OAuth for MyProxy GetProxy Endpoint
OAuth for MyProxy (OA4MP) is based around the OIDC/OA4MP Protocol, which is a modified version of OpenID Connect. The modifications introduced by OA4MP include the GetCert Endpoint which is used by the OA4MP Client (ex. Science Gateway) to retrieve an End Entity Certificate (EEC) on behalf of the authenticated user. In certain scenarios the use of EECs can be replaced by Proxy Certificates. Proxy Certificates, usually having a shorter lifetime than EECs, are less likely to be used maliciously given their short validity period, while still conveying the same authentication information as an EEC would. Moreover, a Proxy Certificate can contain additional authorization information in the form of VOMS Extensions.
We propose adding a GetProxy Endpoint into the OIDC/OA4MP Protocol, which returns Proxy Certificates. The main differences between the GetProxy and GetCert Endpoint are:
- returns Proxy Certificates
- generates CSR on server side instead of client side
- accepts VONAME and VOMSES parameters