards-compliant OAuth2 and OpenID Connect provider. It allows Clients (also known as Relying Parties) to verify the identity of the End-User, as well as to obtain basic profile information about the End-User in a REST-like manner.

OpenID Connect extends OAuth 2.0: the OAuth 2.0 protocol provides API security via scoped access tokens, and OpenID Connect adds user authentication and single sign-on (SSO) functionality on top of it.

The Fed4FIRE+ portal provides all OpenID Connect metadata via https://portal.fed4fire.eu/.well-known/openid-configuration.

The access_token and id_token returned by the OIDC login flow are JWTs containing information on the end user. The JWKS with the public keys needed to verify the signatures of these tokens can also be retrieved via the metadata document linked above.
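The Relying-Party side of this flow in Python, as an added example (not code from the Fed4FIRE+ documentation or the portal itself): building the authorization request with a fresh state and nonce, decoding the returned JWT while refusing unexpected algorithms, and running the OIDC Core id_token claim checks. The allowed-algorithm set is an assumption; the real authorization endpoint comes from the discovery document, and the signature must be verified against the portal's JWKS before the claim checks are trusted.

```python
import base64
import json
import secrets
import time
from urllib.parse import urlencode

ISSUER = "https://portal.fed4fire.eu"        # issuer of the discovery document named on the page
ALLOWED_ALGS = {"RS256", "ES256"}              # assumption: JWKS-signed tokens only, never "none"/HS*

def build_authorization_request(discovery, client_id, redirect_uri, scope="openid userinfo"):
    """Build the authorization-code request URL; the RP must keep state and nonce in the session."""
    state = secrets.token_urlsafe(32)   # ties the callback to this browser session (anti-CSRF)
    nonce = secrets.token_urlsafe(32)   # must come back inside the id_token (anti-replay)
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": scope, "state": state, "nonce": nonce}
    return discovery["authorization_endpoint"] + "?" + urlencode(params), state, nonce

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def decode_jwt(token):
    """Split a compact JWT into (header, claims, signature); nothing is trusted until verified."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") not in ALLOWED_ALGS:      # reject alg=none / algorithm-confusion tokens
        raise ValueError("unexpected alg %r" % header.get("alg"))
    return header, json.loads(_b64url_decode(claims_b64)), _b64url_decode(sig_b64)

def validate_id_token_claims(claims, client_id, expected_nonce, now=None, skew=60):
    """OIDC Core 3.1.3.7 checks; run only after the signature was verified against the JWKS."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:
        raise ValueError("token was not issued for this client")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise ValueError("multiple audiences but azp is not this client")
    if claims.get("exp", 0) <= now - skew:
        raise ValueError("id_token expired")
    if "iat" not in claims or claims["iat"] > now + skew:
        raise ValueError("missing or future iat")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: possible replay")
    if "sub" not in claims:
        raise ValueError("no subject")
    return claims["sub"]
```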

Registering your service as an OAuth Client

Please email contact@fed4fire.eu with the following information on your service:

  • Service Name
  • Service URL
  • One or more redirect URIs: valid callback locations to which the authorization code or tokens may be sent. (Tip: also include any redirect URIs that you want to use for your test and/or staging environments.)
  • Token endpoint auth method: either client_secret_basic or client_secret_post are supported.

We will then register your service in the portal and provide you with a client_id and client_secret to use.

Familiarizing yourself with the authentication workflow

If you want to familiarize yourself with the OIDC workflow, you can use either the OpenID Connect Playground or Hoppscotch.

Note that the Client ID and Client Secret provided below only have https://openidconnect.net/callback and https://hoppscotch.io as registered redirect URIs. They can thus only be used on these websites.

OpenID Connect Playground

  1. Click on the ‘Configuration’ button
  2. Select Server Template ‘Custom’
  3. Use Discovery Document URL https://portal.fed4fire.eu/.well-known/openid-configuration
  4. Set the OIDC Client ID to zjscm8rJBH7j96y5sUeVF5sv and OIDC Client Secret to PEesNzJRtjXLoGlL0XVFWDFRmAIHrywB3fRh6EKebBHKepZV
  5. Set Scope to openid userinfo
  6. Save the configuration

You can now perform the full authentication flow:

  • Redirect to OpenID Connect Server
  • Exchange Code from Token
  • Verify User Token

Hoppscotch

Download the Fed4FIRE Portal Hoppscotch collection with the example userinfo request.

On hoppscotch.io:

  1. Load the Collection via ‘My Collections’ -> ‘Import/Export’ -> ‘Import from Hoppscotch’
  2. Open the ‘Userinfo request’ in this collection
  3. In the tab Authorization, scroll down and click on ‘Generate token’ to perform the OIDC login flow
  4. Now you can execute the request itself; it passes the retrieved access_token in the Authorization header when querying https://portal.fed4fire.eu/api/userinfo.

Figure: Loading the Hoppscotch collection and performing the authorization workflow.

Figure: The result of the Userinfo request.