Difference between revisions of "OAuth for MyProxy GetProxy Endpoint"

From PDP/Grid Wiki
(fixed broken OIDC/OA4MP spec link)
(myproxy server (first half))
Line 123: Line 123:
 
==== Client ====
 
==== Client ====
  
The OA4MP Client has to be able to distinguish between cases of requesting an EEC through GetCert and requestion a proxy through GetProxy, since the backend [[#Server|Server]] is configured to provide one '''OR''' the other (EEC or Proxy), '''not both'''. This is done with the use of a new [http://grid.ncsa.illinois.edu/myproxy/oauth/client/manuals/parameters.xhtml#tags OA4MP Client configuration] parameter called 'requestProxies'.  
+
The OA4MP Client has to be able to distinguish between cases of requesting an EEC through GetCert and requesting a proxy through GetProxy, since the backend [[#Server|Server]] is configured to provide one '''OR''' the other (EEC or Proxy), '''not both'''. This is done with the use of a new [http://grid.ncsa.illinois.edu/myproxy/oauth/client/manuals/parameters.xhtml#tags OA4MP Client configuration] parameter called 'requestProxies'.  
  
 
{| class="wikitable" style="width: 55%;"
 
{| class="wikitable" style="width: 55%;"
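Review bot: The corrected Client paragraph still does not say what a client gets when 'requestProxies' does not match the backend; it only says the Server provides EEC or Proxy, "not both". Suggest adding one sentence here that points to the note in the Server section, so a reader who configures only the client sees that a mismatched backend returns an EEC from the GetProxy Endpoint.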
Line 148: Line 148:
 
  </client>
 
  </client>
  
By setting this configuration to '''true''' a GetProxy Endpoint aware ''OA2MPProxyService'' object will be returned to client servlets instead of a ''OA2MPService'' object. The servlet can then request a proxy by calling the ''getProxy(OA2Asset a, ATResponse2 atResponse2)'' method of the returned object. The [[#Example Request|GetProxy request]] is build internally the clients' ID, secret and the current transactions' access token. User input (voname and vomses) should be provided to this method via the ''OA2Asset'' parameter. The proxylifetime parameter is taken from the 'lifetime' client configuration.
+
By setting this configuration to '''true''' a GetProxy Endpoint aware ''OA2MPProxyService'' object will be returned to client servlets instead of a ''OA2MPService'' object. The servlet can then request a proxy by calling the ''getProxy(OA2Asset a, ATResponse2 atResponse2)'' method of the returned object. The [[#Example Request|GetProxy request]] is build internally using the clients' ID, secret and the current transactions' access token. User input (voname and vomses) should be provided to this method via the ''OA2Asset'' parameter. The proxylifetime parameter is taken from the 'lifetime' client configuration.
  
 
==== Server ====
 
==== Server ====
  
 +
The OA4MP Server has both GetCert and GetProxy Endpoints available at the same time, but the MyProxy Server in its backend can only be configured to return '''either''' EEC '''or''' Proxy Certificate. Therefore caution must be taken to only expose the GetProxy Endpoint in case the backend MyProxy is configured to issue Proxy Certificates, otherwise you will end up getting EECs from the GetProxy Endpoint instead of the desired proxy.
  
 +
'''Note:''' Do not use the GetProxy Endpoint when the backend MyProxy Server is configured as a CA issuing End Entity Certificates!
 +
 +
The implementation of the GetProxy servlet is done in ''OA2ProxyServlet''. A successful GetProxy request will execute the following flow in the servlet:
 +
 +
[[File:Getproxy_servlet_seq.svg? ]]
 +
 +
* Step 1 : As mentioned above, the key and CSR generation has been moved away from the OA4MP Client into the Server. The ''verifyAndGet'' method creates a new keypair and saves the resulting private key and CSR into the transaction. The proxylifetime, voname and vomses are also stripped off here from the request and saved in the transaction.
 +
 +
* Step 2 : The ''checkMPConnection'' method initiates a new MyProxy connection
 +
 +
* Step 3 : The ''getX509Certificates'' method inserts the proxylifetime, voname and vomses values into the MyProxy connection after which proceeds to execute a MyProxy GET command, returning the certificate chain created.
 +
 +
* Step 4 : The ''preprocess'' method is called before the resulting certificate chain is written out into the response buffer. Here, the ''MyX509Certificates'' holding only the certificate chain is swapped out to a ''MyX509Proxy'' object containing the same certificate chain, together with the private key from the transaction (saved in Step 1).
  
 
=== ncsa.security.all ===
 
=== ncsa.security.all ===
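Review bot: Step 1 and Step 4 of the new Server section have the server-generated private key saved into the transaction and later written into the response, but nothing says how long the key stays in the transaction or whether it is removed once Step 4 has returned it. Suggest adding a sentence on that, since the key generation "has been moved away from the OA4MP Client into the Server". The paragraph above the steps tells operators to "only expose the GetProxy Endpoint" when MyProxy issues Proxy Certificates, but not how to leave the endpoint unexposed; a pointer to the relevant configuration would help. Smaller points: "is build internally" should read "is built internally", "after which proceeds to execute" is missing its subject, and the link "[[File:Getproxy_servlet_seq.svg? ]]" carries a stray "? " after the file name.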

Revision as of 13:55, 12 January 2016