
Managing applications for other users with the API

The Authorization Service API supports the special use case of a service account managing applications on behalf of other users. Those users can still modify their application's details or delete it, but the SSO registrations can only be changed by the manager identity.

Using the API endpoints

To create such an application, set the managerId field in the JSON payload sent to the regular application-creation endpoint, /api/v1.0/Application/. An example payload looks like this:

{
  "applicationIdentifier": "webframeworks-test1-myapps_name23",
  "description": "this is a sample",
  "displayName": "Web frameworks site myapps_name23 (test1)",
  "homePage": "https://example.cern.ch",
  "managerId": "08d81781-f230-4d7f-8cc9-15fb9226a78b",
  "ownerId": "79dc4216-83a0-4c7f-86ac-3f04e1f74c05"
}

There are several constraints to the endpoint:

  • the managerId must be the ID of the caller's own Identity in the Authorization Service; any other value is rejected. The caller (i.e. the manager) must be an Application or Service Identity.
  • the ownerId must be specified and must be the Primary Identity of a person or a Service Identity; it cannot be the same as the managerId.
  • the calling application identity must belong to the group authorization-service-applications-managers; see the Overview page for the permissions it defines.
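The first two constraints can be checked locally before the request is sent, which gives a clearer error than a rejected POST. The following validator is an added example, not code from the Authorization Service or this page: the field names and the {"data": {"id": ...}} shape of the GET Identity/current response come from the page, while the function names, error messages and the assumption that identity IDs are GUIDs (as the page's samples are) belong to this example. The third constraint (group membership) can only be enforced server-side, so it is not checked here.

```python
import uuid

# Added example (not the Authorization Service's own code): validate a
# managed-application payload against the constraints documented on this page.
# Field names and the GET Identity/current response shape come from the page;
# function names, messages and the GUID format check are assumptions.

REQUIRED_FIELDS = ("applicationIdentifier", "displayName", "homePage", "managerId", "ownerId")


def caller_id_from_identity_response(body):
    """Extract the caller's internal ID from a GET Identity/current response body."""
    return body["data"]["id"]


def _is_guid(value):
    """The page's sample identity IDs are GUIDs; treat anything else as malformed."""
    try:
        uuid.UUID(str(value))
    except (ValueError, TypeError):
        return False
    return True


def validate_managed_application_payload(payload, caller_id):
    """Return a list of constraint violations; an empty list means the payload is acceptable.

    caller_id is the ID returned by GET Identity/current for the token that will be used,
    i.e. the only value the API accepts as managerId.
    """
    problems = []
    for field in REQUIRED_FIELDS:
        if not payload.get(field):
            problems.append("missing field: {}".format(field))
    manager_id = payload.get("managerId")
    owner_id = payload.get("ownerId")
    # Constraint 1: managerId must be the caller's own identity.
    if manager_id and manager_id != caller_id:
        problems.append("managerId must equal the caller's identity ({})".format(caller_id))
    # Constraint 2: ownerId is mandatory (covered above) and must differ from managerId.
    if owner_id and owner_id == manager_id:
        problems.append("ownerId must not be the same as managerId")
    # Format check on both identity IDs (assumption: GUIDs, as in the page's samples).
    for name, value in (("managerId", manager_id), ("ownerId", owner_id)):
        if value and not _is_guid(value):
            problems.append("{} is not a valid identity ID: {!r}".format(name, value))
    # Constraint 3 (membership of authorization-service-applications-managers)
    # is enforced by the server and cannot be verified offline.
    return problems


if __name__ == "__main__":
    # Constructed sample: the caller ID and payload mirror the page's example.
    caller = "08d81781-f230-4d7f-8cc9-15fb9226a78b"
    sample = {
        "applicationIdentifier": "webframeworks-test1-myapps_name23",
        "description": "this is a sample",
        "displayName": "Web frameworks site myapps_name23 (test1)",
        "homePage": "https://example.cern.ch",
        "managerId": caller,
        "ownerId": "79dc4216-83a0-4c7f-86ac-3f04e1f74c05",
    }
    print(validate_managed_application_payload(sample, caller))
    print(validate_managed_application_payload(dict(sample, managerId=sample["ownerId"]), caller))
```

Call validate_managed_application_payload with the ID obtained from Identity/current and only POST when the returned list is empty.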

The following Python example may help you get started.

import requests

keycloak_api_token_endpoint = "https://keycloak-qa.cern.ch/auth/realms/cern/api-access/token"
authzsvc_endpoint = "https://authorization-service-api-qa.web.cern.ch/api/v1.0/"

# Your OIDC client must:
# - have Client Credentials enabled
# - be in group authorization-service-applications-managers
# The values below are placeholders: load the secret from a secret store or
# environment variable rather than committing it to source.
client_id = "my_client"
client_secret = "my_secret"

################### Get your API token #####################

token_resp = requests.post(
    keycloak_api_token_endpoint,
    data={
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": "authorization-service-api",
    },
    headers={"Content-Type": "application/x-www-form-urlencoded"},
    timeout=30,
)
token_resp.raise_for_status()  # fail early on bad credentials or a misconfigured client
api_token = token_resp.json()["access_token"]
auth_headers = {"Authorization": "Bearer {}".format(api_token)}

################### Get the internal ID for your client #####################

me = requests.get(
    "{}Identity/current".format(authzsvc_endpoint),
    headers=auth_headers,
    timeout=30,
)
me.raise_for_status()
my_id = me.json()["data"]["id"]  # the only value accepted as managerId

################### Create a managed application #####################

new_app = requests.post(
    "{}Application".format(authzsvc_endpoint),
    headers=auth_headers,
    json={
        "applicationIdentifier": "webframeworks-test1-myapps_name23",
        "description": "this is a sample",
        "displayName": "Web frameworks site myapps_name23 (test1)",
        "homePage": "https://example.cern.ch",
        "managerId": my_id,  # managed by the caller
        "ownerId": "79dc4216-83a0-4c7f-86ac-3f04e1f74c05",  # owned by a Person or Service Identity
    },
    timeout=30,
)
new_app.raise_for_status()  # raises on a rejected request, e.g. a violated constraint
print(new_app.json())

Permissions for managed applications

Owners and administrators can:

  • Define roles for the application, map roles to groups.
  • Change the owner of the application (with approval from the new owner).
  • Change the administrators group.
  • Delete the application.
  • Modify the homepage, description, and display name.

Managers can:

  • Everything owners and administrators can do.
  • Modify SSO registrations for the application (OIDC or SAML).