...

Code Block
#!/bin/bash

# Step 1: password grant - exchange a username and password for an access token.
# The response is JSON; jq extracts the access_token field.
export TOKEN=$(curl -s 'https://dev-apps.tis.nhs.uk/auth/realms/lin/protocol/openid-connect/token' \
  -d "client_id=api-tokens&username=jamesh&password=j4m3srul3z&grant_type=password" | jq -r .access_token)

# Step 2 (optional): introspect the token using a client id and secret.
curl https://dev-apps.tis.nhs.uk/auth/realms/lin/protocol/openid-connect/token/introspect \
  -d "client_id=<client id>" \
  -d "client_secret=<client secret>" \
  -d "token=${TOKEN}" \
  | python -m json.tool

# Step 3: call the API, presenting the token in the Authorization header.
curl -i -H "Authorization: bearer ${TOKEN}" \
  https://dev-apps.tis.nhs.uk/api/revalidation/health

NB: for testing and debugging locally, generate a token with:

curl -s 'https://dev-apps.tis.nhs.uk/auth/realms/lin/protocol/openid-connect/token' -d "client_id=api-tokens&username=jamesh&password=j4m3srul3z&grant_type=password" | jq -r .access_token

or, against a locally running auth server:

curl -s 'http://localhost:8087/auth/realms/lin/protocol/openid-connect/token' -d "client_id=api-tokens&username=jamesh&password=j4m3srul3z&grant_type=password" | jq -r .access_token

Note: the client_id is api-tokens. Using this client brings back the user's roles etc. in the token.

  1. Use a password grant to exchange a username and password for a JWT. The response from this command is a JSON document containing the access token:

    Code Block
    {
        "access_token": "<long string value>",
        "expires_in": 300,
        "id_token": "<long string value>",
        "not-before-policy": 0,
        "refresh_expires_in": 1800,
        "refresh_token": "<long string value>",
        "session_state": "<uuid>",
        "token_type": "bearer"
    }


  2. In this step, we show how the token is validated (introspected) using a client id and secret. In practice this step is performed by mod_auth_openidc; it is included here for completeness.
  3. In this step, we add the "Authorization: Bearer <access token>" header to our call. Apache intercepts the call, extracts the JWT and validates it before forwarding the request to the target API. The request as received by the API, with the OIDC_CLAIM_* headers mod_auth_openidc adds from the validated token, looks like this:

    Code Block
    GET /test/ HTTP/1.1
    Host: dev-apps.tis.nhs.uk
    User-Agent: curl/7.49.1
    Accept: */*
    Authorization: bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJrcEk5UC1hQ3JaTXJ4cG5aeWNnNnlISk9VZ3g0a2hUYS04TlJyMkRhY0g0In0.eyJqdGkiOiI4MTNhNzUzMS04NmIzLTRjOTgtODY4ZS01NzA5M2E4NDY2MmQiLCJleHAiOjE0ODA2MDkyNzQsIm5iZiI6MCwiaWF0IjoxNDgwNjA4OTc0LCJpc3MiOiJodHRwczovL2Rldi1hcHBzLmxpbi5uaHMudWsvYXV0aC9yZWFsbXMvbGluIiwiYXVkIjoiYWRtaW4tY2xpIiwic3ViIjoiNGY5YWRhY2MtZjEyNC00M2FmLTkyZDMtYjVlZDc3NjhlYTU0IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiYWRtaW4tY2xpIiwiYXV0aF90aW1lIjowLCJzZXNzaW9uX3N0YXRlIjoiZDM0M2ZiYmUtZjYxMS00YTg3LWE0ZTktODg0ODI0ZTYzN2VkIiwiYWNyIjoiMSIsImNsaWVudF9zZXNzaW9uIjoiODZkZTk0NTQtYmY1Ny00ZDM2LThjYjItOWU0ZjllMDA3MTQ2IiwiYWxsb3dlZC1vcmlnaW5zIjpbXSwicmVzb3VyY2VfYWNjZXNzIjp7fSwibmFtZSI6IkphbWVzIEh1ZHNvbiIsInByZWZlcnJlZF91c2VybmFtZSI6ImphbWVzaCIsImdpdmVuX25hbWUiOiJKYW1lcyIsImZhbWlseV9uYW1lIjoiSHVkc29uIn0.F_wFf1T_kEdcZDlG_H45lk5uukN26trTsPHcko-RF7Zk9VXLjPX6HcExASUmxMqMTBRrbYuLDDPWGZ7OoKHIp-bG-3wR3XqGDTVgQ-DbzarAtEDKsNbAzReh008uo_U3j9biwKHcWNOAFuSde5ZUma5qWS6jvpV750lwCb7WU8xikci9lD_WK6xW_H1B_KW8WJ4SpoH7qNI1OITFtMOQBx06z2q-DQVc_3bISwDKx-sFj6MFOr-0OcXz935H1OJICFYjljquY5q-6ZkB0bwVKVpOKd22q7cnAT50bzAbXCQifja0Jr9qVUytq79QxEDeGeAo40WzPO_a7PPTkfvHdw
    OIDC_CLAIM_name: James Hudson
    OIDC_CLAIM_allowed-origins: 
    OIDC_CLAIM_typ: Bearer
    OIDC_CLAIM_azp: admin-cli
    OIDC_CLAIM_jti: 813a7531-86b3-4c98-868e-57093a84662d
    OIDC_CLAIM_sub: 4f9adacc-f124-43af-92d3-b5ed7768ea54
    OIDC_CLAIM_nbf: 0
    OIDC_CLAIM_auth_time: 0
    OIDC_CLAIM_session_state: d343fbbe-f611-4a87-a4e9-884824e637ed
    OIDC_CLAIM_exp: 1480609274
    OIDC_CLAIM_client_session: 86de9454-bf57-4d36-8cb2-9e4f9e007146
    OIDC_CLAIM_iat: 1480608974
    OIDC_CLAIM_iss: https://dev-apps.tis.nhs.uk/auth/realms/lin
    OIDC_CLAIM_aud: admin-cli
    OIDC_CLAIM_given_name: James
    OIDC_CLAIM_family_name: Hudson
    OIDC_CLAIM_acr: 1
    OIDC_CLAIM_preferred_username: jamesh
    OIDC_CLAIM_username: jamesh
    OIDC_CLAIM_resource_access: {}
    OIDC_CLAIM_client_id: admin-cli
    OIDC_CLAIM_active: 1
    OIDC_access_token: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJrcEk5UC1hQ3JaTXJ4cG5aeWNnNnlISk9VZ3g0a2hUYS04TlJyMkRhY0g0In0.<payload segment elided>.F_wFf1T_kEdcZDlG_H45lk5uukN26trTsPHcko-RF7Zk9VXLjPX6HcExASUmxMqMTBRrbYuLDDPWGZ7OoKHIp-bG-3wR3XqGDTVgQ-DbzarAtEDKsNbAzReh008uo_U3j9biwKHcWNOAFuSde5ZUma5qWS6jvpV750lwCb7WU8xikci9lD_WK6xW_H1B_KW8WJ4SpoH7qNI1OITFtMOQBx06z2q-DQVc_3bISwDKx-sFj6MFOr-0OcXz935H1OJICFYjljquY5q-6ZkB0bwVKVpOKd22q7cnAT50bzAbXCQifja0Jr9qVUytq79QxEDeGeAo40WzPO_a7PPTkfvHdw
    X-Forwarded-Proto: https
    X-Forwarded-For: 89.16.226.104
    X-Forwarded-Host: dev-apps.tis.nhs.uk
    X-Forwarded-Server: dev-apps.tis.nhs.uk
    Connection: Keep-Alive
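
To make "validate it before forwarding" in step 3 concrete, the following is an added example (not code from this page or from mod_auth_openidc) of the checks a gateway performs on a bearer token before trusting its claims, and of the OIDC_CLAIM_* header mapping seen in the dump above. It assumes a constructed HS256 key and a constructed token, because the dumped token is RS256-signed and the realm's public key is not available offline; DEMO_KEY, mint_demo_token, validate_bearer and claims_to_headers are the example's own names.

```python
import base64, hashlib, hmac, json

# DEMO_KEY is a constructed stand-in: the dumped token is RS256-signed and the gateway
# verifies it with the realm's public key; HS256 is used here only so the example runs offline.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
EXPECTED_ISS = "https://dev-apps.tis.nhs.uk/auth/realms/lin"  # OIDC_CLAIM_iss in the dump
EXPECTED_ALG = "HS256"  # pinned: the token's own header never chooses the algorithm

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def mint_demo_token(claims: dict) -> str:
    """Build a signed test token carrying the claim names seen in the dump."""
    head = b64url(json.dumps({"alg": EXPECTED_ALG, "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def validate_bearer(token: str, now: int, expected_aud: str = "admin-cli") -> dict:
    """Gateway checks before forwarding: pinned alg, signature, exp, nbf, iss, aud."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head_seg, body_seg, sig_seg = parts
    if json.loads(b64url_decode(head_seg)).get("alg") != EXPECTED_ALG:
        raise ValueError("unexpected alg")
    want = hmac.new(DEMO_KEY, f"{head_seg}.{body_seg}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, b64url_decode(sig_seg)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_seg))  # only trusted after the signature check
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    return claims

def claims_to_headers(claims: dict) -> dict:
    """Mirror the OIDC_CLAIM_<name> request headers added in the step-3 dump."""
    return {f"OIDC_CLAIM_{k}": v if isinstance(v, str) else json.dumps(v)
            for k, v in claims.items()}
```

The exp and iat values used in the test below are the ones from the dump, 300 seconds apart, matching the expires_in of 300 in the step-1 response.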


...