Clients
Client Applications
LabShare Auth applications (aka OpenID Connect Clients) can be registered using the admin Client REST APIs or through the Auth Admin UI Apps dashboard.
The following application types are currently supported: Native, Web, SAML, and WSFed.
Single Page Apps
LabShare Auth supports the Implicit Grant OAuth2 flow for Single Page Applications.
Server-side Web Applications
LabShare Auth supports the Authorization Code Grant OAuth2 flow for traditional server-side web application.
- Register a “web” client on the applications dashboard of the Auth UI.
- Obtain the a new application’s client ID and client secret and store them securely on the web application server.
- Use the
GET /auth/{tenantID}/authorizeendpoint to obtain an Authorization Code and then exchange it for an access token via thePOST /auth/{tenantID}/tokenendpoint.
LabShare Auth OAuth2 Client Authorization
As an Authorization server, LabShare Auth provides layered authorization options for OAuth Clients, Resource Servers (APIs), and Users registered to the system.
Web and Native Apps
To create a new Web client or a new Native client, these are a few required fields:
- Client name
- Client id
- Grant types
- Response types
- Callback URLs
- Post-logout redirect URLs
- Identity Providers
The other fields can be left blank when first creating the client.
| Field | Description | Example |
|---|---|---|
| Name | Human-friendly name of the client application | My Sample App |
| Client Id | A unique string | my-sample-app |
| Application Type | Choose between: SAML, WSFed, Web, or Native | web |
| Callback URLs | An array of callback URLs. For web clients, must use HTTPS | https://localhost:5000 |
| Post Logout Redirect URLs | An array of logout redirect URLs | https://local.mylocal.org:3001 |
| Federated Logout | ||
| Show Logout Prompt | ||
| Legacy Application Compatibility | ||
| Client AD Groups | The active directory user groups | ad_group1 |
| Response Types | The types of responses: code, id_token, id_token token, code id_token, code token, code id_token token | code id_token |
| Grant Types | The types of grants: authorization_code, implicit, refresh_token, client_credentials | |
| Token Endpoint Auth Method | The auth method: client_secret_post, client_secret_basic, client_secret_jwt, private_key_jwt, none | |
| Providers | The list of available providers |
Sample Web Client
{
"id": 45654,
"clientId": "imported-client-id",
"clientSecret": "1234567-0f56-4a3c-b641-123456789012",
"name": "imported-client-name",
"description": "This client was imported from sample-import-web-client.json.",
"clientUri": "https://imported.localhost:8080",
"config": {
"grantTypes": [
"implicit",
"refresh_token"
],
"responseTypes": [
"code id_token"
],
"callbackUrls": [
"https://imported.localhost:8080/callback"
],
"postLogoutRedirectUris": [
"https://imported.localhost:8080/post-logout"
],
"tokenEndpointAuthMethod": "client_secret_jwt",
"logout": {
"frontchannelLogout": {
"enabled": false
},
"showLogoutPrompt": true
},
"featureToggles": {
"enableLegacyApplicationCompatibility": false
},
"adGroups": [
"admins",
"group_of_imported_clients"
],
"restrictAccess": {
"byEmail": {
"blacklist": [
"bl1@email.com",
"bl2@email.com"
],
"whitelist": [
"wl1@email.com",
"wl2@email.com"
]
},
"byIdentityProvider": []
}
},
"loginEventSettings": null,
"metadata": {
"src": "/src/templates/sample-import-web-client.json"
},
"tenantId": 1,
"type": "web",
"createdOn": "2020-09-10T18:23:21.000Z"
}
SAML Client Apps
To create a new SAML client, these are the required fields:
- Name
- Client id
- Identity provider.
You can use preset configurations for AWS, ZOOM, and Jira. You can also leave the configuration empty.
Application Settings
| Field | Description | Example |
|---|---|---|
| Name | The user-friendly name of the client application | Test SAML App |
| Client ID | The unique client id | test-saml-app |
| Application Type | The application type | saml |
| Signing Certificate | A .pem file | none selected |
| Providers | The list of available providers | |
| Config | The SAML configuration. See some preset configs for AWS, Zoom, and Jira, below. |
Preset AWS Configuration
{
"adGroups": [],
"scripts": {
"checkAuthorization": "",
"mapClaims": ""
},
"restrictAccess": {
"byEmail": {
"blacklist": [],
"whitelist": []
}
},
"signingCert": "",
"cert": "-----BEGIN CERTIFICATE-----\r\n12345678\r\n-----END CERTIFICATE-----\r\n",
"key": "-----BEGIN RSA PRIVATE KEY-----\r\n12345678\r\n-----END RSA PRIVATE KEY-----\r\n"
}
Preset ZOOM Configuration
{
"audience": "https://example.zoom.us/saml/SSO",
"recipient": "https://example.zoom.us/saml/SSO",
"destination": "https://example.zoom.us/saml/SSO"
}
Preset Jira Configuration
{
"audience": "https://id.atlassian.com/login",
"recipient": "https://id.atlassian.com/login/saml/acs",
"relayState": "https://tenant.atlassian.net",
"destination": "https://id.atlassian.com/login/saml/acs",
"nameIdentifierFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress",
"nameIdentifierProbes": [
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
]
}
Sample SAML Client
{
"id": 2283,
"clientId": "samltestid",
"clientSecret": "asdfnfL7SgKSa123456789012",
"name": "SAMLTestid",
"description": "my test app",
"clientUri": "test.com",
"config": {
"signingCert": "",
"scripts": {
"mapClaims": "module.exports = function ({secrets: {claims}}, callback) {\n // Map claims to assertion URIs. \n var mappedClaims = {};\n // copy claims to mapped claims\n console.log(\"SAML Test -- pre-mapped claims: \", JSON.stringify(claims));\n console.log(\"{ \\\"labels\\\": [ \\\"log_test\\\", \\\"auth_test\\\" ], \\\"message\\\": \\\"Test message\\\" }\");\n if (claims.email==='ignacio@coolurl.io') {\n const error = new Error('User blocked by scripted rule. ' + claims.email);\n error.status = error.statusCode = 403;\n error.expose = true;\n callback(error, null);\n } else \n {\n Object.assign(mappedClaims, claims);\n mappedClaims['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email'] = claims.email;\n mappedClaims['http://schemas.xmlsoap.org/claims/upn'] = claims.uuid;\n mappedClaims['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/provider'] = claims.provider;\n callback(null, mappedClaims);\n }\n}"
},
"adGroups": [],
"restrictAccess": {
"byEmail": {
"blacklist": [],
"whitelist": []
},
"byIdentityProvider": [
{
"name": "google",
"byEmail": {
"whitelist": [
"one@acme.com",
"another@acme.com"
]
}
}
]
},
"logout": {
"callback": "https://samltest.id/idp/profile/SAML2/Redirect/SLO"
},
"audience": "https://samltest.id/saml/sp",
"recipient": "https://samltest.id/Shibboleth.sso/SAML2/POST",
"destination": "https://samltest.id/Shibboleth.sso/SAML2/POST",
"callbackUrls": [],
"lifetimeInSeconds": 7200,
"nameIdentifierFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
"cert": "-----BEGIN CERTIFICATE-----\r\nMIICiTCCA.....Ay0lCfok=\r\n-----END CERTIFICATE-----\r\n",
"key": "-----BEGIN RSA PRIVATE KEY-----\r\nMIICXQIBAAK...8oEcEjBU\r\n-----END RSA PRIVATE KEY-----\r\n"
},
"loginEventSettings": null,
"metadata": {},
"tenantId": 1,
"type": "saml",
"createdOn": "2020-04-28T20:04:40.000Z",
"activeX509CertificateFingerprint": null
}
WSFed Client Apps
To create a new WSFed client, these are the required fields:
- Name
- Client id
- Identity provider.
Application Settings
| Field | Description | Example |
|---|---|---|
| Name | The user-friendly name of the client application | Test WSFed App |
| Client ID | The unique client id | test-wsfed-app |
| Application Type | The application type | wsfed |
| Signing Certificate | A .pem file | none selected |
| Providers | The list of available providers | |
| Config | The WSFed configuration. See the preset configs below. |
Preset Configuration
{
"key": "-----BEGIN RSA PRIVATE KEY-----\r\n12345678\r\n-----END RSA PRIVATE KEY-----\r\n",
"cert": "-----BEGIN CERTIFICATE-----\r\n12345678\r\n-----END CERTIFICATE-----\r\n",
"sites": [],
"adGroups": [],
"restrictAccess": {
"byEmail": {
"blacklist": [],
"whitelist": []
}
},
"lifetimeInSeconds": 28800
}
Sample WSFed Client
{
"id": 29485,
"clientId": "a-ci-wsfed-test",
"clientSecret": "1234567-6b85-43eb-9777-123456789012",
"name": "My WSFed Test app",
"description": null,
"clientUri": null,
"config": {
"key": "-----BEGIN RSA PRIVATE KEY-----\r\nMIICW.....u25N9hH98xw==\r\n-----END RSA PRIVATE KEY-----\r\n",
"cert": "-----BEGIN CERTIFICATE-----\r\nMIIB8TCCAx....ZHrp1Xy72\r\n-----END CERTIFICATE-----\r\n",
"sites": [],
"adGroups": [],
"restrictAccess": {
"byEmail": {
"blacklist": [],
"whitelist": []
}
},
"lifetimeInSeconds": 28800
},
"loginEventSettings": null,
"metadata": {},
"tenantId": 1,
"type": "wsfed",
"createdOn": "2019-10-02T14:21:23.000Z",
"activeX509CertificateFingerprint": null,
"lastClientSecretUpdate": "2021-01-07T20:59:30.000Z",
"clientSecretExpirationHasBeenNotified": false,
"notifyExpirationBeforeSeconds": 0,
"secretLifetimeInSeconds": null,
"lastClientSecretExpirationNotifiedDate": null,
"loginPages": [
{
"id": 50,
"tenantId": 1,
"config": {
"panel": {
"banner": null
},
"footer": {
"banner": null
},
"disclaimer": {
"enabled": false,
"text": ""
},
"images": []
},
"clientId": 1891,
"createdAt": "2020-08-19T22:17:01.000Z",
"updatedAt": "2020-08-19T22:17:01.000Z"
}
],
"creationEnv": "a-ci.labshare.org"
}
Creating a new Client
To create a new client, visit here.