OAuth for MyProxy GetProxy Endpoint - Implementation
This page describes the technicalities of implementing the OAuth for MyProxy GetProxy Endpoint.
The GetProxy Endpoint has been implemented as a modification of the existing OA4MP code. This turned out to be much easier than implementing it as part of the Master Portal code base (which builds on top of the OA4MP code). As a result we have forked OA4MP and its dependency security-lib; the customised code can be found in the RCauth versions of the OA4MP and security-lib projects. The separation into two libraries is inherited from the original OA4MP implementation.
The implementation required changes in both the OA4MP library and its dependency security-lib; both are described in the following two subsections.
The OA4MP library contains code for both the server side and the client side:
The OA4MP Client has to be able to distinguish between requesting an EEC through GetCert and requesting a proxy through GetProxy, since the backend MyProxy Server is configured to provide one or the other (EEC or Proxy), not both. This is done with a new OA4MP Client configuration parameter called 'requestProxies'.
|Parameter|Required|Default|Description|
|requestProxies|N|false|Enables making requests to the GetProxy Endpoint|
<client name="client-config" address="https://portal.example.edu/portal">
    ...
    <requestProxies>true</requestProxies>
    ...
</client>
By setting this parameter to true, a GetProxy Endpoint aware OA2MPProxyService object is returned to client servlets instead of an OA2MPService object. The servlet can then request a proxy by calling the getProxy(OA2Asset a, ATResponse2 atResponse2) method of the returned object. The GetProxy request is built internally from the client's ID, the client's secret and the current transaction's access token. User input (voname and vomses) should be provided to this method via the OA2Asset parameter. The proxylifetime parameter is taken from the 'lifetime' client configuration.
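The client-side call sequence, as an added example that is not part of the OA4MP or RCauth code. It assumes the upstream OA4MP package layout for the imports, that OA2Asset carries the VO parameters through setters named setVoname and setVomses, and that MyX509Proxy exposes the private key through getPrivateKey() next to the getX509Certificates() it inherits; those names are assumptions, not confirmed by this page. The proxy is written in the order Globus-style tools expect (proxy certificate, private key, remaining chain) into a file created with mode 0600.

```java
import java.io.IOException;
import java.io.Writer;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.PrivateKey;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Base64;

// Package paths below follow the upstream OA4MP layout and are assumptions.
import edu.uiuc.ncsa.myproxy.oa4mp.oauth2.client.OA2Asset;
import edu.uiuc.ncsa.myproxy.oa4mp.oauth2.client.OA2MPService;
import edu.uiuc.ncsa.myproxy.oa4mp.oauth2.client.OA2MPProxyService;
import edu.uiuc.ncsa.security.oauth_2_0.client.ATResponse2;
import edu.uiuc.ncsa.security.delegation.token.MyX509Proxy;

/** Added example: request a proxy via GetProxy and store it as a proxy file. Not project code. */
public class GetProxyClientExample {

    /**
     * Requests a proxy for the current transaction. The service object must be the
     * OA2MPProxyService that requestProxies=true makes the client environment return;
     * a plain OA2MPService means the client is configured for GetCert and must not be
     * silently used instead.
     */
    public static MyX509Proxy fetchProxy(OA2MPService service, OA2Asset asset, ATResponse2 atResponse,
                                         String voname, String vomses) throws Exception {
        if (!(service instanceof OA2MPProxyService)) {
            throw new IllegalStateException(
                "client is not configured with <requestProxies>true</requestProxies>");
        }
        // VO parameters travel to the endpoint inside the asset (setter names assumed).
        asset.setVoname(voname);
        asset.setVomses(vomses);
        // proxylifetime is not set here: it comes from the client's 'lifetime' configuration.
        return ((OA2MPProxyService) service).getProxy(asset, atResponse);
    }

    /**
     * Writes the credential in the order Globus-style tools expect: proxy certificate,
     * its private key, then the rest of the chain. The file is created with mode 0600
     * before any key material is written.
     */
    public static Path writeProxyFile(MyX509Proxy proxy, Path target)
            throws IOException, CertificateEncodingException {
        X509Certificate[] chain = proxy.getX509Certificates(); // inherited from MyX509Certificates
        PrivateKey key = proxy.getPrivateKey();                 // accessor name assumed
        if (chain == null || chain.length == 0 || key == null) {
            throw new IllegalStateException("GetProxy response lacks a certificate chain or private key");
        }
        Files.deleteIfExists(target);
        Files.createFile(target,
            PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------")));
        try (Writer w = Files.newBufferedWriter(target, StandardCharsets.US_ASCII)) {
            writePem(w, "CERTIFICATE", chain[0].getEncoded());
            writePem(w, "PRIVATE KEY", key.getEncoded()); // JDK keys encode as PKCS#8
            for (int i = 1; i < chain.length; i++) {
                writePem(w, "CERTIFICATE", chain[i].getEncoded());
            }
        }
        return target;
    }

    private static void writePem(Writer w, String label, byte[] der) throws IOException {
        w.write("-----BEGIN " + label + "-----\n");
        w.write(Base64.getMimeEncoder(64, new byte[] {'\n'}).encodeToString(der));
        w.write("\n-----END " + label + "-----\n");
    }
}
```

Older Globus tools expect the key in PKCS#1 form ("RSA PRIVATE KEY"); the PKCS#8 block written above can be converted with openssl rsa where that matters. Before storing the file the caller should also confirm that the leaf of the returned chain is a proxy and not an EEC, which is exactly the failure mode the Note in the Server section below warns about.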
The OA4MP Server has both the GetCert and the GetProxy Endpoint available at the same time, but the MyProxy Server in its backend can only be configured to return either EECs or Proxy Certificates, not both.
Note: Do NOT use the GetProxy Endpoint when the backend MyProxy Server is configured in CA mode, issuing End Entity Certificates! You will end up receiving an EEC, not a proxy, from the GetProxy Endpoint.
The GetProxy servlet is implemented in OA2ProxyServlet. A successful GetProxy request executes the following flow in the servlet:
- Step 1 : For GetProxy, key and CSR generation has been moved from the OA4MP Client into the Server. The verifyAndGet method creates a new keypair and saves the resulting private key and CSR into the transaction. The proxylifetime, voname and vomses parameters are stripped from the request and saved in the transaction.
- Step 2 : The checkMPConnection method initiates a new MyProxy connection.
- Step 3 : The getX509Certificates method inserts the proxylifetime, voname and vomses values into the MyProxy connection, after which it executes a MyProxy GET command and returns the resulting certificate chain.
- Step 4 : The preprocess method is called before the resulting certificate chain is written into the response buffer. Here the MyX509Certificates object, which holds only the certificate chain, is swapped for a MyX509Proxy object containing the same certificate chain together with the private key from the transaction (saved in Step 1).
The OA4MP project builds on top of the security-lib project, and therefore some of the modified code logically belongs in that project.
The original OA4MP uses MyX509Certificates as a container to transmit and receive certificate chains. With the addition of the GetProxy Endpoint this container class is no longer sufficient, because it cannot hold the proxy's private key. A new container class named MyX509Proxy, which extends MyX509Certificates, has been implemented.
The ProxyUtil class holds a set of static methods used for proxy transformation and generation. This class relies on a newly introduced dependency, canl-java. At the time of this writing the integrated canl-java version was 2.6.0.
A new request server called PPServer2 (Protected Proxy Server 2) has been added, modelled on the PAServer2 used for GetCert requests. PPServer2 sets the GetProxy request parameters and creates a MyX509Proxy from the response.
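A check of what came back from the endpoint, as an added example that is not part of security-lib or its ProxyUtil class (it uses only the JDK, not canl-java). It classifies the leaf of the returned chain as an RFC 3820 proxy, a legacy Globus proxy or an EEC, confirms that the private key belongs to the leaf, checks that the chain is ordered leaf-first with each certificate signed by the next, compares the lifetime against the requested proxylifetime and checks for a VOMS attribute certificate when a VO was requested. The two OIDs are the published ProxyCertInfo and VOMS attribute-certificate extension identifiers; the five-minute clock-skew allowance is an assumed value.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Date;

/** Added example: sanity checks for a GetProxy result, JDK only. Not project code. */
public final class ProxyResultCheck {
    /** RFC 3820 ProxyCertInfo extension: present on every RFC proxy, absent from an EEC. */
    static final String PROXY_CERT_INFO_OID = "1.3.6.1.5.5.7.1.14";
    /** VOMS attribute certificate extension, expected when voname/vomses were supplied. */
    static final String VOMS_AC_OID = "1.3.6.1.4.1.8005.100.100.5";
    /** Allowance for clock skew between this host and the MyProxy server (assumed value). */
    static final long SKEW_SECONDS = 300;

    public enum Kind { RFC_PROXY, LEGACY_PROXY, EEC }

    /** Classifies the leaf certificate of a chain. */
    public static Kind classify(X509Certificate leaf) {
        if (leaf.getExtensionValue(PROXY_CERT_INFO_OID) != null) {
            return Kind.RFC_PROXY;
        }
        // RFC 2253 form lists the most specific RDN first, so a legacy Globus proxy
        // appears as "CN=proxy,CN=<user>,..." or "CN=limited proxy,CN=<user>,...".
        String dn = leaf.getSubjectX500Principal().getName();
        if (dn.startsWith("CN=proxy,") || dn.startsWith("CN=limited proxy,")) {
            return Kind.LEGACY_PROXY;
        }
        return Kind.EEC;
    }

    /** True if the returned private key really belongs to the leaf certificate. */
    public static boolean keyMatchesLeaf(PrivateKey key, X509Certificate leaf)
            throws GeneralSecurityException {
        String alg = "EC".equals(key.getAlgorithm()) ? "SHA256withECDSA"
                                                     : "SHA256with" + key.getAlgorithm();
        byte[] probe = "getproxy-key-check".getBytes(StandardCharsets.US_ASCII);
        Signature sig = Signature.getInstance(alg);
        sig.initSign(key);
        sig.update(probe);
        byte[] signed = sig.sign();
        sig.initVerify(leaf.getPublicKey());
        sig.update(probe);
        return sig.verify(signed);
    }

    public static boolean hasVomsAttributes(X509Certificate leaf) {
        return leaf.getExtensionValue(VOMS_AC_OID) != null;
    }

    public static long secondsRemaining(X509Certificate leaf, Date now) {
        return (leaf.getNotAfter().getTime() - now.getTime()) / 1000;
    }

    /**
     * Applies all checks and throws with a specific message on the first failure.
     * Structural checks only: the chain is not validated against trust anchors here,
     * use a proper path validator (for example from canl-java) for that.
     */
    public static Kind validate(X509Certificate[] chain, PrivateKey key,
                                long requestedLifetimeSeconds, boolean voRequested)
            throws GeneralSecurityException {
        if (chain == null || chain.length < 2 || key == null) {
            throw new IllegalArgumentException("expected a private key plus a chain of proxy and issuing EEC");
        }
        X509Certificate leaf = chain[0];
        Kind kind = classify(leaf);
        if (kind == Kind.EEC) {
            // The symptom of a backend MyProxy running in CA mode behind GetProxy.
            throw new IllegalStateException("GetProxy returned an end entity certificate, not a proxy");
        }
        if (!keyMatchesLeaf(key, leaf)) {
            throw new IllegalStateException("private key does not match the proxy certificate");
        }
        for (int i = 0; i + 1 < chain.length; i++) {
            if (!chain[i].getIssuerX500Principal().equals(chain[i + 1].getSubjectX500Principal())) {
                throw new IllegalStateException("chain is not ordered leaf-first at index " + i);
            }
            chain[i].verify(chain[i + 1].getPublicKey()); // throws if the signature is bad
        }
        long remaining = secondsRemaining(leaf, new Date());
        if (remaining <= 0) {
            throw new IllegalStateException("proxy is already expired");
        }
        if (remaining > requestedLifetimeSeconds + SKEW_SECONDS) {
            throw new IllegalStateException("proxy lifetime exceeds the requested proxylifetime");
        }
        if (voRequested && !hasVomsAttributes(leaf)) {
            throw new IllegalStateException("VO attributes were requested but the proxy carries no VOMS AC");
        }
        return kind;
    }
}
```

Call validate on the chain and private key taken out of the MyX509Proxy right after the GetProxy call, before the credential is stored or used; the EEC branch is the case the Note in the Server section warns about, and a MyProxy server that caps lifetimes will pass the lifetime check because it only ever issues a shorter proxy than requested.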