Retrieve a token for authenticating to the API gateway.
The following are important properties of authentication tokens:
The API gateway uses OAuth2 for authentication. A token is required to authenticate with this gateway.
Some of the example commands pipe their output to
python -mjson.tool
. This is not required; it is simply used to format the output for readability.
Retrieve a token.
Retrieving a token depends on whether the request is based on a regular user (as defined directly in Keycloak or backed by LDAP) or a service account.
Resource owner password grant (user account)
In this case, the user account flow requires the username, password, and the client ID.
In the example below, replace myuser
, mypass
, and shasta
in the command with site-specific values. The shasta
client is created during the CSM install process.
ncn-mw# curl -s -d grant_type=password \
-d client_id=shasta \
-d username=myuser \
-d password=mypass \
https://api-gw-service-nmn.local/keycloak/realms/shasta/protocol/openid-connect/token |
python -mjson.tool
Example output:
{
"access_token": "ey...IA",
"expires_in": 300,
"not-before-policy": 0,
"refresh_expires_in": 1800,
"refresh_token": "ey...qg",
"scope": "profile email",
"session_state": "10c7d2f7-8921-4652-ad1e-10138ec6fbc3",
"token_type": "bearer"
}
Use the value of access_token
to make requests.
Client credentials (service account)
The client credentials flow requires a client ID and client secret.
There are a couple of ways to use a service account:
The client ID is admin-client
.
The client secret is generated during the install and put into a Kubernetes secret named admin-client-auth
.
Retrieve the client secret from this secret as follows:
ncn-mw# echo "$(kubectl get secrets admin-client-auth -ojsonpath='{.data.client-secret}' | base64 -d)"
Example output:
2b0d6df0-183b-40e6-93be-51c7854388a1
Given the client ID and secret, the user can retrieve a token by requesting one from Keycloak.
In the example below, replace the string being assigned to client_secret
with the actual client secret from the previous step.
ncn-mw# curl -s -d grant_type=client_credentials \
-d client_id=admin-client \
-d client_secret=2b0d6df0-183b-40e6-93be-51c7854388a1 \
https://api-gw-service-nmn.local/keycloak/realms/shasta/protocol/openid-connect/token |
python -mjson.tool
Expected output:
{
"access_token": "ey...DA"
"expires_in": 300,
"not-before-policy": 0,
"refresh_expires_in": 1800,
"refresh_token": "ey...kg",
"scope": "profile email",
"session_state": "ca8ab15c-2378-40c1-8063-7a522274fce0",
"token_type": "bearer"
}
Use the value of access_token
to make requests.
Present the token.
To present the access token on the request, put it in the Authorization
header on the request as a Bearer
token.
For example:
ncn# TOKEN=access_token
ncn# curl -H "Authorization: Bearer $TOKEN" https://api-gw-service-nmn.local/apis/capmc/capmc/get_node_rules
Example output:
{
"e":0,
"err_msg":"",
"latency_node_off":60,
"latency_node_on":120,
"latency_node_reinit":180,
"max_off_req_count":-1,
"max_off_time":-1,
"max_on_req_count":-1,
"max_reinit_req_count":-1,
"min_off_time":-1
}