...
Code Block |
---|
#! /bin/bash # Step 1 export TOKEN=$(curl -s 'https://dev-apps.tis.nhs.uk/auth/realms/lin/protocol/openid-connect/token' \ -d "client_id=api-tokens&username=jamesh&password=j4m3srul3z&grant_type=password" | jq -r .access_token) # Step 2 - optional curl https://dev-apps.tis.nhs.uk/auth/realms/lin/protocol/openid-connect/token/introspect \ -d client_id=<client id> \ -d client_secret=<client secret> \ -d "token=${TOKEN}" \ | python -m json.tool # Step 3 curl -i -H "Authorization: bearer ${TOKEN}" \ https://dev-apps.tis.nhs.uk/api/revalidation/health |
NB for testing and debugging locally, use a token generated using:
curl -s 'https://dev-apps.tis.nhs.uk/auth/realms/lin/protocol/openid-connect/token' -d "client_id=api-tokens&username=jamesh&password=j4m3srul3z&grant_type=password" | jq -r .access_token
Or
curl -s 'http://localhost:8087/auth/realms/lin/protocol/openid-connect/token' -d "client_id=api-tokens&username=jamesh&password=j4m3srul3z&grant_type=password" | jq -r .access_token
Note: the client_id = api-tokens. This will bring back user roles etc
Use use a password grant to exchange a username and password for a JWT token. The response from this command will be a JSON document with the access token with it;
Code Block { "access_token": "<long string value>", "expires_in": 300, "id_token": "<long string value>", "not-before-policy": 0, "refresh_expires_in": 1800, "refresh_token": "<long string value>", "session_state": "<uuid>", "token_type": "bearer" }
- In this step, we show how the token is validated using a client id and secret. This step will be completed by mod_auth_openidc and is included for completeness.
In this step, we add the "Authorization: Bearer <access token>" header to our call. Apache will intercept the call, extract the JWT and validate it before forwarding the request to the target API.
Code Block GET /test/ HTTP/1.1 Host: dev-apps.tis.nhs.uk User-Agent: curl/7.49.1 Accept: */* Authorization: bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJrcEk5UC1hQ3JaTXJ4cG5aeWNnNnlISk9VZ3g0a2hUYS04TlJyMkRhY0g0In0.eyJqdGkiOiI4MTNhNzUzMS04NmIzLTRjOTgtODY4ZS01NzA5M2E4NDY2MmQiLCJleHAiOjE0ODA2MDkyNzQsIm5iZiI6MCwiaWF0IjoxNDgwNjA4OTc0LCJpc3MiOiJodHRwczovL2Rldi1hcHBzLmxpbi5uaHMudWsvYXV0aC9yZWFsbXMvbGluIiwiYXVkIjoiYWRtaW4tY2xpIiwic3ViIjoiNGY5YWRhY2MtZjEyNC00M2FmLTkyZDMtYjVlZDc3NjhlYTU0IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiYWRtaW4tY2xpIiwiYXV0aF90aW1lIjowLCJzZXNzaW9uX3N0YXRlIjoiZDM0M2ZiYmUtZjYxMS00YTg3LWE0ZTktODg0ODI0ZTYzN2VkIiwiYWNyIjoiMSIsImNsaWVudF9zZXNzaW9uIjoiODZkZTk0NTQtYmY1Ny00ZDM2LThjYjItOWU0ZjllMDA3MTQ2IiwiYWxsb3dlZC1vcmlnaW5zIjpbXSwicmVzb3VyY2VfYWNjZXNzIjp7fSwibmFtZSI6IkphbWVzIEh1ZHNvbiIsInByZWZlcnJlZF91c2VybmFtZSI6ImphbWVzaCIsImdpdmVuX25hbWUiOiJKYW1lcyIsImZhbWlseV9uYW1lIjoiSHVkc29uIn0.F_wFf1T_kEdcZDlG_H45lk5uukN26trTsPHcko-RF7Zk9VXLjPX6HcExASUmxMqMTBRrbYuLDDPWGZ7OoKHIp-bG-3wR3XqGDTVgQ-DbzarAtEDKsNbAzReh008uo_U3j9biwKHcWNOAFuSde5ZUma5qWS6jvpV750lwCb7WU8xikci9lD_WK6xW_H1B_KW8WJ4SpoH7qNI1OITFtMOQBx06z2q-DQVc_3bISwDKx-sFj6MFOr-0OcXz935H1OJICFYjljquY5q-6ZkB0bwVKVpOKd22q7cnAT50bzAbXCQifja0Jr9qVUytq79QxEDeGeAo40WzPO_a7PPTkfvHdw OIDC_CLAIM_name: James Hudson OIDC_CLAIM_allowed-origins: OIDC_CLAIM_typ: Bearer OIDC_CLAIM_azp: admin-cli OIDC_CLAIM_jti: 813a7531-86b3-4c98-868e-57093a84662d OIDC_CLAIM_sub: 4f9adacc-f124-43af-92d3-b5ed7768ea54 OIDC_CLAIM_nbf: 0 OIDC_CLAIM_auth_time: 0 OIDC_CLAIM_session_state: d343fbbe-f611-4a87-a4e9-884824e637ed OIDC_CLAIM_exp: 1480609274 OIDC_CLAIM_client_session: 86de9454-bf57-4d36-8cb2-9e4f9e007146 OIDC_CLAIM_iat: 1480608974 OIDC_CLAIM_iss: https://dev-apps.tis.nhs.uk/auth/realms/lin OIDC_CLAIM_aud: admin-cli OIDC_CLAIM_given_name: James OIDC_CLAIM_family_name: Hudson OIDC_CLAIM_acr: 1 OIDC_CLAIM_preferred_username: jamesh OIDC_CLAIM_username: jamesh OIDC_CLAIM_resource_access: {} OIDC_CLAIM_client_id: admin-cli OIDC_CLAIM_active: 1 OIDC_access_token: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJrcEk5UC1hQ3JaTXJ4cG5aeWNnNnlISk9VZ3g0a2hUYS04TlJyMkRhY0g0In0.eyJqdGkiOiI4MTNhNzUzMS04NmIzLTRjOTgtODY4ZS01NzA5M2E4NDY2MmQiLCJleHAiOjE0ODA2MDkyNzQsIm5iZiI6MCwiaWF0IjoxNDgwNjA4OTc0LCJpc3MiOiJodHRwczovL2Rldi1hcHBzLmxpbi5uaHMudWsvYXV0aC9yZWFsbXMvbGluIiwiYXVkIjoiYWRtaW4tY2xpIiwic3ViIjoiNGY5YWRhY2MtZjEyNC00M2FmLTkyZDMtYjVlZDc3NjhlYTU0IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiYWRtaW4tY2xpIiwiYXV0aF90aW1lIjowLCJzZXNzaW9uX3N0YXRlIjoiZDM0M2ZiYmUtZjYxMS00YTg3LWE0ZTktODg0ODI0ZTYzN2VkIiwiYWNyIjoiMSIsImNsaWVudF9zZXNzaW9uIjoiODZkZTk0NTQtYmY1Ny00ZDM2LThjYjItOWU0ZjllMDA3MTQ2IiwiYWxsb3dlZC1vcmlnaW5zIjpbXSwicmVzb3VyY2VfYWNjZXNzIjp7fSwibmFtZSI6IkphbWVzIEh1ZHNvbiIsInByZWZlcnJlZF91c2VybmFtZSI6ImphbWVzaCIsImdpdmVuX25hbWUiOiJKYW1lcyIsImZhbWlseV9uYW1lIjoiSHVkc29uIn0.F_wFf1T_kEdcZDlG_H45lk5uukN26trTsPHcko-RF7Zk9VXLjPX6HcExASUmxMqMTBRrbYuLDDPWGZ7OoKHIp-bG-3wR3XqGDTVgQ-DbzarAtEDKsNbAzReh008uo_U3j9biwKHcWNOAFuSde5ZUma5qWS6jvpV750lwCb7WU8xikci9lD_WK6xW_H1B_KW8WJ4SpoH7qNI1OITFtMOQBx06z2q-DQVc_3bISwDKx-sFj6MFOr-0OcXz935H1OJICFYjljquY5q-6ZkB0bwVKVpOKd22q7cnAT50bzAbXCQifja0Jr9qVUytq79QxEDeGeAo40WzPO_a7PPTkfvHdw X-Forwarded-Proto: https X-Forwarded-For: 89.16.226.104 X-Forwarded-Host: dev-apps.tis.nhs.uk X-Forwarded-Server: dev-apps.tis.nhs.uk Connection: Keep-Alive
...