OpenID Connect on Open Industrial Data

  • 18 July 2022
  • 4 replies
  • 585 views


OpenID Connect is now available on Open Industrial Data (OID). When you sign up to Cognite Hub, you get an account for the Open Industrial Data project.

Whether you are new to OID or have been using API keys to access the data in this project, here’s all you need to get started with OIDC.

Details to create the Cognite client

  • Tenant ID: 48d5043c-cf70-4c49-881c-c638f5796997
  • Client ID: 1b90ede3-271e-401b-81a0-a4d52bea3273
  • Project: publicdata
  • CDF_CLUSTER: api
  • App name: OID-Api

Note: This app registration is configured with reply URLs for Postman and for running locally over http/https.

Details to create the Cognite client when using JavaScript applications

  • Tenant ID: 48d5043c-cf70-4c49-881c-c638f5796997
  • Client ID: dea6bb8d-0f48-4bf0-a469-176fc19edc14
  • Project: publicdata
  • CDF_CLUSTER: api
  • App name: OID-js

Note: This app registration is configured with a reply URL for running locally over http/https.

How to use Postman with OIDC?

We recommend that you download, install and use Postman to test API requests and verify responses.

Update authorization: https://docs.cognite.com/dev/guides/postman/#step-3-update-authorization


How to use Cognite python SDK with OIDC?

You can authenticate the Python SDK with Azure AD by using a token retrieved when a user authenticates or with a static client secret for long-running jobs like extractors.

Learn more: https://docs.cognite.com/dev/guides/sdk/python/python_auth_oidc


How to use Cognite JavaScript SDK with OIDC?

You can follow this guide on how to authenticate with the JavaScript SDK.

Learn more: https://docs.cognite.com/dev/guides/sdk/js/

To use the client credentials flow, you need a client secret. You can generate one by following the link below:

How to generate a client secret for Open Industrial Data?

Let me know if you have any questions!


4 replies

Hello, 

I’m using the Cognite Python SDK to query some data from the OpenIndustrialData project. I’m confused about the new OIDC authentication process.

[This guide](https://docs.cognite.com/dev/guides/sdk/python/) mentions that the following arguments should be passed to the `CogniteClient`:

```python
from cognite.client import CogniteClient

client = CogniteClient(
    token_url="<token-url>",
    token_client_id="<your-client-id>",
    token_client_secret="<client-secret>",
    token_scopes="<scope>",
    project="<your-cognite-project>",
    base_url=f"https://{cdf_cluster}.cognitedata.com",  # cdf_cluster holds the cluster name, e.g. "api"
    client_name="<your-client-name>",
)
```

Alternatively, an api-key can be passed (although this process is being deprecated):

```python
from cognite.client import CogniteClient

c = CogniteClient(api_key="<your-api-key>",
                  client_name="<your-client-name>")
```

However, as of cognite-sdk Python package version 4.0.1 the `CogniteClient` still expects `config` of class `ClientConfig` as an argument. Passing `token_url` or `api_key` as an argument throws an “unexpected keyword argument” error.

Would you be able to clarify how we are expected to authenticate to access data from the OpenIndustrialData project using the Python SDK?

Thanks


Hi Denis,

Our engineering team made some changes to how CDF is authenticated via the SDK on the 15th Aug 2022, as stated in the Cognite Python SDK repository.

https://github.com/cognitedata/cognite-sdk-python/blob/f7821557cec0be48c4a1e7a8aa6ba741775137a4/CHANGELOG.md

The SDK team has already updated this in our Python SDK docs. However, some code samples and parts of the docs are still not updated, and I have opened a separate bug to update those.

You can use the below code sample to access OpenIndustrialData project with interactive login and token refresh.

```python
import atexit
import os

from cognite.client import CogniteClient, ClientConfig
from cognite.client.credentials import Token
from msal import PublicClientApplication, SerializableTokenCache

# Contact Project Administrator to get these
TENANT_ID = "48d5043c-cf70-4c49-881c-c638f5796997"
CLIENT_ID = "1b90ede3-271e-401b-81a0-a4d52bea3273"
CDF_CLUSTER = "api"  # api, westeurope-1 etc
COGNITE_PROJECT = "publicdata"

CACHE_FILENAME = "cache.bin"
SCOPES = [f"https://{CDF_CLUSTER}.cognitedata.com/user_impersonation"]

AUTHORITY_HOST_URI = "https://login.microsoftonline.com"
AUTHORITY_URI = AUTHORITY_HOST_URI + "/" + TENANT_ID
PORT = 53000


def create_cache():
    """Load the MSAL token cache from disk (if present) and persist it at exit."""
    cache = SerializableTokenCache()
    if os.path.exists(CACHE_FILENAME):
        with open(CACHE_FILENAME, "r") as f:
            cache.deserialize(f.read())

    def save():
        if cache.has_state_changed:
            with open(CACHE_FILENAME, "w") as f:
                f.write(cache.serialize())

    atexit.register(save)
    return cache


def authenticate_azure(app):
    # Firstly, check the cache to see if this end user has signed in before
    accounts = app.get_accounts()
    creds = None
    if accounts:
        creds = app.acquire_token_silent(SCOPES, account=accounts[0])
    if not creds:
        # Silent acquisition returns None when no valid/refreshable token is cached.
        # Interactive login - make sure you have http://localhost:port in Redirect URI
        # in App Registration as type "Mobile and desktop applications"
        creds = app.acquire_token_interactive(scopes=SCOPES, port=PORT)
    return creds


# Hand the on-disk cache to MSAL so refresh tokens survive across runs
app = PublicClientApplication(client_id=CLIENT_ID, authority=AUTHORITY_URI, token_cache=create_cache())


def get_token():
    return authenticate_azure(app)["access_token"]


cnf = ClientConfig(client_name="my-special-client", project=COGNITE_PROJECT, credentials=Token(get_token))
client = CogniteClient(cnf)

print(client.iam.token.inspect())
```

Thanks,

Shehan.


Hi @gontcharovd! You’re right, it has been changed in the most recent version of the Python SDK, and the new pattern should be documented here: https://cognite-docs.readthedocs-hosted.com/projects/cognite-sdk-python/en/latest/cognite.html#authenticate

I wrote an example of how you can access Open Industrial Data using OIDC with the Python SDK here. A bit of extra code is needed to manage the interactive login flow on the identity provider (Azure) for human users :)


Edit: @Shehan Karunaratne got to it just before me :) Now you have a couple of alternatives to choose from :) 


Hi @Shehan Karunaratne, we have extractors set up that get data from publicdata. How can we request the client secret? We would not be able to use the interactive log-in.
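Added example (not code from the thread or from Cognite's SDK): the non-interactive counterpart to the interactive sample above, for extractors that hold a client secret as the original post and the last question describe. It assumes the Azure AD v2.0 token endpoint for the tenant above, the application-level `.default` scope instead of `user_impersonation`, and uses only the standard library so the callable can be handed to `Token(get_token)` exactly like `get_token` in the reply above; `ClientCredentialsToken`, `post_form` and `OID_CLIENT_SECRET` are hypothetical names.

```python
import json
import time
import urllib.parse
import urllib.request

# Values from the original post; the Azure AD v2.0 token endpoint is assumed.
TENANT_ID = "48d5043c-cf70-4c49-881c-c638f5796997"
CLIENT_ID = "1b90ede3-271e-401b-81a0-a4d52bea3273"
CDF_CLUSTER = "api"
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"
# Client credentials use the application-level ".default" scope, not user_impersonation.
SCOPES = [f"https://{CDF_CLUSTER}.cognitedata.com/.default"]


def build_token_request(client_secret):
    """Form body for the OAuth 2.0 client credentials grant (RFC 6749 section 4.4)."""
    return {
        "grant_type": "client_credentials",
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "scope": " ".join(SCOPES),
    }


def post_form(url, form):
    """Real transport: POST a url-encoded form and return the parsed JSON reply."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


class ClientCredentialsToken:
    """Callable for Token(get_token): caches the access token and re-requests it
    shortly before expiry, so a long-running extractor never sends a stale one.
    Pass the secret in from the environment (e.g. os.environ["OID_CLIENT_SECRET"])."""

    def __init__(self, client_secret, transport=post_form, leeway=60, clock=time.time):
        self._secret, self._transport = client_secret, transport
        self._leeway, self._clock = leeway, clock
        self._token, self._expires_at = None, 0.0

    def __call__(self):
        if self._token is None or self._clock() >= self._expires_at - self._leeway:
            resp = self._transport(TOKEN_URL, build_token_request(self._secret))
            if "access_token" not in resp or resp.get("token_type", "").lower() != "bearer":
                raise RuntimeError(f"token endpoint error: {resp.get('error', 'unexpected response')}")
            self._token = resp["access_token"]
            self._expires_at = self._clock() + float(resp.get("expires_in", 0))
        return self._token
```

The `transport` and `clock` parameters exist so the refresh logic can be exercised offline; in production leave the defaults and pass `ClientCredentialsToken(...)` as the `Token` callable in `ClientConfig`.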
