Retrieve a token for authenticating to one of the API gateways, for the shasta realm.
The following are important properties of authentication tokens:
The API gateways use OAuth2 for authentication. A token is required to authenticate with one of the gateways.
There are multiple API gateways that are used to access services from the different networks.
services-gateway accessible at api.nmnlb.SYSTEM_DOMAIN_NAME or api-gw-service-nmn.localcustomer-admin-gateway accessible at api.cmn.SYSTEM_DOMAIN_NAMEcustomer-user-gateway accessible at api.can.SYSTEM_DOMAIN_NAME or api.chn.SYSTEM_DOMAIN_NAMEThe appropriate token must be retrieved from the gateway to access services on that gateway.
Some of the example commands pipe their output to
python -mjson.tool. This is not required; it is simply used to format the output for readability.
Retrieve a token.
Retrieving a token depends on whether the request is based on a regular user (as defined directly in Keycloak or backed by LDAP) or a service account.
Resource owner password grant (user account)
In this case, the user account flow requires the username, password, and the client ID.
In the example below, replace myuser, mypass, and shasta in the command with site-specific values. The shasta client is created during the CSM install process.
curl -s -d grant_type=password \
-d client_id=shasta \
-d username=myuser \
-d password=mypass \
https://auth.cmn.SYSTEM_DOMAIN_NAME/keycloak/realms/shasta/protocol/openid-connect/token |
python -mjson.tool
Example output:
{
"access_token": "ey...IA",
"expires_in": 300,
"not-before-policy": 0,
"refresh_expires_in": 1800,
"refresh_token": "ey...qg",
"scope": "profile email",
"session_state": "10c7d2f7-8921-4652-ad1e-10138ec6fbc3",
"token_type": "bearer"
}
Use the value of access_token to make requests.
Client credentials (service account)
The client credentials flow requires a client ID and client secret.
There are a couple of ways to use a service account:
The client ID is admin-client.
The client secret is generated during the install and put into a Kubernetes secret named admin-client-auth.
(ncn-mw#) Retrieve the client secret from this secret as follows:
echo "$(kubectl get secrets admin-client-auth -ojsonpath='{.data.client-secret}' | base64 -d)"
Example output:
2b0d6df0-183b-40e6-93be-51c7854388a1
(ncn-mw#) Given the client ID and secret, the user can retrieve a token by requesting one from Keycloak.
In the example below, replace the string being assigned to client_secret with the actual client secret from the previous step.
curl -s -d grant_type=client_credentials \
-d client_id=admin-client \
-d client_secret=2b0d6df0-183b-40e6-93be-51c7854388a1 \
https://auth.cmn.SYSTEM_DOMAIN_NAME/keycloak/realms/shasta/protocol/openid-connect/token |
python -mjson.tool
Expected output:
{
"access_token": "ey...DA"
"expires_in": 300,
"not-before-policy": 0,
"refresh_expires_in": 1800,
"refresh_token": "ey...kg",
"scope": "profile email",
"session_state": "ca8ab15c-2378-40c1-8063-7a522274fce0",
"token_type": "bearer"
}
Use the value of access_token to make requests.
(linux#) Present the token.
To present the access token on the request, put it in the Authorization header on the request as a Bearer token.
For example:
TOKEN=access_token
curl -k -H "Authorization: Bearer ${TOKEN}" https://api-gw-service-nmn.local/apis/smd/hsm/v2/service/ready
Example output:
{"code":0,"message":"HSM is healthy"}