Difference between revisions of "OAuth for MyProxy GetProxy Endpoint"

From PDP/Grid Wiki
(protocol start)
(protocol specification doneish)
== Protocol Specification ==

The GetProxy Endpoint, just like the GetCert Endpoint, is an OAuth 2.0 protected resource that returns a proxy certificate. This proxy certificate consists of the proxy's certificate chain and private key. The request made to the GetProxy Endpoint is made up of the following parameters:

{| class="wikitable" style="width: 55%;"
|-
| style="width: 25%;" | Name
| style="width: 33%;" | Required
| Description
|-
| style="width: 25%;" | client_id
| style="width: 33%;" | REQUIRED if not provided in <br />HTTP Basic Authorization header
| The client identifier issued at registration time.
|-
| style="width: 25%;" | client_secret
| style="width: 33%;" | REQUIRED if not provided in <br />HTTP Basic Authorization header
| The client secret issued at registration time.
|-
| style="width: 25%;" | access_token
| style="width: 33%;" | REQUIRED
| OIDC (OAuth 2.0) access token obtained with the token request. Provided in the 'Authorization: Bearer' header or as a form value.
|-
| style="width: 25%;" | proxylifetime
| style="width: 33%;" | OPTIONAL
| Requested proxy lifetime (in seconds). If this value exceeds the server-side default, the request parameter is ignored.
|-
| style="width: 25%;" | voname
| style="width: 33%;" | OPTIONAL
| Specifies one or more VOs to contact for membership information. A VO name can be followed by an additional group and role request (see 'man voms-proxy-init' under -voms).
|-
| style="width: 25%;" | vomses
| style="width: 33%;" | OPTIONAL
| Specifies VOMS server information in the 'vomses' file format.
|}
Just like in the case of GetCert, the access_token, client_id and client_secret parameters are there to ensure the authenticity of the request. Note that the 'certreq' parameter, containing the Certificate Signing Request (CSR), is no longer sent along in the request. Instead, a new keypair and CSR are created on the server side and used in the subsequent MyProxy GET request. The motivation behind this change is to take the burden of key generation off the OA4MP Client, thus making it more lightweight and easily adaptable by different communities.

Requesting a VOMS Proxy Certificate can be done using the 'voname' and 'vomses' request parameters. These parameters are passed as they are to the subsequent [http://grid.ncsa.illinois.edu/myproxy/protocol/ MyProxy GET] request.

'''Note:''' The VOMSES string is useful in scenarios where the user would like to get membership information from a VOMS server which is not configured in the backend MyProxy Server 'vomses' file.
=== Example Request ===

POST Example (the body is wrapped here for readability; on the wire it is a single line)

<pre>
POST /getcert HTTP/1.1
Host: myproxy.example.edu
Content-Type: application/x-www-form-urlencoded

client_id=s6BhdRkqt3&client_secret=some_secret12345&access_token=8xLOxBtZp8&proxylifetime=43200&
voname=superscience&vomses=%22testvo%22%20%22voms.example.edu%22%20%2215000%22%20%22%2FC%3DXX%2FO%3DExample%2FCN%3Dmyproxy.example.edu%22%20%22testvo%22
</pre>

The same request with curl. Each parameter is passed with --data-urlencode so that the quotes and spaces in the vomses value are percent-encoded as in the POST body above (a plain -d would send them unencoded):

<pre>
curl --capath /etc/grid-security/certificates/ -H "Host: myproxy.example.edu" \
     -H "Content-Type: application/x-www-form-urlencoded" -X POST \
     --data-urlencode 'client_id=s6BhdRkqt3' \
     --data-urlencode 'client_secret=some_secret12345' \
     --data-urlencode 'access_token=8xLOxBtZp8' \
     --data-urlencode 'proxylifetime=43200' \
     --data-urlencode 'voname=superscience' \
     --data-urlencode 'vomses="testvo" "voms.example.edu" "15000" "/C=XX/O=Example/CN=myproxy.example.edu" "testvo"' \
     https://myproxy.example.edu/oauth2/getproxy
</pre>
=== Example Response ===

In case of a successful request the body of the response message contains the proxy certificate in PEM format. The first certificate in the chain is the proxy, followed by its private key and then the rest of the chain.

<pre>
HTTP/1.1 200 OK
Content-Type: text/plain

-----BEGIN CERTIFICATE-----
MIIJ+DCCCOCgAwIBAgIEWVmVpjANBgkqhkiG9w0BAQsFADBVMQ0wCwYDVQQKEwRHcmlkMRMwEQYD
VQQLEwpHbG9idXNUZXN0MRwwGgYDVQQDFhNkdW1teUBteS1kb21haW4uY29tMREwDwYDVQQDEwg3
...
BvjdU/+9xSlBnFm7v2thFcqienTP6cY/iCQPDzT9wv/fdv/DToy9oN0BrtYievZjZOLcjsczMD5M
KXOr/StOe+qDtT6CXwpzGNE4QJYTl8yoQguZaSsGxgP2PDPS0G0dLGTv8YvG3Fle
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCAIZ9nkUddKLznkHuda9yRxPP5
j2JO9U0CFmr4EmKjvza8BstyndksT235zODXIs3wVVYqxxMqH4J9181MlCxs8f7GXRlgDlY3oSa/
...
eM7xUIqehh+Yy01oKEcSNE3ykvySXxp7JBvREhNCaObxpMhi0JAMaAJ0atf9e8E/DFOccy6P9McZ
ysKQufEOgePsck/OrFEDmGqs+bA=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDQjCCAiygAwIBAgIEBE72YDALBgkqhkiG9w0BAQswQjENMAsGA1UEChMER3JpZDETMBEGA1UE
CxMKR2xvYnVzVGVzdDEcMBoGA1UEAxYTZHVtbXlAbXktZG9tYWluLmNvbTAeFw0xNjAxMDYxNTAx
...
XZxr1zbbcPnol8vETpTiRvW3I8ms3PBwgWXE4xIbN8Myng7UgPjasv+JOykx+3UIVD1FblZAXdnH
fBJa7cu/xGomko+7i0opoQewaRcPLmGbL6xVuW3MERwIPfiKqsz+4w==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIICnjCCAgegAwIBAgICAMEwDQYJKoZIhvcNAQELBQAwTzENMAsGA1UEChMER3JpZDETMBEGA1UE
CxMKR2xvYnVzVGVzdDEpMCcGA1UEAxMgR2xvYnVzIFNpbXBsZSBDQSBmb3IgRGVtbyBQb3J0YWww
...
IACngeT/1vXoC/2s03B9dwK4s/pBs7EVG/9kf5Wlew3IVwtcqTI2kDXUPiLey+ro37Qct5htseft
E2TwLFzbCOo9wI/6cCu7uSOyxGwVlk+rvTfJFsaAmYOMeQuytQCTRy9loFNz6Hk=
-----END CERTIFICATE-----
</pre>
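As an added example (not part of this wiki page, and not OA4MP or MyProxy code), the following Python 3 script shows the client side of the two sections above: it builds the form body from the parameter table, percent-encoding the vomses string exactly as in the example request, and it splits a GetProxy response into proxy certificate, private key and chain in the order the Example Response section specifies, rejecting a response whose blocks are out of order or whose base64 is truncated or garbled. The endpoint URL is taken from the curl example; the sample response is constructed placeholder PEM, not real certificates; write_proxy_file and its 0600 file mode are this example's own addition for storing the returned key, not something the page describes.

```python
"""Client-side helpers for the GetProxy endpoint (added example, stdlib only)."""
import base64
import binascii
import os
import re
from urllib.parse import quote, urlencode

# Endpoint path as used in the page's curl example.
GETPROXY_URL = "https://myproxy.example.edu/oauth2/getproxy"

# One PEM block; the label must match between BEGIN and END.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)


def build_getproxy_body(client_id, client_secret, access_token,
                        proxylifetime=None, voname=None, vomses=None):
    """Return the application/x-www-form-urlencoded body of a GetProxy request.

    Optional parameters are omitted when not given. 'vomses' is given exactly as
    it appears in a vomses file (quotes and spaces included) and percent-encoded
    here; quote_via=quote yields %20 for spaces, as in the page's example body.
    """
    params = {"client_id": client_id,
              "client_secret": client_secret,
              "access_token": access_token}
    if proxylifetime is not None:
        params["proxylifetime"] = str(int(proxylifetime))  # seconds
    if voname:
        params["voname"] = voname
    if vomses:
        params["vomses"] = vomses
    return urlencode(params, quote_via=quote)


def split_proxy_response(pem_text):
    """Split a successful response body into proxy certificate, key and chain.

    Enforces the documented layout (proxy certificate, then its private key,
    then the remaining chain certificates) and checks that every block body is
    valid base64, so a truncated or garbled response is rejected instead of
    being written to disk as a proxy file.
    """
    blocks = list(PEM_BLOCK.finditer(pem_text))
    labels = [m.group("label") for m in blocks]
    if len(blocks) < 2 or labels[0] != "CERTIFICATE":
        raise ValueError("response must start with the proxy CERTIFICATE block")
    if labels[1] not in ("PRIVATE KEY", "RSA PRIVATE KEY"):
        raise ValueError("second block must be the proxy private key, got %r" % labels[1])
    if any(label != "CERTIFICATE" for label in labels[2:]):
        raise ValueError("blocks after the key must all be CERTIFICATE blocks")
    for m in blocks:
        # raises binascii.Error on non-base64 characters or bad padding
        base64.b64decode("".join(m.group("body").split()), validate=True)
    return {"proxy_cert": blocks[0].group(0),
            "private_key": blocks[1].group(0),
            "chain": [m.group(0) for m in blocks[2:]]}


def is_well_formed_proxy_response(pem_text):
    """True if split_proxy_response accepts the text, False otherwise."""
    try:
        split_proxy_response(pem_text)
    except (ValueError, binascii.Error):
        return False
    return True


def write_proxy_file(parts, path):
    """Store the proxy in the usual proxy-file layout (cert, key, chain).

    The response carries an unencrypted private key, so the file is created
    with mode 0600. This storage step is an addition, not described on the page.
    """
    data = "\n".join([parts["proxy_cert"], parts["private_key"]] + parts["chain"]) + "\n"
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def _pem(label, payload):
    """Wrap constructed bytes as a PEM block (placeholder content, not real DER)."""
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (
        label, base64.encodebytes(payload).decode(), label)


# Constructed sample response in the documented order: proxy cert, key, chain.
SAMPLE_RESPONSE = (
    _pem("CERTIFICATE", b"constructed: proxy certificate placeholder " * 3)
    + _pem("PRIVATE KEY", b"constructed: proxy private key placeholder " * 3)
    + _pem("CERTIFICATE", b"constructed: end-entity certificate placeholder")
    + _pem("CERTIFICATE", b"constructed: CA certificate placeholder")
)
# The same kind of blocks with the key before the certificate: must be rejected.
BAD_RESPONSE = _pem("PRIVATE KEY", b"constructed key") + _pem("CERTIFICATE", b"constructed cert")

if __name__ == "__main__":
    print(build_getproxy_body("s6BhdRkqt3", "some_secret12345", "8xLOxBtZp8",
                              proxylifetime=43200, voname="superscience",
                              vomses='"testvo" "voms.example.edu" "15000" '
                                     '"/C=XX/O=Example/CN=myproxy.example.edu" "testvo"'))
    parts = split_proxy_response(SAMPLE_RESPONSE)
    print(len(parts["chain"]), "chain certificate(s); bad sample accepted:",
          is_well_formed_proxy_response(BAD_RESPONSE))
```

To use it against a real server, POST the body returned by build_getproxy_body to GETPROXY_URL over TLS with CA validation (the page's curl example uses --capath for this), pass the response text to split_proxy_response, and hand the result to write_proxy_file. Rejecting the response before it is stored matters because the client never sees the key material until this point: the keypair is generated on the server, so a damaged or reordered response is the only early signal the client gets.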

Revision as of 11:26, 8 January 2016