Currently the ESAP Gateway uses mozilla_django_oidc as the authentication app to connect to ESCAPE IAM. This requires a file on your host containing the client ID and client secret.
If you do not need the authentication and authorization part of ESAP for the moment, you can set the environment variables OIDC_RP_CLIENT_ID and OIDC_RP_CLIENT_SECRET to any random value, e.g. copy the file exactly as shown below.
/$HOME/shared/oidc.env

```
OIDC_RP_CLIENT_ID="<your-client-id>"
OIDC_RP_CLIENT_SECRET="<your-client-secret>"
OIDC_OP_JWKS_ENDPOINT=https://iam-escape.cloud.cnaf.infn.it/jwk
OIDC_OP_AUTHORIZATION_ENDPOINT=https://iam-escape.cloud.cnaf.infn.it/authorize
OIDC_OP_TOKEN_ENDPOINT=https://iam-escape.cloud.cnaf.infn.it/token
OIDC_OP_USER_ENDPOINT=https://iam-escape.cloud.cnaf.infn.it/userinfo
LOGIN_REDIRECT_URL=https://sdc-dev.astron.nl/esap-gui/login
LOGOUT_REDIRECT_URL=https://sdc-dev.astron.nl/esap-gui/logout
LOGIN_REDIRECT_URL_FAILURE=https://sdc-dev.astron.nl/esap-gui/error
```
/$HOME/shared/esap.env

```
RUCIO_AUTH_TOKEN=fake-rucio-auth-token
RUCIO_HOST=https://escape-rucio.cern.ch
RUCIO_PORT=32300
RUCIO_AUTH_PORT=32301
```
If you want to deploy the ESAP API Gateway with working AAI, please register at ESCAPE IAM (https://iam-escape.cloud.cnaf.infn.it/).
For client registration with ESCAPE IAM, please visit https://indigo-iam.github.io/docs/v/current/user-guide/client-registration.html for documentation. The redirect URIs should be:

- `http://127.0.0.1:8000/oidc/callback/`
- `http://localhost:8000/oidc/callback/`
- `https://sdc.astron.nl:5555/esap-api/oidc/callback/`
- `http://127.0.0.1:5555/esap-api/oidc/callback/`
Using tokens from external applications
It is possible to access the secured routes in ESAP from external applications using tokens. For this to work, you need to make sure that the tokens contain the following:

- The JWT token should have an `aud` (audience) claim with `rucio` as content.
- The JWT token should have a `scopes` claim with at least `openid email profile` as content.
These are the default values; if they do not work, check the ESAP configuration:

```python
OIDC_AUTH_REQUEST_EXTRA_PARAMS = {'audience':'rucio'}
OIDC_RP_SCOPES = "openid email profile"
```
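The claim requirements above (`aud` containing `rucio`, scopes covering at least `openid email profile`) and the two settings they come from can be checked on the gateway side before a token is trusted. The following is an added example, not ESAP's or mozilla_django_oidc's own code: it builds a constructed HS256 token with a made-up key so the check runs offline, verifies the signature first, and only then inspects the claims. The real gateway verifies RS256 tokens against OIDC_OP_JWKS_ENDPOINT instead; the HS256 key, the helper names, and the acceptance of `scope` as an alternative spelling of the page's `scopes` claim are all assumptions of this example.

```python
import base64
import hashlib
import hmac
import json

# Values mirroring the ESAP settings shown on the page.
OIDC_AUTH_REQUEST_EXTRA_PARAMS = {"audience": "rucio"}
OIDC_RP_SCOPES = "openid email profile"

# Constructed HS256 shared secret for this offline example only; the real
# gateway verifies RS256 signatures against the keys published at
# OIDC_OP_JWKS_ENDPOINT, which this example does not contact.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def make_demo_jwt(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a constructed HS256 JWT so the checks below can run offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_demo_jwt(token: str, key: bytes = DEMO_KEY) -> dict:
    """Check the HS256 signature and return the decoded claims.

    Raises ValueError on malformed, unsigned or tampered tokens. Signature
    verification comes before any claim inspection: claims read from an
    unverified token are untrusted input.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # reject 'none' and any other alg
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def check_esap_claims(claims: dict,
                      audience: str = OIDC_AUTH_REQUEST_EXTRA_PARAMS["audience"],
                      required_scopes: str = OIDC_RP_SCOPES) -> list:
    """Return a list of problems; an empty list means the token is acceptable.

    RFC 7519 allows 'aud' to be a single string or a list of strings, so both
    forms are handled. The page names the scope claim 'scopes'; the 'scope'
    spelling from RFC 9068 is accepted as well (assumption, not ESAP behaviour).
    """
    problems = []
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else (aud or [])
    if audience not in audiences:
        problems.append(f"aud claim does not contain {audience!r}")
    raw_scopes = claims.get("scopes", claims.get("scope", ""))
    if isinstance(raw_scopes, str):
        granted = set(raw_scopes.split())   # space-separated string form
    else:
        granted = set(raw_scopes or [])     # list form
    missing = set(required_scopes.split()) - granted
    if missing:
        problems.append(f"missing scopes: {' '.join(sorted(missing))}")
    return problems


def inspect_token(token: str) -> list:
    """Verify the signature, then apply the ESAP claim checks."""
    try:
        claims = verify_demo_jwt(token)
    except ValueError as exc:
        return [f"rejected before claim checks: {exc}"]
    return check_esap_claims(claims)


if __name__ == "__main__":
    # Constructed sample tokens: one that satisfies the page's requirements,
    # one with the wrong audience and too few scopes.
    good = make_demo_jwt({"sub": "user1", "aud": ["rucio"], "scopes": "openid email profile"})
    bad = make_demo_jwt({"sub": "user1", "aud": "something-else", "scope": "openid"})
    print("good token:", inspect_token(good) or "OK")
    print("bad token:", inspect_token(bad))
```

The order of operations is the point worth keeping when adapting this to real tokens: reject anything whose signature does not verify (or whose `alg` is not the one you expect) before reading `aud` or `scopes`, and compare the audience against the configured value rather than merely checking that some audience is present.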