Commit

Update client_credentials and user.yaml docs (#1082)
paulineribeyre authored Mar 23, 2023
1 parent cc7bad6 commit 5f72a06
Showing 2 changed files with 9 additions and 1 deletion.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -541,7 +541,7 @@ The optional `--expires-in` parameter allows specifying the number of *days* unt

NOTE: In Gen3, you can grant specific access to a client the same way you would to a user. See the [user.yaml guide](https://github.com/uc-cdis/fence/blob/master/docs/user.yaml_guide.md) for more details.

NOTE: Client credentials tokens are not linked to a user. They are not supported by all Gen3 endpoints.
NOTE: Client credentials tokens are not linked to a user (the claims contain no `sub` or `context.user.name` like other tokens). Some Gen3 endpoints that assume the token is linked to a user, or whose logic require there being a user, do not support them. For an example of how to adapt an endpoint to support client credentials tokens, see [here](https://github.com/uc-cdis/requestor/commit/a5078fae27fa258ac78045cf2bb89cb2104f53cf). For an example of how to explicitly reject client credentials tokens, see [here](https://github.com/uc-cdis/requestor/commit/0f4974c25343d2185c7cdb48dcdeb58f97800672).

#### Modify OAuth Client

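Review bot: In the replacement NOTE line, "whose logic require there being a user" should read "whose logic requires a user", and the two bare "see [here]" links give the reader no way to tell which commit is which before clicking; use descriptive link text such as "see the requestor commit that adapts an endpoint" and "the requestor commit that explicitly rejects them". It would also help to state the practical consequence alongside "the claims contain no `sub` or `context.user.name`": an endpoint that reads `sub` or `context.user.name` must check for their absence rather than assume they are present, which is exactly the situation the two linked commits handle.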
8 changes: 8 additions & 0 deletions docs/user.yaml_guide.md
Expand Up @@ -143,6 +143,14 @@ The resource tree contains, among other resources, the programs and projects cre
```
Policies would refer to this resource as `/programs/program1/projects/P1`.

There are several ways to attach a policy to a user:
- In the `users` section, under the appropriate username, in the list of `policies`;
- In the `groups` section, add the username to the group's `users` and the policy to the group's `policies`;
- In the `anonymous_policies` group, add policies that anyone should have (there is no need to set specific usernames in this case);
- In the `all_users_policies` group, add policies that all logged in users should have (there is no need to set specific usernames in this case).

Policies can also be attached to Fence OIDC clients in the `clients` section. Use the client's `name` (not `client_id`) to grant access to a client.

### Programs and projects CRUD access

```
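Review bot: The new `clients` paragraph states the rule (use the client's `name`, not `client_id`) but, unlike the surrounding sections of this guide, which use fenced YAML snippets, gives no example of what a `clients` entry looks like; a short snippet showing a client name with its `policies` list would make the `name` vs `client_id` distinction concrete and copyable. Minor wording in the added list: "all logged in users" should be "all logged-in users".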
