Difference between revisions of "OAuth for MyProxy GetProxy Endpoint"

From PDP/Grid Wiki
[http://grid.ncsa.illinois.edu/myproxy/oauth/ OAuth for MyProxy] (OA4MP) is based on the [https://docs.google.com/document/d/1cs3peO9FxA81KN-1RC6Z-auEFIwRbJpZ-SFuKbQzS50/pub OIDC/OA4MP Protocol], a modified version of [http://openid.net/specs/openid-connect-core-1_0.html OpenID Connect]. The modifications introduced by OA4MP include the [https://docs.google.com/document/d/1cs3peO9FxA81KN-1RC6Z-auEFIwRbJpZ-SFuKbQzS50/pub#h.3khs91kr9igo GetCert Endpoint], which the OA4MP Client (e.g. a Science Gateway) uses to retrieve an End Entity Certificate (EEC) on behalf of the authenticated user. In certain scenarios EECs can be replaced by Proxy Certificates. A Proxy Certificate conveys the same authentication information as the EEC it is derived from, but usually has a much shorter lifetime, so a proxy that leaks or is stolen is only usable by an attacker until it expires, whereas a leaked EEC stays usable for the whole of its validity period (unless it is revoked). Moreover, a Proxy Certificate can carry additional authorization information in the form of VOMS Extensions.
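As an added example (not code from this page or from the OA4MP project), the following Python script uses the <code>cryptography</code> package to issue a long-lived EEC for a user, derive a 12-hour RFC 3820 Proxy Certificate from it with a fresh key, and apply the checks a relying party makes before accepting the proxy as standing for the EEC holder: the RFC 3820 naming rule (proxy subject is the EEC subject plus exactly one CN), the critical proxyCertInfo extension, the signature under the EEC key, the validity window, and the local policy that a proxy must not outlive its EEC. The CA name, the users "alice" and "mallory", the lifetimes and the rejection messages are constructed for the illustration; VOMS Extensions are not modelled.

```python
"""Added example (not from the page or OA4MP): issue an EEC, derive a short-lived
RFC 3820 proxy certificate from it, and check the proxy as a relying party would.
Names, lifetimes and rejection messages are constructed for illustration."""
import secrets
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# id-pe-proxyCertInfo (RFC 3820 section 3.8): every proxy carries it, marked critical.
PROXY_CERT_INFO_OID = x509.ObjectIdentifier("1.3.6.1.5.5.7.1.14")
# DER of ProxyCertInfo { proxyPolicy { policyLanguage id-ppl-inheritAll } }:
# the proxy inherits every right of the EEC and sets no further path-length limit.
PROXY_CERT_INFO_INHERIT_ALL = bytes.fromhex("300c300a06082b06010505071501")


def new_key():
    return ec.generate_private_key(ec.SECP256R1())


def _utc(cert_time):
    # cryptography < 42 exposes naive UTC datetimes; >= 42 also has the *_utc properties.
    return cert_time if cert_time.tzinfo else cert_time.replace(tzinfo=timezone.utc)


def not_before(cert):
    return _utc(getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before)


def not_after(cert):
    return _utc(getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after)


def issue_eec(ca_key, ca_name, user_key, user_cn, now, lifetime):
    """The CA issues the long-lived EEC (what the GetCert Endpoint would hand back)."""
    subject = x509.Name([
        x509.NameAttribute(NameOID.DOMAIN_COMPONENT, "org"),
        x509.NameAttribute(NameOID.DOMAIN_COMPONENT, "example"),
        x509.NameAttribute(NameOID.COMMON_NAME, user_cn),
    ])
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(ca_name)
        .public_key(user_key.public_key())
        .serial_number(secrets.randbits(63) | 1)
        .not_valid_before(now)
        .not_valid_after(now + lifetime)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )


def issue_proxy(eec, eec_key, proxy_key, now, lifetime):
    """The EEC holder signs a proxy: same identity plus one CN, a new key, a short lifetime."""
    serial = secrets.randbits(63) | 1
    subject = x509.Name(list(eec.subject) + [x509.NameAttribute(NameOID.COMMON_NAME, str(serial))])
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(eec.subject)
        .public_key(proxy_key.public_key())
        .serial_number(serial)
        .not_valid_before(now)
        .not_valid_after(now + lifetime)
        .add_extension(x509.UnrecognizedExtension(PROXY_CERT_INFO_OID, PROXY_CERT_INFO_INHERIT_ALL),
                       critical=True)
        .sign(eec_key, hashes.SHA256())
    )


def check_proxy(proxy, eec, at):
    """Return the reasons to reject `proxy` as a proxy of `eec` at time `at` (empty list = accept)."""
    problems = []
    # RFC 3820 section 3.4: issuer is the EEC subject; subject is the issuer plus exactly one CN.
    if proxy.issuer != eec.subject:
        problems.append("issuer does not match EEC subject")
    rdns = list(proxy.subject.rdns)
    if (len(rdns) < 2 or x509.Name(rdns[:-1]) != eec.subject
            or [attr.oid for attr in rdns[-1]] != [NameOID.COMMON_NAME]):
        problems.append("subject is not EEC subject plus exactly one CN")
    # RFC 3820 section 3.8: proxyCertInfo must be present and critical.
    try:
        if not proxy.extensions.get_extension_for_oid(PROXY_CERT_INFO_OID).critical:
            problems.append("proxyCertInfo extension is not critical")
    except x509.ExtensionNotFound:
        problems.append("proxyCertInfo extension is missing")
    # The proxy was signed with the EEC's private key, so it must verify under the EEC's public key.
    try:
        eec.public_key().verify(proxy.signature, proxy.tbs_certificate_bytes,
                                ec.ECDSA(proxy.signature_hash_algorithm))
    except InvalidSignature:
        problems.append("signature does not verify under the EEC key")
    # Validity: inside its own window now, and (local policy) never outliving the EEC it stands for.
    if not (not_before(proxy) <= at <= not_after(proxy)):
        problems.append("proxy is outside its validity window")
    if not_after(proxy) > not_after(eec):
        problems.append("proxy outlives its EEC")
    return problems


def demo(now=None):
    """Build CA -> EEC -> proxy for 'alice' and return the check results for three proxies."""
    now = now or datetime.now(timezone.utc).replace(microsecond=0)
    ca_key = new_key()
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example CA")])  # constructed
    alice_key, mallory_key, proxy_key = new_key(), new_key(), new_key()
    alice = issue_eec(ca_key, ca_name, alice_key, "alice", now, timedelta(days=365))
    mallory = issue_eec(ca_key, ca_name, mallory_key, "mallory", now, timedelta(days=365))
    good = issue_proxy(alice, alice_key, proxy_key, now, timedelta(hours=12))
    too_long = issue_proxy(alice, alice_key, proxy_key, now, timedelta(days=400))
    forged = issue_proxy(mallory, mallory_key, proxy_key, now, timedelta(hours=12))  # wrong EEC
    return {
        "good": check_proxy(good, alice, now),
        "too_long": check_proxy(too_long, alice, now),
        "forged": check_proxy(forged, alice, now),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {'accepted' if not problems else '; '.join(problems)}")
```

The "too_long" case is the point of the page's argument: a GetProxy endpoint only reduces exposure if the relying party also refuses proxies whose lifetime is not short, so the lifetime check belongs on the verifying side, not only in the issuer's defaults. The "forged" case shows that a proxy signed by a different EEC fails on the name rule and on the signature check even though it carries a correct proxyCertInfo extension.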
  
 
We propose adding a GetProxy Endpoint to the OIDC/OA4MP Protocol that returns Proxy Certificates instead of EECs. The main differences between the GetProxy and GetCert Endpoints are:

Revision as of 14:11, 11 January 2016