Retrieve a token for authenticating to one of the API gateways, for the `shasta` realm.
The following are important properties of authentication tokens:

- Keycloak access tokens remain valid for 365 days.
- Secrets do not expire; they are persistent in Keycloak.
- Tokens and secrets can be revoked at any time by an administrator.

The `expires_in` field of a token response states the lifetime, in seconds, of the token that was actually issued; if it differs from the figure above, the response is authoritative for that token.
The API gateways use OAuth2 for authentication. A token is required to authenticate with one of the gateways.
There are multiple API gateways, each used to access services from a different network:

- `services-gateway`
  - accessible at `api.nmnlb.SYSTEM_DOMAIN_NAME` or `api-gw-service-nmn.local`
- `customer-admin-gateway`
  - accessible at `api.cmn.SYSTEM_DOMAIN_NAME`
- `customer-user-gateway`
  - accessible at `api.can.SYSTEM_DOMAIN_NAME` or `api.chn.SYSTEM_DOMAIN_NAME`

A token for the `shasta` realm must be retrieved before services on any of these gateways can be called.
Some of the example commands pipe their output to `python -mjson.tool`. This is not required; it is simply used to format the output for readability.
1. Retrieve a token.

   How the token is retrieved depends on whether the request is made on behalf of a regular user (defined directly in Keycloak or backed by LDAP) or a service account.
   - Resource owner password grant (user account)

     The user account flow requires the username, password, and the client ID.

     In the example below, replace `myuser`, `mypass`, and `shasta` in the command with site-specific values. The `shasta` client is created during the CSM install process. A password given on the command line ends up in shell history and is visible in the process list; `curl` can read the form fields from a file instead (`-d @file`), and `--data-urlencode` is needed if the password contains characters such as `&` or `+`.

     ```bash
     curl -s -d grant_type=password \
          -d client_id=shasta \
          -d username=myuser \
          -d password=mypass \
          https://auth.cmn.SYSTEM_DOMAIN_NAME/keycloak/realms/shasta/protocol/openid-connect/token | python -mjson.tool
     ```

     Example output:

     ```json
     {
         "access_token": "ey...IA",
         "expires_in": 300,
         "not-before-policy": 0,
         "refresh_expires_in": 1800,
         "refresh_token": "ey...qg",
         "scope": "profile email",
         "session_state": "10c7d2f7-8921-4652-ad1e-10138ec6fbc3",
         "token_type": "bearer"
     }
     ```

     Use the value of `access_token` to make requests.
   - Client credentials (service account)

     The client credentials flow requires a client ID and client secret.

     There are two ways to use a service account:

     - By creating a new service account.
     - By using the Keycloak client that was generated by the CSM installation process:
       - The client ID is `admin-client`.
       - The client secret is generated during the install and put into a Kubernetes secret named `admin-client-auth`.

     1. (`ncn-mw#`) Retrieve the client secret from that Kubernetes secret:

        ```bash
        echo "$(kubectl get secrets admin-client-auth -ojsonpath='{.data.client-secret}' | base64 -d)"
        ```

        Example output:

        ```text
        2b0d6df0-183b-40e6-93be-51c7854388a1
        ```

     2. (`ncn-mw#`) Given the client ID and secret, request a token from Keycloak. In the example below, replace the value assigned to `client_secret` with the actual client secret from the previous step. Because secrets do not expire (see the properties above), keep this value out of scripts, logs, and shell history; `-d @file` lets `curl` read it from a file instead.

        ```bash
        curl -s -d grant_type=client_credentials \
             -d client_id=admin-client \
             -d client_secret=2b0d6df0-183b-40e6-93be-51c7854388a1 \
             https://auth.cmn.SYSTEM_DOMAIN_NAME/keycloak/realms/shasta/protocol/openid-connect/token | python -mjson.tool
        ```

        Example output:

        ```json
        {
            "access_token": "ey...DA",
            "expires_in": 300,
            "not-before-policy": 0,
            "refresh_expires_in": 1800,
            "refresh_token": "ey...kg",
            "scope": "profile email",
            "session_state": "ca8ab15c-2378-40c1-8063-7a522274fce0",
            "token_type": "bearer"
        }
        ```

        Use the value of `access_token` to make requests.
2. (`linux#`) Present the token.

   To present the access token on a request, put it in the `Authorization` header of the request as a `Bearer` token. For example, with `access_token` replaced by the value from the token response:

   ```bash
   TOKEN=access_token
   curl -k -H "Authorization: Bearer ${TOKEN}" https://api-gw-service-nmn.local/apis/smd/hsm/v2/service/ready
   ```

   Example output:

   ```json
   {"code":0,"message":"HSM is healthy"}
   ```

   `-k` disables TLS certificate verification and should be dropped wherever the client trusts the CA that issued the gateway's certificate, so that the token is never sent to an unverified host. An HTTP 401 response means the gateway rejected the token (for example, because it has expired or been revoked); retrieve a fresh one and retry.
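Both grants and the bearer presentation above, as an added Python example that is not part of the CSM documentation or project code: it builds the form body for either grant, posts it to the token endpoint named on the page (a network call, left to the caller), and before presenting the token performs the two checks a practitioner wants: that the `azp` (authorized party) claim names the client the token was requested for, and that `exp` is not about to pass. The claim inspection decodes the JWT payload without verifying the signature, since the gateway is the party that verifies it. Function names, the constructed sample token and response, and the freshness threshold are assumptions; only the token URL and client IDs come from the page.

```python
"""Added example (not CSM documentation or project code): request a
Keycloak token for the shasta realm with either grant, inspect it, and
present it as a Bearer header. Names and sample data are assumptions."""
import base64
import json
import time
import urllib.parse
import urllib.request

# Token endpoint as written on the page; SYSTEM_DOMAIN_NAME is a placeholder.
TOKEN_URL = ("https://auth.cmn.SYSTEM_DOMAIN_NAME/keycloak/realms/shasta"
             "/protocol/openid-connect/token")


def token_request_body(client_id, client_secret=None,
                       username=None, password=None):
    """Form-encoded body for one of the two grants on the page:
    client_secret alone selects client_credentials (service account);
    username+password selects the resource owner password grant."""
    if client_secret is not None and username is None and password is None:
        fields = {"grant_type": "client_credentials",
                  "client_id": client_id,
                  "client_secret": client_secret}
    elif client_secret is None and username is not None and password is not None:
        fields = {"grant_type": "password",
                  "client_id": client_id,
                  "username": username,
                  "password": password}
    else:
        raise ValueError("give either client_secret or username+password")
    return urllib.parse.urlencode(fields).encode()


def request_token(body, token_url=TOKEN_URL, timeout=30):
    """POST the body to Keycloak and return the parsed JSON response.
    Network call, not exercised offline; TLS verification stays on."""
    req = urllib.request.Request(
        token_url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def _b64url_decode(segment):
    """Base64url-decode one JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(access_token):
    """Payload claims of a compact JWT, read WITHOUT signature verification;
    only for inspecting exp/azp before the gateway verifies the token."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def seconds_remaining(claims, now=None):
    """Seconds until the exp claim; negative once the token has expired."""
    now = time.time() if now is None else now
    return int(claims["exp"]) - int(now)


def check_token(token_response, expected_client, now=None, min_seconds=60):
    """Pre-flight checks before presenting a token; returns (ok, reason).
    azp is Keycloak's authorized-party claim: the client_id the token is for."""
    tok = token_response.get("access_token")
    if not tok or token_response.get("token_type", "").lower() != "bearer":
        return False, "response carries no bearer access_token"
    claims = jwt_claims(tok)
    if claims.get("azp") != expected_client:
        return False, "token issued to %r, not %r" % (claims.get("azp"),
                                                      expected_client)
    left = seconds_remaining(claims, now)
    if left < min_seconds:
        return False, "token expires in %d s" % left
    return True, "ok"


def bearer_header(access_token):
    """The Authorization header the gateways expect."""
    return {"Authorization": "Bearer " + access_token}


def _sample_jwt(claims):
    """Constructed, unsigned sample token (placeholder signature) for offline use."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".sig"


# Constructed stand-in for a Keycloak token response, shaped like the page's
# example output; the claim values are invented.
SAMPLE_RESPONSE = {
    "access_token": _sample_jwt({"azp": "admin-client", "iat": 1700000000,
                                 "exp": 1700000300}),
    "expires_in": 300,
    "token_type": "bearer",
}

if __name__ == "__main__":
    print(check_token(SAMPLE_RESPONSE, "admin-client", now=1700000000))
    print(bearer_header(SAMPLE_RESPONSE["access_token"]))
```

To use it against a live system, pass the output of `token_request_body(...)` to `request_token()` and feed the returned dictionary to `check_token()` before building the header; the `azp` check is what catches a token fetched with the `shasta` client being presented where `admin-client` was expected, and the `min_seconds` margin avoids sending a token that expires during the request.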