Difference between revisions of "OAuth for MyProxy GetProxy Endpoint"

From PDP/Grid Wiki
Jump to navigationJump to search
(12 intermediate revisions by the same user not shown)
Line 1: Line 1:
[http://grid.ncsa.illinois.edu/myproxy/oauth/ OAuth for MyProxy] (OA4MP) implements the [http://goo.gl/VnMKXS OIDC/OA4MP Protocol], which is an extension of the [http://openid.net/specs/openid-connect-core-1_0.html OpenID Connect] specification. The modifications introduced by OA4MP include the [http://goo.gl/VnMKXS#h.3khs91kr9igo GetCert Endpoint] which is used by the OA4MP Client (e.g. a Science Gateway) to retrieve an End Entity Certificate (EEC) on behalf of the authenticated user. Typical workflows usually do not directly make use of EECs but use instead [https://tools.ietf.org/html/rfc3820 RFC3820] Proxy Certificates. Proxy Certificates, usually having a shorter lifetime than EECs, are less likely to be used maliciously given their short validity period, while still conveying the same authentication information as an EEC would. Moreover, a Proxy Certificate can contain additional authorization information in the form of VOMS Extensions.   
+
[http://grid.ncsa.illinois.edu/myproxy/oauth/ OAuth for MyProxy] (OA4MP) implements the [http://goo.gl/VnMKXS OIDC/OA4MP Protocol], which is an extension of the [http://openid.net/specs/openid-connect-core-1_0.html OpenID Connect] specification. The modifications introduced by OA4MP on top of OIDC include the [http://goo.gl/VnMKXS#h.3khs91kr9igo GetCert Endpoint] which is used by the OA4MP Client (e.g. a Science Gateway) to retrieve an End Entity Certificate (EEC) on behalf of the authenticated user. Typical workflows on the other hand usually do not directly make use of EECs, but instead use [https://tools.ietf.org/html/rfc3820 RFC3820] Proxy Certificates.<br>
 +
Proxy Certificates, usually having a shorter lifetime than EECs, are less likely to be used maliciously given their short validity period, while still conveying the same authentication information as an EEC would. Moreover, a Proxy Certificate can contain additional authorization information in the form of VOMS Extensions.   
  
We propose adding a GetProxy Endpoint into the OIDC/OA4MP Protocol, which returns Proxy Certificates. The main differences between the GetProxy and GetCert Endpoint are:
+
The AARC-developed MasterPortal therefore adds a GetProxy Endpoint to the OIDC/OA4MP Protocol, which directly returns Proxy certificate chains to its clients. The main differences between the GetProxy and GetCert Endpoint are:
  
* returns RFC3820 Proxy Certificate chain
+
* return RFC3820 Proxy Certificate chain
 
* generates keypair and CSR on server side instead of client side
 
* generates keypair and CSR on server side instead of client side
 
* accepts VONAME and VOMSES parameters  
 
* accepts VONAME and VOMSES parameters  
 +
 +
For the ''technical implementation details'' of the Getproxy Endpoint, see [[OAuth_for_MyProxy_GetProxy_Endpoint_-_Implementation | here]].
  
 
== Protocol Specification ==
 
== Protocol Specification ==
Line 49: Line 52:
 
|}
 
|}
  
Just as for the GetCert endpoint, the access_token, client_id and client_secret parameters are there to ensure the authenticity of the request. Note that the 'certreq' parameter, containing the Certificate Signing Request (CSR), is not required. Instead, a new keypair and CSR are created on the server side and used in the subsequent MyProxy GET request. The motivation behind this change is to take the burden of key generation off the OA4MP Client, thus making it more lightweight and easier to adopt by different communities.
+
Just as for the GetCert endpoint, the access_token, client_id and client_secret parameters are there to ensure the authenticity of the request. Note that the 'certreq' parameter (of the getcert request), containing the Certificate Signing Request (CSR), is not required. Instead, a new keypair and CSR are created on the server side and used in the subsequent MyProxy GET request. The motivation behind this change is to take the burden of key generation away from the OA4MP Client, thus making it more lightweight and easier to adopt by different communities.
  
 
Requesting a VOMS Proxy Certificate can be done by using the 'voname' and 'vomses' request parameters. These parameters are passed as-is to the [http://grid.ncsa.illinois.edu/myproxy/protocol/ MyProxy GET] request executed by the MasterPortal.
 
Requesting a VOMS Proxy Certificate can be done by using the 'voname' and 'vomses' request parameters. These parameters are passed as-is to the [http://grid.ncsa.illinois.edu/myproxy/protocol/ MyProxy GET] request executed by the MasterPortal.
  
'''Note:''' The VOMSES string is useful in scenarios where the user would like to get membership information from a VOMS server which is not configured locally in the back-end MyProxy Server (in its 'vomses' file, see 'man myproxy-server.config' under 'voms_userconf').
+
'''Note:''' The VOMSES string is useful in scenarios where the client would like to make use of a VOMS server which is not configured locally in the back-end MyProxy Server (in its 'vomses' file, see 'man myproxy-server.config' under 'voms_userconf').
  
 
=== Example Request ===
 
=== Example Request ===
Line 60: Line 63:
  
 
  POST /getproxy HTTP/1.1
 
  POST /getproxy HTTP/1.1
  Host: myproxy.example.edu
+
  Host: masterportal.example.edu
 
  Content-Type: application/x-www-form-urlencoded
 
  Content-Type: application/x-www-form-urlencoded
 
   
 
   
Line 66: Line 69:
 
  voname=superscience&vomses=%22testvo%22%20%22voms.example.edu%22%20%2215000%22%20%22%2FC%3DXX%2FO%3DExample%2FCN%3Dmyproxy.example.edu%22%20%22testvo%22
 
  voname=superscience&vomses=%22testvo%22%20%22voms.example.edu%22%20%2215000%22%20%22%2FC%3DXX%2FO%3DExample%2FCN%3Dmyproxy.example.edu%22%20%22testvo%22
  
  curl --capath /etc/grid-security/certificates/ -H "Host: myproxy.example.edu" -H "Content-Type: application/x-www-form-urlencoded" -X POST -d \
+
  curl --capath /etc/grid-security/certificates/ -d \
 
       'client_id=s6BhdRkqt3&client_secret=some_secret12345&access_token=8xLOxBtZp8&proxylifetime=43200&
 
       'client_id=s6BhdRkqt3&client_secret=some_secret12345&access_token=8xLOxBtZp8&proxylifetime=43200&
       voname=superscience&vomses="testvo" "voms.example.edu" "15000" "/C=XX/O=Example/CN=myproxy.example.edu" "testvo"' \  
+
       voname=superscience&vomses="testvo" "voms.example.edu" "15000" "/C=XX/O=Example/CN=myproxy.example.edu" "testvo"' \
      https://myproxy.example.edu/oauth2/getproxy
+
      https://masterportal.example.edu/oauth2/getproxy
  
 
=== Example Response ===
 
=== Example Response ===
Line 116: Line 119:
  
 
=== Example client code ===
 
=== Example client code ===
For example code, see [https://rcdemo.nikhef.nl/demobasic/oidc_getproxy_demo.php this simple PHP script], which shows how the <tt>/getproxy</tt> endpoint can be used to obtain a valid proxy certificate.
 
 
== Implementation Details ==
 
 
The implementation of the GetProxy Endpoint has been separated from the Master Portal OA4MP extension because it was found to be much easier to modify existing OA4MP code than to extend it. This basically means that for the purpose of implementing this endpoint we forked OA4MP. This custom OA4MP having the GetProxy Endpoint implemented can be found under the RCauth forks of the [https://github.com/rcauth-eu/OA4MP OA4MP] and [https://github.com/rcauth-eu/security-lib security-lib] projects. The separation of the two codebases is inherited from the original OA4MP implementation.
 
 
=== OA4MP ===
 
 
==== Client ====
 
 
The OA4MP Client has to be able to distinguish between cases of requesting an EEC through GetCert and requesting a proxy through GetProxy, since the backend [[#Server|Server]] is configured to provide one '''OR''' the other (EEC or Proxy), '''not both'''. This is done with the use of a new [http://grid.ncsa.illinois.edu/myproxy/oauth/client/manuals/parameters.xhtml#tags OA4MP Client configuration] parameter called 'requestProxies'.
 
 
{| class="wikitable" style="width: 55%;"
 
|-
 
|
 
| Required?
 
| Default
 
| Description
 
 
|-
 
| requestProxies
 
| N
 
| false
 
| Enables making requests to the GetProxy Endpoint
 
 
|}
 
 
Configuration example:
 
 
<client name="client-config" address="https://portal.example.edu/portal">
 
    ...
 
          <requestProxies>true</requestProxies>
 
    ...
 
</client>
 
 
By setting this configuration to '''true''' a GetProxy Endpoint aware ''OA2MPProxyService'' object will be returned to client servlets instead of a ''OA2MPService'' object. The servlet can then request a proxy by calling the ''getProxy(OA2Asset a, ATResponse2 atResponse2)'' method of the returned object. The [[#Example Request|GetProxy request]] is build internally using the clients' ID, secret and the current transactions' access token. User input (voname and vomses) should be provided to this method via the ''OA2Asset'' parameter. The proxylifetime parameter is taken from the 'lifetime' client configuration.
 
 
==== Server ====
 
 
The OA4MP Server has both GetCert and GetProxy Endpoints available at the same time, but the MyProxy Server in its backend can only be configured to return '''either''' EEC '''or''' Proxy Certificate.
 
 
'''Note:''' Do NOT use the GetProxy Endpoint when the backend MyProxy Server is configured in [http://grid.ncsa.illinois.edu/myproxy/ca/ CA mode] issuing End Entity Certificates! You will end up receiving EEC from the GetProxy Endpoint.
 
 
The implementation of the GetProxy servlet is done in ''OA2ProxyServlet''. A successful GetProxy request will execute the following flow in the servlet:
 
 
[[File:Getproxy_servlet_seq.svg]]
 
 
* Step 1 : As mentioned above, the key and CSR generation has been moved away from the OA4MP Client into the Server. The ''verifyAndGet'' method creates a new keypair and saves the resulting private key and CSR into the transaction. The proxylifetime, voname and vomses are stripped off from the request and saved in the transaction.
 
 
* Step 2 : The ''checkMPConnection'' method initiates a new MyProxy connection
 
 
* Step 3 : The ''getX509Certificates'' method inserts the proxylifetime, voname and vomses values into the MyProxy connection after which proceeds to execute a MyProxy GET command, returning the certificate chain created.
 
 
* Step 4 : The ''preprocess'' method is called before the resulting certificate chain is written out into the response buffer. Here, the ''MyX509Certificates'' holding only the certificate chain is swapped out to a ''MyX509Proxy'' object containing the same certificate chain, together with the private key from the transaction (saved in Step 1).
 
 
=== security-lib ===
 
 
The '''OA4MP''' project builds on top of the '''security-lib''' project, and therefore some of the modified code logically belongs into this project.
 
 
[[File:Ncsa-uml.svg | 1000px]]
 
 
The original OA4MP uses ''MyX509Certificates'' as a container to transmit and receive certificate chains. With the extension of GetProxy Endpoint, this container class is no longer sufficient to transmit proxies around, because it cannot hold the proxy's private key. A new container under the name of ''MyX509Proxy'' has been implemented which extends ''MyX509Certificates''.
 
 
The ''ProxyUtil'' class holds a set of static methods used for proxy transformation and generation. This class works with the aid of a newly introduced dependency: [https://github.com/eu-emi/canl-java/ canl-java]. At the time of this writing the canl version integrated was version [http://search.maven.org/#artifactdetails|eu.eu-emi.security|canl|2.2.0|jar 2.2.0].
 
  
A new request server called ''PPServer2'' (Protected Proxy Server 2) has been added after the model of ''PAServer2'' used for GetCert Requests. The new ''PPServer2'' class sets [[#Protocol Specification | GetProxy request parameters]] and creates a ''MyX509Proxy'' out of the response.
+
For example code, see this [https://rcdemo.nikhef.nl/demobasic/ simple PHP demonstrator], which shows how the <tt>/getproxy</tt> endpoint can be used to obtain a valid proxy certificate.

Revision as of 09:11, 5 September 2019