Register a EuroDaT Client

You need to register a EuroDaT Client before it is able to connect to your EuroDaT instance. If you are the administrator of a EuroDaT instance, you can use the script cluster/scripts/register_client.sh.

The tls.crt corresponding to the client secret is required; see our tutorial on how to generate a client secret.

Registration Script Usage

Run the following command to register a client:

    ./cluster/scripts/register_client.sh \
      --context $PLATFORM_CONTEXT \
      --idp-context $IDP_CONTEXT \
      --tls-cert-path $PATH_TO_CLIENT_TLS_CRT \
      --client-id $CLIENT_ID \
      --participant $PARTICIPANT \
      --purpose $PURPOSE
  • --context: Kubernetes context of the EuroDaT platform cluster to use for registration.
  • --idp-context: Kubernetes context of the IdP cluster to use for authentication.
  • --tls-cert-path: Path to the client's TLS certificate (tls.crt).
  • --client-id: Unique identifier for the client being registered.
  • --participant: The row-based security identifier for the client.
  • --purpose: The purpose of the client (APPS, TRANSACTIONS or SAFEDEPOSITS).

If you want to register a multi-purpose client, you have to repeat --purpose for each purpose. The token will contain all registered purposes, as well as the participant claim. Please note that a participant can register many clients, but each client can only have one participant, such that the client_id to participant mapping is unique.

The required realm depends on the environment you want to register your client for, e.g., eurodat-int for the integration environment. When contexts are provided, the script automatically extracts the following from Kubernetes:

  • REALM: extracted from the ConfigMap in the platform cluster.
  • PLATFORM_URL: extracted from the ConfigMap in the platform cluster.
  • USER_REGISTRATOR_SECRET: extracted from the user-registrator-secret in the IdP cluster.

These variables must therefore not be provided explicitly. If --context is not provided, the following options must be specified instead:

  • --realm: The realm you want to register this client for
  • --platform-url: The URL of the cluster where the platform is deployed
  • --idp-url: URL of the Identity Provider used

Since public access to the Keycloak admin console is disabled, the script establishes a temporary kubectl port-forward to the Keycloak pod in the IdP cluster.
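The argument rules above are easy to get wrong when the command is scripted. The following POSIX sh pre-flight check is an added example, not part of the EuroDaT repository or of register_client.sh: it accepts the same flags, rejects unknown purposes, enforces that --realm/--platform-url/--idp-url are given exactly when --context is absent, and confirms the certificate path points at a PEM certificate. The function name and the PEM sanity check are assumptions.

```shell
# validate_register_args: hypothetical pre-flight check for register_client.sh
# arguments. Returns 0 when the invocation is consistent with the documented
# rules, 1 otherwise, printing every violation found to stderr.
validate_register_args() {
  context="" realm="" platform_url="" idp_url="" cert=""
  client_id="" participant="" purposes="" rc=0
  while [ $# -gt 0 ]; do
    # every option documented for the script takes exactly one value
    [ $# -ge 2 ] || { echo "missing value for $1" >&2; return 1; }
    case "$1" in
      --context)       context="$2" ;;
      --idp-context)   : ;;                 # accepted, no rule to check here
      --realm)         realm="$2" ;;
      --platform-url)  platform_url="$2" ;;
      --idp-url)       idp_url="$2" ;;
      --tls-cert-path) cert="$2" ;;
      --client-id)     client_id="$2" ;;
      --participant)   participant="$2" ;;
      --purpose)
        # --purpose is repeatable; only the three documented values are valid
        case "$2" in
          APPS|TRANSACTIONS|SAFEDEPOSITS) purposes="$purposes $2" ;;
          *) echo "invalid --purpose: $2" >&2; rc=1 ;;
        esac ;;
      *) echo "unknown option: $1" >&2; return 1 ;;
    esac
    shift 2
  done
  [ -n "$client_id" ]   || { echo "--client-id is required" >&2; rc=1; }
  [ -n "$participant" ] || { echo "--participant is required" >&2; rc=1; }
  [ -n "$purposes" ]    || { echo "at least one --purpose is required" >&2; rc=1; }
  if [ -n "$context" ]; then
    # with a platform context, REALM and PLATFORM_URL come from the cluster
    [ -z "$realm$platform_url$idp_url" ] ||
      { echo "--realm/--platform-url/--idp-url must not be passed with --context" >&2; rc=1; }
  else
    [ -n "$realm" ] && [ -n "$platform_url" ] && [ -n "$idp_url" ] ||
      { echo "without --context, --realm, --platform-url and --idp-url are required" >&2; rc=1; }
  fi
  if [ -z "$cert" ]; then
    echo "--tls-cert-path is required" >&2; rc=1
  elif ! grep -q 'BEGIN CERTIFICATE' "$cert" 2>/dev/null; then
    echo "not a readable PEM certificate: $cert" >&2; rc=1
  fi
  return $rc
}
```

Source the file and call validate_register_args with exactly the arguments you intend to pass to register_client.sh; a non-zero exit means the real run would be misconfigured.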

Registration Workflow at EuroDaT

The register_client.sh script performs the following steps:

  1. Extraction: retrieves configuration (Realm, URL) from the Platform cluster.
  2. Secret Retrieval: fetches Admin and Registrator credentials from the IdP cluster.
  3. Connectivity: establishes a port-forward to Keycloak.
  4. Keycloak Registration: authenticates as Realm Admin and creates/updates the OIDC client with the provided certificate.
  5. Platform Mapping: authenticates as user-registrator and registers the unique client_id to participant mapping in the EuroDaT platform.

    sequenceDiagram
        participant CB as Client Backend
        participant EC as EuroDaT Controller
        participant KC as Keycloak
        CB->>EC: Call registration endpoint<br>with client name and certificate
        alt New client
            EC->>KC: Create client with certificate
        else Client exists
            EC->>KC: Throw error
        end