Configuring Centrify Service OAuth for Centrify CLI - centrify/centrifycli GitHub Wiki
Centrify OAuth Service for Centrify CLI
Before Centrify CLI can use OAuth against the service, the service must be configured. To configure the service, perform the steps below. The following sections describe the Centrify OAuth service components:
- Adding the OAuth Web Application
- Using OAuth With Centrify CLI
Adding the OAuth Web Application
To add the OAuth web application, perform the following steps:
- In the management console, navigate to Apps > Web Apps, then click Add Web Apps.
- Select Custom, then search for and add OAuth Client.
- Update the settings of the OAuth Client application as follows:
  - Under the Settings tab:
    - Application ID: Set to "CentrifyCLI" (Centrify CLI defaults to this value).
  - Under the General tab:
    - Issuer: Set to your fully-qualified tenant URL (example: https://myco.mycentrify.com/).
    - Client ID Type: Confidential.
    - Uncheck the 'Must be OAuth Client' checkbox. Note: You can create a special cloud OAuth user just for this purpose.
  - Under the Tokens tab:
    - Check 'Client Credentials' under 'Auth Methods'. You can uncheck the other 'Auth Methods' if desired.
    - You can accept the defaults or change the token lifetime. To reduce re-authentication (which requires human intervention), you may prefer a longer token lifetime.
  - Under the Scope tab:
    - Add a scope named "ccli". That is the only scope the application will look for. The "REST Regex" is the pattern of API calls you wish to enable for the Centrify CLI; the API reference is at https://developer.centrify.com/reference. For example, a scope of '.*' will enable all API calls, while 'UserMgmt/.' would restrict calls to just the User Management section. Security best practice is to set this to the minimal set of APIs needed.
  - Under the Permissions tab:
    - Add the users that will need OAuth token access; the default permissions are fine.
- Save the application.
Using OAuth With Centrify CLI
Requesting a Token
To get a token, use the "requestToken" command (with appropriate credentials). Saving the default config first makes this much more convenient, since the URL, application ID, and user name no longer need to be provided:
ccli saveconfig -o -url https://myco.my.centrify.com -u [email protected] -app CentrifyCLI
ccli requesttoken -pw supersecretpw
The requesttoken command automatically saves the token with the default config for future use.
Providing a token
Centrify CLI accepts either the entire redirect URI string or the token itself. The URI string contains characters reserved by the command line (particularly & (ampersand)), so it must be enclosed in double quotes (") when passed on the command line. Because tokens are large (600+ characters), you will want to save the token with the config for future use.
Examples:
ccli saveconfig -o -token "https://myco.my.centrify.com/sysinfo/dummy?state=Y2LL3XV5scOlfFN&access_token=eyJhbGciOiJSU..."
ccli saveconfig -o -token "encoded token string"
Running Centrify CLI with OAuth
Once configured and a token has been saved with the default config, Centrify CLI can make any REST calls the OAuth scopes allow without needing authentication arguments (until the token expires):
ccli /ServerManage/GetSecretsAndFolders -j "{'Parent': ''}"
Expired Tokens
When a token expires, running Centrify CLI results in an authentication error. At this point, simply request a new token as before to retrieve and save an updated token:
ccli requesttoken -pw supersecretpw
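The page leaves two things to trial and error: whether a saved token has already expired (the CLI only tells you via an authentication error), and whether the scope's REST Regex actually covers the endpoint you are about to call. The pre-flight check below is an added example, not part of the centrifycli project. It accepts either the full redirect URI or the bare token (as the "Providing a token" section describes), decodes the JWT payload to read its expiry, and tests an endpoint path against the REST Regex. It assumes that the token is a JWT with a numeric "exp" claim and that the REST Regex is applied as a full match to the path without its leading slash; both are assumptions about the service, and the sample token is constructed locally rather than issued by a tenant.

```python
"""Pre-flight checks for a saved Centrify CLI OAuth token (added example).

Assumptions (not confirmed by the wiki page):
  * the access token is a JWT whose payload carries a numeric "exp" claim;
  * the scope's REST Regex is full-matched against the REST path with the
    leading slash removed.
The sample token built by make_sample_token() is constructed for offline use.
"""
import base64
import json
import re
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse


def extract_token(value: str) -> str:
    """Accept the full redirect URI (access_token in query or fragment) or the
    bare token string, mirroring what the CLI's -token option accepts."""
    if not value.startswith(("http://", "https://")):
        return value.strip()
    parsed = urlparse(value)
    for part in (parsed.query, parsed.fragment):
        params = parse_qs(part)
        if "access_token" in params:
            return params["access_token"][0]
    raise ValueError("URI does not carry an access_token parameter")


def _b64url_decode(segment: str) -> bytes:
    # JWTs strip base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature.  This is only for
    local inspection of exp/scope; the tenant remains the authority on
    whether the token is valid."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def seconds_until_expiry(token: str, now: Optional[float] = None) -> float:
    """Positive while the token is still usable, negative once expired."""
    now = time.time() if now is None else now
    return float(jwt_claims(token)["exp"]) - now


def scope_allows(rest_regex: str, endpoint: str) -> bool:
    """Predict whether a scope's REST Regex (e.g. '.*' or 'UserMgmt/.*')
    covers an endpoint such as '/ServerManage/GetSecretsAndFolders'."""
    return re.fullmatch(rest_regex, endpoint.lstrip("/")) is not None


def preflight(value: str, rest_regex: str, endpoint: str,
              now: Optional[float] = None) -> dict:
    """Combine both checks so a wrapper script can refuse to run the CLI
    (and prompt for a fresh requesttoken) before hitting an auth error."""
    token = extract_token(value)
    remaining = seconds_until_expiry(token, now)
    return {
        "expired": remaining <= 0,
        "seconds_left": remaining,
        "scope_allows_endpoint": scope_allows(rest_regex, endpoint),
    }


def make_sample_token(exp: int, scope: str = "ccli") -> str:
    """Constructed, unsigned sample JWT for offline testing.  The signature
    segment is a placeholder; real tokens are issued and signed by the tenant."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {"iss": "https://myco.my.centrify.com/", "exp": exp, "scope": scope}
    return f"{enc(header)}.{enc(payload)}.placeholder-signature"


if __name__ == "__main__":
    # Constructed sample: token expiring at a fixed epoch second, wrapped in a
    # redirect URI shaped like the one shown in the "Providing a token" section.
    sample = make_sample_token(exp=2_000_000_000)
    uri = "https://myco.my.centrify.com/sysinfo/dummy?state=Y2LL3XV5scOlfFN&access_token=" + sample
    print(preflight(uri, "UserMgmt/.*", "/ServerManage/GetSecretsAndFolders"))
```

A wrapper around ccli can call preflight() first and, when "expired" is true, run requesttoken before the real call instead of waiting for the authentication error; when "scope_allows_endpoint" is false, the fix is in the application's Scope tab, not in the token.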