Update client_credentials and user.yaml docs #1082

Merged (3 commits), Mar 23, 2023
2 changes: 1 addition & 1 deletion README.md
@@ -541,7 +541,7 @@ The optional `--expires-in` parameter allows specifying the number of *days* unt

NOTE: In Gen3, you can grant specific access to a client the same way you would to a user. See the [user.yaml guide](https://github.com/uc-cdis/fence/blob/master/docs/user.yaml_guide.md) for more details.

NOTE: Client credentials tokens are not linked to a user. They are not supported by all Gen3 endpoints.
NOTE: Client credentials tokens are not linked to a user (the claims contain no `sub` or `context.user.name` like other tokens). Some Gen3 endpoints that assume the token is linked to a user, or whose logic require there being a user, do not support them. For an example of how to adapt an endpoint to support client credentials tokens, see [here](https://github.com/uc-cdis/requestor/commit/a5078fae27fa258ac78045cf2bb89cb2104f53cf). For an example of how to explicitly reject client credentials tokens, see [here](https://github.com/uc-cdis/requestor/commit/0f4974c25343d2185c7cdb48dcdeb58f97800672).

#### Modify OAuth Client

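Review bot: the added NOTE (the line beginning `NOTE: Client credentials tokens are not linked to a user`) should spell out what "do not support them" means for an endpoint that was never adapted: an explicit 4xx rejection is very different from an unhandled error in code that dereferences a missing `sub` or `context.user.name`. Since the note already links a commit showing how to explicitly reject client credentials tokens, it could recommend that as the default for any endpoint whose logic needs a user, rather than leaving the behaviour implicit. Minor grammar on the same line: "whose logic require there being a user" should read "whose logic requires a user".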
8 changes: 8 additions & 0 deletions docs/user.yaml_guide.md
@@ -143,6 +143,14 @@ The resource tree contains, among other resources, the programs and projects cre
```
Policies would refer to this resource as `/programs/program1/projects/P1`.

There are several ways to attach a policy to a user:
- In the `users` section, under the appropriate username, in the list of `policies`;
- In the `groups` section, add the username to the group's `users` and the policy to the group's `policies`;
- In the `anonymous_policies` group, add policies that anyone should have (there is no need to set specific usernames in this case);
- In the `all_users_policies` group, add policies that all logged in users should have (there is no need to set specific usernames in this case).

Policies can also be attached to Fence OIDC clients in the `clients` section. Use the client's `name` (not `client_id`) to grant access to a client.

### Programs and projects CRUD access

```
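Review bot: the new `clients` paragraph ("Policies can also be attached to Fence OIDC clients in the `clients` section. Use the client's `name` (not `client_id`) ...") tells the reader which key to use but not the shape of the entry; a short fenced YAML snippet showing a `clients` entry keyed by client `name` with its `policies` list, in the same style as the other examples in this guide, would remove the guesswork. It should also state which tokens a client policy applies to: only the client's client_credentials tokens, or also tokens issued to users who log in through that client. The README change in this same PR says client credentials tokens carry no user, so the distinction matters for anyone reasoning about what access a `clients` entry actually grants.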