Frequently Asked Questions

How to create client for a web application?


How to get client ID and Client secret?


How to configure client?

Make sure the Serpense ID client library is available.

The sample below configures the box server. It assumes you have already registered a client and obtained the client id and client secret from the Serpense ID service, and that your application references the Serpense Client library.

Add the following import to reference the Serpense Client library:


    #MAGEN CLIENT LIBRARY START
    from magen_id_client.lib.magen_client import SerpenseClient
    #MAGEN CLIENT LIBRARY END

1. First, create the connected_app as follows:


    ###### MAGEN ID Related Code START #########
    # boxServer is the application server object being configured (see above)
    magen_client = SerpenseClient(boxServer)

    issuer = 'https://ids.clus16-magen.com'
    # issuer = 'https://ec2-54-197-228-163.compute-1.amazonaws.com'
    # issuer = 'https://localhost:5229'
    # Sample credentials obtained at client registration; in a real deployment
    # load the secret from configuration or the environment, not from source.
    client_id = 'RnMgyXCfK5d6G5vdwEIO44HCULMf1JUGpTlahH5x5SJ86O7zNbPiVNHvL7iA'
    client_secret = 'q5zMIuwOiWWV97UufiRXdjFOhbWhNx'
    alg = 'HS256'
    request_token_params = {'scope': 'email,profile'}
    scopes = 'openid,profile,address'

    connected_app = magen_client.register_client_app(
        'box_magen_agent',
        issuer=issuer,
        client_id=client_id,
        client_secret=client_secret,
        # callback_uri="https://anntest.clus16-magen.com:5002/oauth/callback",
        callback_uri="https://mlipmandev.clus16-magen.com/oauth/callback",
    )


How to get magen_id_token?

2. Make an authorize call as follows:


    # login_username and access_token come from the preceding login step;
    # this call is normally made inside the login view, hence the return.
    connected_app.setRedirectUri("https://mlipmandev.clus16-magen.com/oauth/callback")
    return connected_app.authorize(username=login_username, access_token=access_token)

This call returns a JSON payload that contains the magen_id_token:



    {
      "access_token": "81330b1000894573a0c02b42a4a763b4",
      "expires_in": 3600,
      "magen_client_id": "985a69866e8149cbd3fb76a2bff567a6",
      "magen_id_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJtaWNob3dkaEBjaXNjby5jb20iLCJhdXRoX3RpbWUiOjE0NzMyODQ4NDEsImF1ZCI6InlPaEZMRW0xVGRWdzFwdFh3UjZUcjZabmR1dlR0YjlqTDE3TVZGNlhkS2VXN3BJY0NiUEdaZVhNeWNOVyIsImlzcyI6Imh0dHBzOi8vZWMyLTU0LTE5Ny0yMjgtMTYzLmNvbXB1dGUtMS5hbWF6b25hd3MuY29tIiwiaWF0IjoxNDc0NjQxMjg0LCJub25jZSI6IjM4MDRGNjFENzExQzQ0RUI5MEUzQTU2MjBCRjk4NjBGIiwiZXhwIjoxNDc0NjQ1Mjg0fQ.C6QaKo9ZI7xWda5kW-8eIpmuKOHpMtUpSAS6vnUPIAE",
      "refresh_token": "e5879f73ca3a443294954d3392aea503",
      "token_type": "bearer"
    }


How to validate magen_id_token?

Make a GET request to the Serpense ID service; the following library call performs it for you:



    user_client_info_json = connected_app.validate_mid_token_against_id_service(magen_id_token)

This returns the user and client information as a Python dict (shown below in its Python representation, which is why it contains datetime and None values):



    {
        'registered_on': datetime.datetime(2016, 10, 18, 19, 30, 56, 344000),
        'magen_client_id': 'f188e24bcf844dfed15978931bfbdd5c',
        'department': '',
        'idp': 'serpense_box',
        'exp': 1478551120,
        'email_verified': 'true',
        'picture': None,
        'group': 'standard',
        'aud': 'RnMgyXCfK5d6G5vdwEIO44HCULMf1JUGpTlahH5x5SJ86O7zNbPiVNHvL7iA',
        'role': '',
        'iss': 'https://ids.clus16-magen.com',
        'last_name': '',
        'username': 'asambors@bu.edu',
        'sub': 'asambors@bu.edu',
        'iat': 1478547120,
        'locale': None,
        'first_name': ''
    }


Do I need to validate magen_id_token?

The Serpense architecture is built from multiple layers of microservices and APIs, and each layer is isolated from the others. In such an environment a delegation protocol is the best way to maintain federated identity.

The Serpense ID service is responsible for maintaining federated identity across the same or an external security domain using a delegation protocol. In the real world, delegation means authorizing someone to do something on your behalf. On the web the idea is the same, and it also means being able to offer, accept, or deny an exchange of data. Delegation protocols such as OAuth, OpenID Connect and SAML combine the benefits of isolated deployment with the ease of a federated identity.

The Serpense ID service is built on the OpenID Connect protocol in order to give the client something more than the opaque access token provided by the OAuth flow: along with the Access Token, the Serpense ID service returns a Serpense ID Token to the client. The ID token carries information about the user, such as how they authenticated, their name and email, and any number of custom data points. It takes the form of a JSON Web Token (JWT), an encoded and signed set of JSON documents consisting of a header, a body and a signature appended to the message: Data + Signature = JWT.

Using a JWT, you can obtain the public part of the issuer's certificate, validate the signature, and confirm that this authentication session was really issued, verifying that the user has been authenticated. An important facet of this approach is that ID tokens establish trust between the Authorization Server/OpenID Connect Provider and the Client.

A JWT is efficient because it removes the need for a further call to fetch information about the authenticated user. The downside is that this user information is easy to read: the body is only encoded, not encrypted, so anyone who obtains the token can read those claims, which exposes the data to unnecessary risk.

To limit this exposure, it is highly recommended to validate the magen_id_token whenever the token is passed from one microservice to another.
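The two sections above describe the ID token as header, body and signature, note that the body is readable by anyone, and say the signature must be validated before the token is trusted between microservices. The Python below is an added example, not code from the Serpense/Magen client library: it decodes the claims of the sample magen_id_token shown earlier on this page without any key (which is the exposure the text warns about), and then performs the local checks a verifier makes on an HS256 ID token: pinned algorithm, HMAC-SHA256 signature, iss, aud and exp. The signing key, issuer, audience and claims of the minted token are constructed values. In OpenID Connect an HS256 ID token is signed with the client_secret; whether the Serpense ID service does exactly this is an assumption here, and in practice the library's validate_mid_token_against_id_service call asks the ID service to do this checking for you.

```python
import base64
import hashlib
import hmac
import json
import time

# Added example; not code from the Serpense/Magen client library.
# A magen_id_token is a JWT: base64url(header).base64url(claims).base64url(signature)

# Token copied verbatim from the FAQ's sample authorize() response.
PAGE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"
    "."
    "eyJzdWIiOiJtaWNob3dkaEBjaXNjby5jb20iLCJhdXRoX3RpbWUiOjE0NzMyODQ4NDEsImF1ZCI6InlPaEZMRW0xVGRWdzFwdFh3UjZUcjZabmR1dlR0YjlqTDE3TVZGNlhkS2VXN3BJY0NiUEdaZVhNeWNOVyIsImlzcyI6Imh0dHBzOi8vZWMyLTU0LTE5Ny0yMjgtMTYzLmNvbXB1dGUtMS5hbWF6b25hd3MuY29tIiwiaWF0IjoxNDc0NjQxMjg0LCJub25jZSI6IjM4MDRGNjFENzExQzQ0RUI5MEUzQTU2MjBCRjk4NjBGIiwiZXhwIjoxNDc0NjQ1Mjg0fQ"
    "."
    "C6QaKo9ZI7xWda5kW-8eIpmuKOHpMtUpSAS6vnUPIAE"
)


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def unverified_parts(token: str):
    """Read header and claims WITHOUT checking the signature. Anyone holding
    the token can do this: the body is base64url-encoded, not encrypted."""
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def mint_hs256_token(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT over constructed claims (stands in for the ID service)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_hs256_id_token(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Return the claims if the token is authentic and valid for this client;
    raise ValueError with the reason otherwise. Order: alg, signature, iss, aud, exp."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the token must never choose it (rejects "none" and
    # attempts to pass a token signed with a different algorithm).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("token not issued for this client")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def rejection_reason(token, key, issuer, audience, now=None):
    """None if the token verifies, otherwise the reason it was rejected."""
    try:
        verify_hs256_id_token(token, key, issuer, audience, now)
        return None
    except ValueError as err:
        return str(err)


def tamper_sub(token: str, new_sub: str) -> str:
    """Rewrite the 'sub' claim but keep the original signature. This is easy
    because the body is plain base64url; the signature check must catch it."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims["sub"] = new_sub
    return f"{header_b64}.{b64url_encode(json.dumps(claims).encode())}.{sig_b64}"


if __name__ == "__main__":
    header, claims = unverified_parts(PAGE_TOKEN)
    print("readable with no key at all:", header["alg"], claims["sub"], claims["iss"])

    # Constructed key and claims; the real key is whatever the ID service signs with.
    KEY = b"constructed-demo-secret"
    CLAIMS = {"iss": "https://ids.example", "aud": "client-abc",
              "sub": "alice@example.org", "iat": 1000, "exp": 4600}
    token = mint_hs256_token(CLAIMS, KEY)
    print("genuine token:", rejection_reason(token, KEY, "https://ids.example", "client-abc", now=2000))
    print("edited sub:", rejection_reason(tamper_sub(token, "mallory@example.org"), KEY,
                                          "https://ids.example", "client-abc", now=2000))
    print("after expiry:", rejection_reason(token, KEY, "https://ids.example", "client-abc", now=5000))
```

Two things worth noticing when you run it: the page's sample token names the ec2 issuer that is commented out in the configuration sample, so an iss check against the configured issuer would reject it even if the signature were right, which is exactly the kind of mismatch validation is there to catch; and the alg pin plus constant-time HMAC comparison are what make the readable body safe to trust once, and only once, the signature verifies.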


What is Proof of Possession (PoP)?

Please read

How to register a user?

Currently, the Serpense ID service does not provide an interface for registering a new user. All users are managed by the backend Active Directory or another directory service, so for now please email Mizan Chowdhury at varset engineering to register a new user.