OAuth for MyProxy GetProxy Endpoint

From PDP/Grid Wiki
Revision as of 23:39, 7 January 2016 by Tamasb@nikhef.nl (talk | contribs) (protocol start)

OAuth for MyProxy (OA4MP) is based on the OIDC/OA4MP Protocol, a modified version of OpenID Connect. The modifications introduced by OA4MP include the GetCert Endpoint, which the OA4MP Client (e.g. a Science Gateway) uses to retrieve an End Entity Certificate (EEC) on behalf of the authenticated user. In certain scenarios EECs can be replaced by Proxy Certificates. A Proxy Certificate usually has a shorter lifetime than an EEC, which limits the window in which a compromised one can be misused, while it still conveys the same authentication information as an EEC would. Moreover, a Proxy Certificate can carry additional authorization information in the form of VOMS Extensions.

We propose adding a GetProxy Endpoint to the OIDC/OA4MP Protocol, which returns Proxy Certificates. The main differences between the GetProxy and the GetCert Endpoint are:

  • returns Proxy Certificates instead of EECs
  • generates the CSR on the server side instead of on the client side
  • accepts the VONAME and VOMSES parameters

Protocol Specification

Name          | Required                                                  | Description
client_id     | REQUIRED if not provided in HTTP Basic Authorization header | The client identifier issued at registration time.
client_secret | REQUIRED if not provided in HTTP Basic Authorization header | The client secret issued at registration time.
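As an added illustration (not OA4MP's own code, which is Java), the following Python models the client-authentication rule in the table above: client_id and client_secret are taken from the HTTP Basic Authorization header when present, and are required as request parameters otherwise. The client registry, the refusal of credentials sent both ways, and the helper names are assumptions made for this example.

```python
import base64
import hmac
from typing import Mapping, Optional, Tuple

# Constructed sample registry of client_id -> client_secret (not real OA4MP data).
REGISTERED_CLIENTS = {"gateway-1": "s3cret-from-registration"}


class ClientAuthError(Exception):
    """Raised when the GetProxy request cannot be attributed to a registered client."""


def basic_header(client_id: str, client_secret: str) -> dict:
    """Client side: build the HTTP Basic Authorization header carrying the credentials."""
    token = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"Authorization": "Basic " + token}


def _from_basic_header(headers: Mapping[str, str]) -> Optional[Tuple[str, str]]:
    """Return (client_id, client_secret) from a Basic header, or None if no Basic header is present."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        raise ClientAuthError("malformed Basic credentials")
    client_id, sep, secret = decoded.partition(":")
    if not sep:
        raise ClientAuthError("malformed Basic credentials")
    return client_id, secret


def authenticate_client(headers: Mapping[str, str], params: Mapping[str, str]) -> str:
    """Server side: apply the table's rule and return the authenticated client_id.
    client_id/client_secret are required as parameters only when the Basic header is absent."""
    creds = _from_basic_header(headers)
    in_params = "client_id" in params or "client_secret" in params
    if creds is not None and in_params:
        # Credentials sent both ways are ambiguous (assumption: refuse rather than pick one).
        raise ClientAuthError("client credentials supplied in both header and parameters")
    if creds is None:
        if "client_id" not in params or "client_secret" not in params:
            raise ClientAuthError("client_id and client_secret required without Basic auth")
        creds = (params["client_id"], params["client_secret"])
    client_id, secret = creds
    expected = REGISTERED_CLIENTS.get(client_id)
    # Constant-time comparison of the presented secret against the registered one.
    if expected is None or not hmac.compare_digest(secret.encode(), expected.encode()):
        raise ClientAuthError("unknown client or bad secret")
    return client_id
```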