Merge pull request #8 from GenomicDataInfrastructure/7-gdi-dataset-di…

…scovery-service-spike-how-are-ls-aai-access-token-passport-and-visas-retrieved-via-keycloak 7 gdi dataset discovery service spike how are ls aai access token passport and visas retrieved via keycloak
GenomicDataInfrastructure · Apr 5, 2024 · 560f13d · 560f13d
2 parents e3e94f9 + 02f043b
commit 560f13d
Show file tree

Hide file tree

Showing 7 changed files with 133 additions and 5 deletions.
diff --git a/_http/.env.example b/_http/.env.example
@@ -0,0 +1,8 @@
+# SPDX-FileCopyrightText: 2024 PNED G.I.E.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+KEYCLOAK_HOST=https://keycloak-test.healthdata.nl
+KEYCLOAK_REALM=ckan
+KEYCLOAK_PROVIDER_ALIAS=LSAAI
+ACCESS_TOKEN=dummy
diff --git a/_http/.gitignore b/_http/.gitignore
diff --git a/_http/keycloak.http b/_http/keycloak.http
@@ -0,0 +1,6 @@
+# SPDX-FileCopyrightText: 2024 PNED G.I.E.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+GET {{$dotenv KEYCLOAK_HOST}}/realms/{{$dotenv KEYCLOAK_REALM}}/broker/{{$dotenv KEYCLOAK_PROVIDER_ALIAS}}/token
+Authorization: Bearer {{$dotenv ACCESS_TOKEN}}
diff --git a/src/main/openapi/beacon.yaml b/src/main/openapi/beacon.yaml
@@ -14,6 +14,13 @@ paths:
     post:
       summary: Searches for individuals based on criteria
       operationId: list_individuals
+      parameters:
+        - name: Authorization
+          in: header
+          description: The authorization header
+          required: true
+          schema:
+            type: string
       tags:
         - "beacon-query"
       requestBody:
@@ -28,6 +35,8 @@ paths:
             application/json:
               schema:
                 $ref: "#/components/schemas/BeaconIndividualsResponse"
+        "401":
+          description: "Unauthorized"
       security:
         - beacon_auth:
             - read:beacon
@@ -37,13 +46,22 @@ paths:
       operationId: list_filtering_terms
       tags:
         - "beacon-query"
+      parameters:
+        - name: Authorization
+          in: header
+          description: The authorization header
+          required: true
+          schema:
+            type: string
       responses:
         "200":
           description: A list of filtering terms
           content:
             application/json:
               schema:
                 $ref: "#/components/schemas/BeaconFilteringTermsResponse"
+        "401":
+          description: "Unauthorized"
       security:
         - beacon_auth:
             - read:beacon

diff --git a/src/main/openapi/ckan.yaml b/src/main/openapi/ckan.yaml
@@ -60,6 +60,12 @@ paths:
           required: false
           schema:
             type: string
+        - name: Authorization
+          in: header
+          description: The authorization header
+          required: false
+          schema:
+            type: string
       responses:
         "200":
           description: A list of packages matching the search criteria
@@ -80,6 +86,12 @@ paths:
           required: true
           schema:
             type: string
+        - name: Authorization
+          in: header
+          description: The authorization header
+          required: false
+          schema:
+            type: string
       responses:
         "200":
           description: The package with the specified ID

diff --git a/src/main/openapi/keycloak.yaml b/src/main/openapi/keycloak.yaml
@@ -0,0 +1,82 @@
+# SPDX-FileCopyrightText: 2024 PNED G.I.E.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+openapi: 3.0.3
+info:
+  title: Keycloak API
+  version: 1.0.0
+  description: This API allows to query the Keycloak identity provider
+servers:
+  - url: /
+paths:
+  /broker/{providerAlias}/token:
+    get:
+      summary: Retrieves tokens from the identity provider
+      operationId: retrive_idp_tokens
+      tags:
+        - "keycloak-query"
+      parameters:
+        - name: providerAlias
+          in: path
+          description: The alias of the identity provider
+          required: true
+          schema:
+            type: string
+        - name: Autorization
+          in: header
+          description: The authorization header
+          required: true
+          schema:
+            type: string
+      responses:
+        "200":
+          description: A list of packages matching the search criteria
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/KeycloakTokenResponse"
+        "401":
+          description: "Unauthorized"
+      security:
+        - keycloak_auth:
+            - read:token
+components:
+  securitySchemes:
+    keycloak_auth:
+      type: oauth2
+      description: This API uses OAuth 2 with the implicit grant flow.
+      flows:
+        authorizationCode:
+          tokenUrl: https://api.example.com/oauth2/token
+          authorizationUrl: https://api.example.com/oauth2/authorize
+          scopes:
+            read:token: read tokens
+  schemas:
+    KeycloakTokenResponse:
+      type: object
+      properties:
+        access_token:
+          type: string
+          title: The access token
+        expires_in:
+          type: integer
+          title: The expiration time of the token
+        refresh_expires_in:
+          type: integer
+          title: The expiration time of the refresh token
+        token_type:
+          type: string
+          title: The type of the token
+        id_token:
+          type: string
+          title: The ID token
+        not-before-policy:
+          type: integer
+          title: The not-before policy
+        scope:
+          type: string
+          title: The scope of the token
+        accessTokenExpiration:
+          type: integer
+          title: The expiration time of the access token
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
@@ -11,7 +11,6 @@ quarkus.keycloak.devservices.port=32794
 quarkus.wiremock.devservices.port=4000
 quarkus.oidc.client-id=backend-service
 quarkus.oidc.credentials.secret=secret
-# Enable Policy Enforcement
 quarkus.openapi-generator.codegen.spec.discovery_yaml.enable-security-generation=false
 quarkus.openapi-generator.codegen.spec.discovery_yaml.additional-model-type-annotations=@lombok.Data;@lombok.NoArgsConstructor;@lombok.AllArgsConstructor;@lombok.Builder
 quarkus.openapi-generator.codegen.spec.discovery_yaml.base-package=io.github.genomicdatainfrastructure.discovery
@@ -25,3 +24,10 @@ quarkus.openapi-generator.codegen.spec.beacon_yaml.enable-security-generation=fa
 quarkus.openapi-generator.codegen.spec.beacon_yaml.base-package=io.github.genomicdatainfrastructure.discovery.remote.beacon
 quarkus.openapi-generator.codegen.spec.beacon_yaml.additional-model-type-annotations=@lombok.Data;@lombok.NoArgsConstructor;@lombok.AllArgsConstructor;@lombok.Builder
 quarkus.openapi-generator.codegen.spec.beacon_yaml.generate-part-filename=false
+quarkus.openapi-generator.codegen.spec.keycloak_yaml.enable-security-generation=false
+quarkus.openapi-generator.codegen.spec.keycloak_yaml.base-package=io.github.genomicdatainfrastructure.discovery.remote.keycloak
+quarkus.openapi-generator.codegen.spec.keycloak_yaml.additional-model-type-annotations=@lombok.Data;@lombok.NoArgsConstructor;@lombok.AllArgsConstructor;@lombok.Builder
+quarkus.openapi-generator.codegen.spec.keycloak_yaml.generate-part-filename=false
+quarkus.rest-client.ckan_yaml.url=http://localhost:4000
+quarkus.rest-client.keycloak_yaml.url=http://localhost:4000
+quarkus.rest-client.beacon_yaml.url=http://localhost:4000