indigo-iam / iam

INDIGO Identity and Access Management Service
https://indigo-iam.github.io/

API account/search: Full authentication is required to access this resource #693

Closed chaen closed 5 months ago

chaen commented 5 months ago

Hi,

I wanted to use the account/search API to list the users in IAM.

For that, I created a new client, gave it the iam:admin.read scope, and enabled the client_credentials flow.

I can successfully get a token:

curl -q -L -s -u ${CLIENT_ID}:${CLIENT_SECRET} -d grant_type=client_credentials -d scope=iam:admin.read ${IAM_TOKEN_ENDPOINT} > /tmp/token.json

export AT=$(cat /tmp/token.json  | jq ".access_token")
$ echo ${AT} | awk -F '.' {'print $2'} | base64 -d  | jq
base64: invalid input
{
  "wlcg.ver": "1.0",
  "sub": "91eda42f-2154-4168-892f-60a265d95564",
  "aud": "https://wlcg.cern.ch/jwt/v1/any",
  "nbf": 1705930415,
  "scope": "iam:admin.read",
  "iss": "https://lhcb-auth.web.cern.ch/",
  "exp": 1705934015,
  "iat": 1705930415,
  "jti": "206f02c3-a1f2-4749-9a0e-2d38b60ab929",
  "client_id": "91eda42f-2154-4168-892f-60a265d95564"
}

But calling the API results in an error

$ curl -s -H "Authorization: Bearer ${AT}" -L http://lhcb-auth.web.cern.ch/iam/account/search 
{"error":"unauthorized","error_description":"Full authentication is required to access this resource"}

Any pointer to what I should do? Thanks

rmiccoli commented 5 months ago

Hi,

Everything seems correct to me except the endpoint. It is https://lhcb-auth.web.cern.ch/iam/account/search (not http), right?

chaen commented 5 months ago

Stupid me! I blindly copy/pasted what's in the doc, which relies on http://localhost :man_facepalming:
Also, the jq command is not correct; it needs to be export AT=$(cat /tmp/token.json | jq -r ".access_token")

That was a proper PEBCAK ticket :-D Thanks
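
The three pitfalls visible in this thread, as shell helpers: the token read with `jq -r` so it carries no JSON quotes, the JWT payload decoded as unpadded base64url (which plain `base64 -d` rejects), and a scheme check so the bearer token is only ever sent to an `https://` URL. This is an added example, not code from the thread or the IAM documentation; the function names and the sample token are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: helper names and the sample token are constructed, not IAM code.

# Decode one base64url segment: restore the standard alphabet and '=' padding.
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="${s}="; done
  printf '%s' "$s" | base64 -d
}

# Print the claims (second dot-separated segment) of a JWT.
jwt_claims() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Read the raw token; jq -r drops the JSON quotes that would corrupt the header.
access_token_from() {
  jq -r '.access_token' "$1"
}

# Succeed only for https:// URLs, so a token is never sent in cleartext.
require_https() {
  case "$1" in
    https://*) return 0 ;;
    *) echo "refusing to send bearer token to: $1" >&2; return 1 ;;
  esac
}

# GET an endpoint with the token. No -L, so a redirect is not followed.
iam_get() {
  require_https "$1" || return 1
  curl -sS --proto '=https' -H "Authorization: Bearer $2" "$1"
}

# Constructed sample: token-shaped string with an unpadded payload segment.
sample_jwt() {
  printf 'e30.%s.sig' "$(printf '%s' '{"scope":"iam:admin.read"}' \
    | base64 | tr -d '=\n' | tr '/+' '_-')"
}

jwt_claims "$(sample_jwt)"; echo
require_https "http://lhcb-auth.web.cern.ch/iam/account/search" \
  || echo "use https://lhcb-auth.web.cern.ch/iam/account/search instead"
```

With a real token file, `iam_get "https://lhcb-auth.web.cern.ch/iam/account/search" "$(access_token_from /tmp/token.json)"` performs the call from the thread.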