http-api

RESTful HTTP-API for the B2STAGE service inside the EUDAT project

View the Project on GitHub EUDAT-B2STAGE/http-api

Authentication via the B2ACCESS service

The B2STAGE HTTP-API uses the OAuth2 authorization framework to obtain limited access to B2ACCESS user accounts. It works by delegating user authentication to the service that hosts the user account (B2ACCESS), and authorizing third-party applications (B2STAGE HTTP-API) to access the user account.

Therefore, to use the B2STAGE HTTP-API service, you must first register a new B2ACCESS personal account and get valid credentials.

To manage B2STAGE HTTP-API authentication, the following endpoints are available:

Endpoints

  1. /auth/askauth - request an access token
  2. /auth/proxy - request a new proxy certificate

Authentication token

This operation is needed the very first time a user needs to get access to the B2STAGE HTTP-API and every time the B2ACCESS “access token” expires.

To get an authentication token:

  1. Visit the following URL via a web browser:

     <http_server:port>/auth/askauth

     You will be redirected to the B2ACCESS login page.

  2. Log in using your EUDAT credentials. You will be redirected to a web page where you are prompted to authorize the B2STAGE HTTP-API to access some user profile information.

  3. Click on “Confirm” to authorize the B2STAGE HTTP-API.

  4. You will be redirected to a page containing the authentication token, the B2SAFE home path and your B2SAFE username, as in the following example response:

{
  "Meta": {
    "data_type": "<class 'dict'>",
    "elements": 3,
    "errors": 0,
    "status": 200
  },
  "Response": {
    "data": {
      "b2safe_home": "/path/to/home/directory",
      "b2safe_user": "myusername",
      "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJocHdkIjpudWxsLCJleHAiOjE0ODI1NzQ2MjYsIm5iZiI6MTQ3OTk4MjYyNiwiaWF0IjoxNDc5OTgyNjI2LCJ1c2VyX2lkIjoiYjI3ZGM4ZDQtMWM4Yi00YjYxLWI2OWUtZjAzOWNlNGYyYjc2IiwianRpIjoiMDc0YjhiYmQtMDcwYy00MDQxLWJhN2UtMjRjZDE3NGZlODhhIn0.JQKXId5HocLF7FcHG5N8m_-aRxITw-XwfL33av5oQMY"
    },
    "errors": null
  }
}

The token received (in our example: “eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJocHdkIjpudWxsLCJleHAiOjE0ODI1NzQ2MjYsIm5iZiI6MTQ3OTk4MjYyNiwiaWF0IjoxNDc5OTgyNjI2LCJ1c2VyX2lkIjoiYjI3ZGM4ZDQtMWM4Yi00YjYxLWI2OWUtZjAzOWNlNGYyYjc2IiwianRpIjoiMDc0YjhiYmQtMDcwYy00MDQxLWJhN2UtMjRjZDE3NGZlODhhIn0.JQKXId5HocLF7FcHG5N8m_-aRxITw-XwfL33av5oQMY”) is needed for each HTTP request.

B2ACCESS CA Proxy Certificate

To interact with B2SAFE, the B2STAGE HTTP-API server uses an X.509 proxy certificate generated by the B2ACCESS Certification Authority. The proxy has a short duration (typically 12 hours) and needs to be regenerated once it has expired. When the proxy certificate expires, an error like the following is returned:

{
   "Meta":{
      "data_type":"<class 'NoneType'>",
      "elements":0,
      "errors":1,
      "status":500
   },
   "Response":{
      "data":null,
      "errors":[
         {
            "Expired proxy credential":"'/C=DE/L=B2ACCESS/O=FZJ/OU=JSC/CN=e280fe69-3753-4061-9d9d-c52aa34324eb/CN=Name Surnmae' became invalid 675 minutes ago.\nTo refresh the proxy make 'POST' on URI '/auth/proxy'"
         }
      ]
   }
}

To generate a new proxy certificate, send a POST request to the /auth/proxy endpoint as shown below:

$ curl -X POST \
  -H "Authorization: Bearer <auth_token>" \
  <http_server:port>/auth/proxy

Response if the proxy was successfully generated

{
  "Meta": {
    "data_type": "<class 'dict'>",
    "elements": 1,
    "errors": 0,
    "status": 200
  },
  "Response": {
    "data": {
      "Completed": "New proxy was generated."
    },
    "errors": null
  }
}

Response if the proxy is still valid

{
  "Meta": {
    "data_type": "<class 'dict'>",
    "elements": 1,
    "errors": 0,
    "status": 200
  },
  "Response": {
    "data": {
      "Completed": "Current proxy is still valid."
    },
    "errors": null
  }
}
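A client-side sketch of the two expiry cases described on this page (access token and proxy certificate), added here as an example and not taken from the B2STAGE HTTP-API code base. It assumes the token is a JWT carrying an `exp` claim, as the sample token above does, and `send` is a hypothetical transport callable supplied by the caller.

```python
import base64
import json
import time

# Error key shown in the page's sample "expired proxy" response.
EXPIRED_PROXY_KEY = "Expired proxy credential"


def token_expiry(token):
    """Read the 'exp' claim (Unix time) from the JWT payload without verifying it.

    The client does not hold the server's signing key, so this is only a hint
    for when to repeat the /auth/askauth flow; the server stays the authority.
    """
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))["exp"]


def proxy_expired(body):
    """True if a parsed response envelope reports an expired proxy certificate."""
    errors = (body.get("Response") or {}).get("errors") or []
    return any(isinstance(e, dict) and EXPIRED_PROXY_KEY in e for e in errors)


def call_api(send, method, path, token, now=None):
    """Send one request; on an expired proxy, POST /auth/proxy once and retry.

    `send(method, path, headers)` is a hypothetical transport that returns the
    parsed JSON body. It is injected so the logic can be exercised offline.
    """
    now = time.time() if now is None else now
    if token_expiry(token) <= now:
        raise PermissionError("access token expired: repeat the /auth/askauth flow")
    headers = {"Authorization": f"Bearer {token}"}
    body = send(method, path, headers)
    if proxy_expired(body):
        refresh = send("POST", "/auth/proxy", headers)
        if refresh["Meta"]["status"] != 200:
            raise RuntimeError(f"proxy refresh failed: {refresh['Response']['errors']}")
        body = send(method, path, headers)  # retry exactly once, never loop
    return body
```

Keep the bearer token out of logs and shell history when wiring in a real transport, since anyone holding it can act as the user until `exp`.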