How to interact with Helmholtz ID via oidc-agent
oidc-agent is a set of tools to manage OpenID Connect tokens and make
them easily usable from the command line.
Installing the agent
To install the agent, follow the instructions on the oidc-agent website:
https://indigo-dc.gitbook.io/oidc-agent/intro
A growing number of Linux distributions ship oidc-agent in their package
repositories. If you use one of these distributions, you may prefer the
packaged version.
Create a Configuration for Helmholtz ID
oidc-agent comes with a number of pre-configured public client configurations.
There is also a public client for Helmholtz ID which makes configuration easy.
To start the configuration process, run:
oidc-gen --pub <shortname>
Then:
- Enter https://login.helmholtz.de/oauth2 as the issuer, or select the corresponding number from the presented list.
- Select the scopes you want to access, or accept the preconfigured list.
- Enter the desired redirect URLs. You have to add at least one; if you only plan to use the CLI agent, the value does not really matter, so you can use e.g. http://localhost:8080. If you use the pre-configured public client, you must use exactly this redirect URL, because only the URLs registered for that client are accepted.
- Important: log in with your home IdP in the browser window that opens. This step is necessary to complete the account configuration.
- As a final step, add a password for the generated configuration. This password encrypts the configuration file, which contains the refresh token for your account, and you will need it every time you add the configuration to oidc-agent, so note down your passphrase carefully.
- Start oidc-agent and set the necessary environment variables with:
eval `oidc-agent`
- Check that your configuration works with:
oidc-token <short name of your configuration>
Nota bene
- If you are configuring oidc-agent on a computer without an X session (e.g. a machine you are logged into with pure ssh), use the command
oidc-gen --pub --no-url-call --no-webserver <shortname>
The agent will then print a URL. Copy it into a browser of your choice and log in as usual; the browser will end on a "Page not found" error, because there is no local web server to receive the redirect. Copy the URL from the browser's address bar (it carries the authorization code) and paste it into your ssh session, following the instructions oidc-gen printed before.
- If you are logged into a machine via ssh and the $DISPLAY environment variable is not set, oidc-agent will assume that you are on a "dumb" device and invoke an authorization flow (the device flow) that is deactivated in the Helmholtz AAI. Your configuration attempt will fail unless you set the variable, e.g. with export DISPLAY=:0 on a Linux machine.
Using oidc-agent
After configuring oidc-agent and logging in, you can start using it.
oidc-token <short name of your configuration> prints an access token
on the command line, which can be used for further action, for example
with the API of a service that authenticates users via Helmholtz ID.
Treat the token like a password: until it expires, anyone who has it can
act in your name towards such a service.
For further information, please read the manual.
Accessing user information
You can, for example, request your user information with curl:
curl -H "Authorization: Bearer `oidc-token <short name of your configuration>`" -X GET https://login.helmholtz.de/oauth2/userinfo
If you want a nicely readable output, you can format the result with jq (you may have to install jq first):
curl -H "Authorization: Bearer `oidc-token <short name of your configuration>`" -X GET https://login.helmholtz.de/oauth2/userinfo | jq .
Note that with this invocation the token becomes part of curl's command line, where other users on a shared machine can read it from the process list. On multi-user systems, pass the header from a file (curl -H @file) instead.
The response is a JSON object containing the claims released for the scopes you selected when configuring the client.
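The following script is an added example, not code from this page or from the oidc-agent project. It does what the curl one-liners above do, but reads the token from oidc-token's output into a file that only the current user can read, passes that file to curl with -H @file so the token never appears in a process argument list, and turns the HTTP status of the userinfo endpoint into a distinct exit status. It assumes an oidc-agent configuration named helmholtz (any shortname can be passed as the first argument), curl 7.55 or newer (needed for -H @file), and the exit-code scheme is the example's own choice.

```shell
#!/bin/sh
# Added example; not code from the Helmholtz AAI page or from oidc-agent.
# Calls the userinfo endpoint with a token from oidc-agent without putting
# the token on a command line, where `ps` would show it to other users.
# Assumptions: an oidc-agent configuration named "helmholtz" exists (any
# shortname can be passed as $1) and curl is >= 7.55 (for -H @file).

USERINFO_URL="https://login.helmholtz.de/oauth2/userinfo"

# Read a token from stdin, write "Authorization: Bearer <token>" to a file
# that only the current user can read, and print the file name.
# Fails (status 1) on an empty token, e.g. when oidc-token printed nothing.
make_header_file() {
  hdr=$(mktemp) || return 1
  chmod 600 "$hdr"
  token=$(cat)
  if [ -z "$token" ]; then rm -f "$hdr"; return 1; fi
  printf 'Authorization: Bearer %s\n' "$token" > "$hdr"
  printf '%s\n' "$hdr"
}

# Map the HTTP status of the userinfo response to an exit status:
#   200 -> 0 (claims on stdout), 401 -> 3 (token rejected), other -> 4.
classify_status() {
  case "$1" in
    200) return 0 ;;
    401) echo "token rejected (expired or revoked); get a fresh one with oidc-token, or reload the configuration with oidc-add" >&2
         return 3 ;;
    *)   echo "userinfo request failed with HTTP status $1" >&2
         return 4 ;;
  esac
}

# Fetch a token from the running agent and query the userinfo endpoint.
# Returns 2 when no token could be obtained (agent not running or the
# configuration not loaded), otherwise the status from classify_status.
helmholtz_userinfo() {
  name=${1:-helmholtz}
  hdr=$(oidc-token "$name" | make_header_file) || {
    echo "no token for '$name': is the agent running (eval \`oidc-agent\`) and the configuration loaded (oidc-add $name)?" >&2
    return 2
  }
  body="$hdr.body"
  status=$(curl -sS -o "$body" -w '%{http_code}' -H "@$hdr" "$USERINFO_URL")
  curl_rc=$?
  rm -f "$hdr"                       # the token file lives only for one request
  if [ "$curl_rc" -ne 0 ]; then rm -f "$body"; return 4; fi
  classify_status "$status" || { rc=$?; rm -f "$body"; return "$rc"; }
  cat "$body"; rm -f "$body"
}

# Run only when given a shortname, e.g.:  sh userinfo.sh helmholtz | jq .
if [ $# -gt 0 ]; then helmholtz_userinfo "$1"; fi
```

The header file is created by mktemp (mode 0600) and deleted right after the request, so the token is on disk only for the duration of one call; the exit status lets a calling script distinguish "agent not set up" (2) from "token no longer accepted" (3) without parsing error text.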
Need help?
Contact us if you need help.