Authorization Service API Examples

The following are simple Python examples of how to call the API. This is a non-exhaustive list. All endpoints can be found on the Authorization Service API Swagger Interface.

Applications can be added to groups through the Application Portal on the Group Memberships Tab, or via a SNOW ticket.


Get an API token

import requests

keycloak_api_token_endpoint = "https://keycloak-dev.cern.ch/auth/realms/cern/api-access/token"

# Client-credentials request. MY_CLIENT and MY_SECRET are placeholders:
# load the real secret from the environment or a secret store, not from source.
token_resp = requests.post(
    keycloak_api_token_endpoint,
    data={
        "grant_type": "client_credentials",
        "client_id": "MY_CLIENT",
        "client_secret": "MY_SECRET",
        "audience": "authorization-service-api",
    },
    headers={"Content-Type": "application/x-www-form-urlencoded"},
)
token_resp.raise_for_status()  # stop here on a failed token request

api_token = token_resp.json()["access_token"]
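
As an added example (not part of the original page and not CERN's own code), the token request above can be wrapped so that the secret comes from the environment and one token is reused until shortly before it expires. `fetch_token`, `ApiTokenCache`, the `AUTHZ_CLIENT_ID` / `AUTHZ_CLIENT_SECRET` variable names and the presence of the standard OAuth2 `expires_in` field in the response are assumptions.

```python
import os
import time


def fetch_token(endpoint, client_id, client_secret, audience):
    """Client-credentials request as on the page; TLS verification stays on."""
    import requests  # imported lazily so the caching logic can be tested offline
    resp = requests.post(
        endpoint,
        data={"grant_type": "client_credentials", "client_id": client_id,
              "client_secret": client_secret, "audience": audience},
        timeout=10,
    )
    resp.raise_for_status()
    return resp.json()


class ApiTokenCache:
    """Hypothetical helper: reuse one token until shortly before it expires."""

    def __init__(self, endpoint, client_id, client_secret, audience,
                 fetch=fetch_token, clock=time.monotonic, skew=30):
        if not endpoint.startswith("https://"):
            raise ValueError("token endpoint must use https")
        self._args = (endpoint, client_id, client_secret, audience)
        self._fetch, self._clock, self._skew = fetch, clock, skew
        self._token, self._expires_at = None, 0.0

    def get(self):
        if self._token is None or self._clock() >= self._expires_at:
            body = self._fetch(*self._args)
            self._token = body["access_token"]
            # Assumption: the response carries the standard OAuth2 expires_in
            # (seconds); without it a new token is fetched on every call.
            lifetime = float(body.get("expires_in", 0))
            # Refresh `skew` seconds early so a token never expires in flight.
            self._expires_at = self._clock() + max(lifetime - self._skew, 0.0)
        return self._token

    def auth_header(self):
        return {"Authorization": "Bearer {}".format(self.get())}


if __name__ == "__main__":
    # AUTHZ_CLIENT_ID / AUTHZ_CLIENT_SECRET are assumed variable names.
    cache = ApiTokenCache(
        "https://keycloak-dev.cern.ch/auth/realms/cern/api-access/token",
        os.environ["AUTHZ_CLIENT_ID"], os.environ["AUTHZ_CLIENT_SECRET"],
        "authorization-service-api")
    print("token obtained:", bool(cache.get()))
```

`cache.auth_header()` can replace the hand-built `Authorization` header in the calls that follow.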

Get the Identity object of the caller

authzsvc_endpoint = "https://authorization-service-api-dev.web.cern.ch/api/v1.0/"

me = requests.get(
    "{}Identity/current".format(authzsvc_endpoint),
    headers={"Authorization": "Bearer {}".format(api_token)},
)

my_id = me.json()["data"]["id"]

Update an application

Pre-requisites: The client used to request the token must

  • Be a member of the administrator group for the application
  • Be a member of authorization-service-applications-users

authzsvc_endpoint = "https://authorization-service-api-dev.web.cern.ch/api/v1.0/"
application_id = "08d9421f-1b3f-4785-8889-5034fa343418"

# Create a new role on the application
new_role = requests.post(
    "{0}Application/{1}/roles".format(authzsvc_endpoint, application_id),
    headers={"Authorization": "Bearer {}".format(api_token)},
    json={
        "name": "testrole",
        "displayName": "test role",
        "description": "testing role creation",
        "required": False,
        "multifactor": False,
        "applyToAllUsers": False,
        "minimumLoaId": "f0000000-0000-0000-0000-0000000000b4",
        "applicationId": application_id,
    },
)

Get group memberships

Pre-requisites: The client used to request the token must

  • Be a member of the administrator group of the group to be queried

OR

  • Be a member of authorization-service-groups-readers

authzsvc_endpoint = "https://authorization-service-api-dev.web.cern.ch/api/v1.0/"
my_group = "testgroup"

my_group_members = requests.get(
    "{0}Group/{1}/memberidentities".format(authzsvc_endpoint, my_group),
    headers={"Authorization": "Bearer {}".format(api_token)},
)

Add external members to a group

Pre-requisites: The client used to request the token must

  • Be a member of the administrator group of the group to be updated

email = "test77@example.com"
authzsvc_endpoint = "https://authorization-service-api-dev.web.cern.ch/api/v1.0/"
my_group = "testgroup"

# Pass the address via params so that requests URL-encodes it
my_group_new_member = requests.post(
    "{0}Group/{1}/memberidentities/external".format(authzsvc_endpoint, my_group),
    params={"emails": email},
    headers={"Authorization": "Bearer {}".format(api_token)},
)

Get user information

Note: This endpoint may be used as an alternative to the legacy endpoint http://winservices-soap.web.cern.ch/winservices-soap/TSCSE/Authentication.asmx/GetUserLongInfo

Pre-requisites: The client used to request the token must

  • Be a member of authorization-service-identity-readers

identity = "mcurie"
authzsvc_endpoint = "https://authorization-service-api-dev.web.cern.ch/api/v1.0/"

# Certificate verification is left at its default (enabled), so the bearer
# token is only sent to a server that presents a valid certificate.
identities = requests.get(
    "{0}Identity/{1}".format(authzsvc_endpoint, identity),
    headers={"Authorization": "Bearer {}".format(api_token)},
)

You will get a response containing a data object as follows:

{
  "externalEmail": "None",
  "primaryAccountEmail": "None",
  "type": "Person",
  "upn": "mcurie",
  "displayName": "Marie Curie",
  "personId": "77777",
  "supervisorId": "1111-1111-1111-1111-1111",
  "source": "cern",
  "unconfirmed": false,
  "unconfirmedEmail": "None",
  "primaryAccountId": "1111-1111-1111-1111-1111",
  "uid": 82828,
  "gid": 2727,
  "resourceCategory": "Personal",
  "reassignable": false,
  "autoReassign": false,
  "pendingAction": false,
  "blocked": false,
  "securityIssues": false,
  "blockingReason": "None",
  "blockingTime": "None",
  "blockingDeadline": "None",
  "expirationDeadline": "None",
  "ownerId": "None",
  "id": "1111-1111-1111-1111-1111",
  "room": "111",
  "floor": "1",
  "orcid": "0000-0003-2187-0980",
  "building": "11",
  "lastName": "Curie",
  "cernGroup": "XX",
  "firstName": "Marie",
  "telephone1": "66666",
  "cernSection": "XXX",
  "description": "CERN - XX/XX",
  "instituteName": "CERN",
  "portablePhone": "111111",
  "cernDepartment": "XX",
  "instituteAbbreviation": "CERN",
  "preferredCernLanguage": "EN"
}