Difference between revisions of "OAuth for MyProxy GetProxy Endpoint"
From PDP/Grid Wiki
Jump to navigationJump to search| Line 1: | Line 1: | ||
| − | [http://grid.ncsa.illinois.edu/myproxy/oauth/ OAuth for MyProxy] (OA4MP) | + | [http://grid.ncsa.illinois.edu/myproxy/oauth/ OAuth for MyProxy] (OA4MP) implements the [http://goo.gl/VnMKXS OIDC/OA4MP Protocol], which is an extension of the [http://openid.net/specs/openid-connect-core-1_0.html OpenID Connect] specification. The modifications introduced by OA4MP include the [http://goo.gl/VnMKXS#h.3khs91kr9igo GetCert Endpoint] which is used by the OA4MP Client (e.g. a Science Gateway) to retrieve an End Entity Certificate (EEC) on behalf of the authenticated user. Typical workflows usually do not directly make use of EECs but use instead [https://tools.ietf.org/html/rfc3820 RFC3820] Proxy Certificates. Proxy Certificates, usually having a shorter lifetime than EECs, are less likely to be used maliciously given their short validity period, while still conveying the same authentication information as an EEC would. Moreover, a Proxy Certificate can contain additional authorization information in the form of VOMS Extensions. |
We propose adding a GetProxy Endpoint into the OIDC/OA4MP Protocol, which returns Proxy Certificates. The main differences between the GetProxy and GetCert Endpoint are: | We propose adding a GetProxy Endpoint into the OIDC/OA4MP Protocol, which returns Proxy Certificates. The main differences between the GetProxy and GetCert Endpoint are: | ||
| − | * returns Proxy | + | * returns RFC3820 Proxy Certificate chain |
| − | * generates CSR on server side instead of client side | + | * generates keypair and CSR on server side instead of client side |
* accepts VONAME and VOMSES parameters | * accepts VONAME and VOMSES parameters | ||
