Managing applications for other users with the API
The Authorization Service API supports the special use case of a service account managing applications on behalf of other users. The users are able to modify their application details or delete them, but the SSO registrations can only be changed by the manager identity.
Using the API endpoints
In order to create such an application, the managerId field needs to be specified in the JSON payload when creating applications. The endpoint is the regular application creation one: /api/v1.0/Application/. An example payload would look like this:
{
    "applicationIdentifier": "webframeworks-test1-myapps_name23",
    "description": "this is a sample",
    "displayName": "Web frameworks site myapps_name23 (test1)",
    "homePage": "https://example.cern.ch",
    "managerId": "08d81781-f230-4d7f-8cc9-15fb9226a78b",
    "ownerId": "79dc4216-83a0-4c7f-86ac-3f04e1f74c05"
}
There are several constraints to the endpoint:
- the managerId must be the ID of the caller's Identity in the Authorization Service; anything else is not allowed. The caller/manager must be an Application or Service Identity.
- the ownerId must be specified, and it must be the Primary Identity of a person or a Service Identity. The ownerId cannot be the managerId.
- the application identity must belong to the group authorization-service-applications-managers; see the Overview page for defined permissions.
The following example may be helpful for getting started.
import requests
from getpass import getpass

keycloak_api_token_endpoint = "https://keycloak-qa.cern.ch/auth/realms/cern/api-access/token"
authzsvc_endpoint = "https://authorization-service-api-qa.web.cern.ch/api/v1.0/"

# Your OIDC client must:
# - have Client Credentials enabled
# - be in group authorization-service-applications-managers
client_id = "my_client"
client_secret = getpass("Client secret: ")  # prompt for the secret instead of hard-coding it

################### Get your API token #####################
token_resp = requests.post(
    keycloak_api_token_endpoint,
    data={
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": "authorization-service-api",
    },
    headers={"Content-Type": "application/x-www-form-urlencoded"},
)
token_resp.raise_for_status()  # fail early on wrong credentials or endpoint
api_token = token_resp.json()["access_token"]

################### Get the internal ID for your client #####################
# managerId must be the caller's own Identity, so look it up rather than guess it
me = requests.get(
    "{}Identity/current".format(authzsvc_endpoint),
    headers={"Authorization": "Bearer {}".format(api_token)},
)
me.raise_for_status()
my_id = me.json()["data"]["id"]

################### Create a managed application #####################
new_app = requests.post(
    "{}Application".format(authzsvc_endpoint),
    headers={"Authorization": "Bearer {}".format(api_token)},
    json={
        "applicationIdentifier": "webframeworks-test1-myapps_name23",
        "description": "this is a sample",
        "displayName": "Web frameworks site myapps_name23 (test1)",
        "homePage": "https://example.cern.ch",
        "managerId": my_id,  # Managed by the caller
        "ownerId": "79dc4216-83a0-4c7f-86ac-3f04e1f74c05",  # Owned by a Person or Service
    },
)
new_app.raise_for_status()  # surfaces constraint violations returned by the API
Permissions for managed applications
Owners and administrators can:
- Define roles for the application, map roles to groups.
- Change owner of the application (with approval from new owner).
- Change the administrators group.
- Delete the application.
- Modify the homepage, description, and display name.
Managers can:
- All of the Owners and administrators actions.
- Modify SSO registrations for the application (OIDC or SAML).
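As an added example that is not part of the Authorization Service documentation or its client code, the following Python encodes the endpoint constraints listed above and the owner/administrator versus manager permission split as client-side checks; the identity directory, its identity kinds and the action names are constructed assumptions for illustration.

```python
MANAGERS_GROUP = "authorization-service-applications-managers"

# Constructed sample directory: identity id -> (kind, is_primary). In a real client
# this information comes from the Authorization Service Identity endpoints.
IDENTITIES = {
    "08d81781-f230-4d7f-8cc9-15fb9226a78b": ("Application", False),  # the caller
    "79dc4216-83a0-4c7f-86ac-3f04e1f74c05": ("Person", True),  # primary account
    "aaaaaaaa-0000-0000-0000-000000000001": ("Person", False),  # secondary account
    "bbbbbbbb-0000-0000-0000-000000000002": ("Service", False),
}

def managed_app_violations(payload, caller_id, caller_groups, identities=IDENTITIES):
    """Return every constraint the payload breaks; an empty list means it passes."""
    problems = []
    caller = identities.get(caller_id)
    if caller is None or caller[0] not in ("Application", "Service"):
        problems.append("caller must be an Application or Service Identity")
    if MANAGERS_GROUP not in caller_groups:
        problems.append("caller must belong to " + MANAGERS_GROUP)
    manager_id = payload.get("managerId")
    if manager_id != caller_id:
        problems.append("managerId must be the caller's own Identity id")
    owner_id = payload.get("ownerId")
    if not owner_id:
        problems.append("ownerId must be specified")
    else:
        kind, is_primary = identities.get(owner_id, (None, False))
        if not ((kind == "Person" and is_primary) or kind == "Service"):
            problems.append("ownerId must be a person's Primary Identity or a Service Identity")
        if owner_id == manager_id:
            problems.append("ownerId cannot be the managerId")
    return problems

# Permission split from this page: managers get everything owners/admins get, plus SSO.
OWNER_ADMIN_ACTIONS = frozenset({
    "define_roles", "change_owner", "change_admin_group", "delete", "modify_details",
})
MANAGER_ACTIONS = OWNER_ADMIN_ACTIONS | {"modify_sso_registration"}

def is_allowed(role, action):
    """role is 'owner', 'administrator' or 'manager'; unknown roles get nothing."""
    if role == "manager":
        return action in MANAGER_ACTIONS
    if role in ("owner", "administrator"):
        return action in OWNER_ADMIN_ACTIONS
    return False
```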