OAuth for MyProxy Protocol Specification

Version 1.0 (March 2012)

Short URL: https://goo.gl/apSiUB

Jim Basney <jbasney@illinois.edu>
Jeff Gaynor <gaynor@illinois.edu>

Table of Contents

OAuth Endpoints
Sequence Diagram
OAuth Signature Method
Message Specification
Temporary Credential Request: Request
Temporary Credential Request: Response
Resource Owner Authorization
Callback
Token Request
Token Request: Response
Get Certificate: Request
Get Certificate: Response
Revision History

OAuth Endpoints

In the endpoint URLs below, replace myproxy.example.edu with the fully-qualified domain name of the OAuth for MyProxy server.

Description | Default Endpoint URL
Temporary Credential Request | https://myproxy.example.edu/oauth/initiate
Resource Owner Authorization | https://myproxy.example.edu/oauth/authorize
Token Request | https://myproxy.example.edu/oauth/token
Resource Request | https://myproxy.example.edu/oauth/getcert
Client Registration | https://myproxy.example.edu/oauth/register

Sequence Diagram

OAuth Signature Method

The OAuth signature method is "RSA-SHA1" per RFC 5849 Section 3.4.3.

Message Specification

All messages MUST be sent using HTTP Over TLS (HTTPS) per RFC 2818.

All OAuth protocol parameters MUST be transmitted via HTTP request URI query according to RFC 5849 Section 3.5.3 (i.e., URL encoded).

Temporary Credential Request: Request

Source: OAuth client

Target: OAuth server

Request: HTTPS GET to https://myproxy.example.edu/oauth/initiate

Note: Parameters may be in any order. Parameters not in the following table will be returned unaltered in the response. A request with duplicate parameter keys will be rejected. All parameters will be escaped as per the OAuth specification.

Parameter key | Parameter value | Comment
oauth_signature_method | RSA-SHA1 | Any other value is unsupported.
oauth_signature | computed signature | This is computed by the OAuth library.
oauth_timestamp | current time in ms | This is computed by the OAuth library.
oauth_nonce | integer value | This is computed by the OAuth library.
oauth_version | 1.0 | This indicates OAuth 1.0 (RFC 5849).
oauth_consumer_key | string | Previously registered string that identifies the OAuth client.
oauth_callback | any valid HTTPS URL | The address to which the OAuth server will redirect the user's browser if authentication and authorization succeed. It MUST be HTTPS, not HTTP.
certlifetime | integer value | Optional. The requested lifetime (in seconds) of the certificate to be issued in the final "getcert" call.
certreq | Base64 encoding of a DER-format PKCS#10 certificate request | The certificate request generated by the OAuth client for signing by the OAuth server. It MUST contain a 2048-bit RSA key. The signed certificate is returned in the final "getcert" call.

Example: 

https://myproxy.example.edu/oauth/initiate?oauth_consumer_key=dpf43f3p2l4k3l03&oauth_signature=74KNZJeDHnMBp0EMJ9ZHt%2FXKycU%3D&oauth_signature_method=RSA-SHA1&oauth_callback=https://portal.example.edu/oauth/ready&oauth_timestamp=1273168086&oauth_nonce=8728518267508&oauth_version=1.0&certlifetime=950400&certreq=MIICVDCCATwCAQAwETEPMA0GA1UEAxMGaWdub3JlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB%0ACgKCAQEAhUKrBs9%2B1GLUmfWjluNZVjud7%2Fnin0sdmOYQHB2a2pBqdSQ3hG2wG0x9%2FNsst9AGiQ%2Fh%0AQ1LoR4uOARyBd8d5cJ7UOwN%2BtktkMovLgM4GcnCkVPsUEcA7ZrbbCLWzfTgU25PuCdrlFF8xaahX%0AvR%2Bivcs%2FKKjAV4UCTNI9ft%2Bwxg%2FE5JbQGpQZrIi8o%2B79MwzgdxvJfFVg0ZBDzNEB%2F7n10TYSW0Ez%0AxmJABK6EouuaVmZCmLxoVfpwrn1%2BgfJPAPCWb27CXMCKt5zHmBKG7LbKD3hJhyZ25MzZEu4R67eT%0AAEVuy5MaydhcW8rP%2FszGwZ5r%2B%2BtCFSCmNet9bwmaZkdlsQIDAQABMA0GCSqGSIb3DQEBBQUAA4IB%0AAQBTu7r3D%2BUMHnb6JPyTdADmep%2BxBFI21wS6Z5rckvCAzAZSlcRxfGGZhrdgoOgfbE80FP1lhn1%2B%0Agvm13ku%2B4kCc1I8r7FwIOs7vCd2g%2B6gus%2BvgBM0hCxfuyNvRzbLtMbudj%2BPOReQMf0Y6%2Bng89DmW%0AXtm2J6ZmpaQx3fNmJ8KFtuZdzdIjQhMg6772fKTDNOvThhtrXnch%2FWt%2BTg4jES0vWzFLL4OgFbdl%0ADQX1HZXIoCjk%2BnVwTsPwm8E55p3qHKQ6fIMn0%2BCPBjz%2F6PiqxpquR9kOkqLNAXnbCOb5XwMTM26P%0AC5WtKkEnFKAdCIDAS0Uv34fwZ%2BO7fHy2eestubpf
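The spec leaves the signature base string to "the oauth library" and states the server's acceptance rules (RSA-SHA1 only, HTTPS callback, no duplicate keys, DER PKCS#10 certreq) in prose. The following added example, which is not code from the OAuth for MyProxy project, builds the RFC 5849 base string for any of the signed requests in this document and runs the server-side pre-signature checks on a Temporary Credential Request; the 300-second timestamp window and the per-consumer nonce set are assumptions, as the spec does not fix either.

```python
import base64
import time
from urllib.parse import parse_qsl, quote, urlsplit

REQUIRED = {"oauth_consumer_key", "oauth_signature", "oauth_signature_method",
            "oauth_timestamp", "oauth_nonce", "oauth_version", "oauth_callback", "certreq"}
TIMESTAMP_WINDOW = 300  # assumed replay window in seconds; the spec does not fix one

def pct(s):
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters are kept."""
    return quote(s, safe="-._~")

def signature_base_string(method, url):
    """RFC 5849 section 3.4.1 string the client RSA-SHA1-signs; all parameters are in the query."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.port and (parts.scheme, parts.port) not in (("https", 443), ("http", 80)):
        host += f":{parts.port}"
    base_url = f"{parts.scheme.lower()}://{host}{parts.path or '/'}"
    pairs = sorted((pct(k), pct(v)) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                   if k != "oauth_signature")
    return "&".join([method.upper(), pct(base_url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def validate_initiate(url, seen_nonces, now=None):
    """Server-side checks on the Temporary Credential Request, run before the RSA-SHA1
    signature itself is verified. Returns the rejection reasons (empty list = accept)."""
    raw = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    keys, p, errors = [k for k, _ in raw], dict(raw), []
    if len(set(keys)) != len(keys):
        errors.append("duplicate parameter keys")
    if REQUIRED - set(keys):
        errors.append(f"missing parameters: {sorted(REQUIRED - set(keys))}")
    if p.get("oauth_signature_method") != "RSA-SHA1":
        errors.append("unsupported oauth_signature_method")
    if not p.get("oauth_callback", "").lower().startswith("https://"):
        errors.append("oauth_callback must be an HTTPS URL")
    try:  # DER PKCS#10 begins with SEQUENCE (0x30); the CA's CSR parser enforces the 2048-bit key
        der = base64.b64decode("".join(p.get("certreq", "").split()), validate=True)
        if not der.startswith(b"\x30"):
            errors.append("certreq is not a DER PKCS#10 request")
    except ValueError:
        errors.append("certreq is not valid Base64")
    ts = p.get("oauth_timestamp", "")  # seconds since the epoch, as in the spec's examples
    if not ts.isdigit() or abs((time.time() if now is None else now) - int(ts)) > TIMESTAMP_WINDOW:
        errors.append("oauth_timestamp outside the acceptable window")
    if (nonce := (p.get("oauth_consumer_key"), p.get("oauth_nonce"))) in seen_nonces:
        errors.append("replayed oauth_nonce")
    seen_nonces.add(nonce)
    return errors
```

Run against the example initiate URL above with now=1273168086 the checks pass; a second call with the same nonce set reports the replay, and an http:// callback or a repeated key is rejected before any signature work is done.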

Temporary Credential Request: Response

Description: This is a standard HTTP response with code 200. Any other return code is to be treated as an error by the portal. The body of the response consists of a parameter list encoded as type application/x-www-form-urlencoded.

Source: OAuth server

Target: OAuth client

Body of response: oauth_token=value&oauth_callback_confirmed=true

Parameter key | Parameter value | Comment
oauth_token | string | The OAuth temporary credentials identifier.
oauth_callback_confirmed | true | Required for OAuth compliance.

Example: 

HTTP/1.1 200 OK
Content-Type: application/x-www-form-urlencoded

oauth_token=hh5s93j4hdidpola&oauth_callback_confirmed=true

Note: The OAuth client must store the oauth_token for use in later messages. Because we are using the RSA-SHA1 method, no oauth_token_secret (shared secret) parameter is needed.

Resource Owner Authorization

Description: This is a standard HTTP redirect response from the OAuth client that sends the user's browser to the OAuth server for authorization.

Source: OAuth client

Target: OAuth server

Access: HTTPS GET to https://myproxy.example.edu/oauth/authorize

Parameter key | Parameter value | Comment
oauth_token | string | The OAuth temporary credentials identifier.

Example: An example redirect URL is https://myproxy.example.edu/oauth/authorize?oauth_token=hh5s93j4hdidpola

Callback

Description: The OAuth server redirects the user's browser to the client's callback URL that was specified in the temporary credential request.

Source: OAuth server

Target: OAuth client

Request: HTTPS GET to specified callback URL

Parameter key | Parameter value | Comment
oauth_token | string | The OAuth temporary credentials identifier.
oauth_verifier | string | A new verification code generated by the OAuth server.

Example:

https://portal.example.edu/oauth/ready?oauth_token=hdk48Djdsa&oauth_verifier=hfdp7dh39dks9884

Token Request

Description: The OAuth client must exchange the now valid temporary credential for an access token.

Source: OAuth client

Target: OAuth server

Access: HTTPS GET to https://myproxy.example.edu/oauth/token

Parameter key | Parameter value | Comment
oauth_consumer_key | string | Previously registered string that identifies the OAuth client.
oauth_token | string | The OAuth temporary credentials identifier.
oauth_verifier | string | The verification code obtained from the callback.
oauth_signature_method | RSA-SHA1 | Any other value is unsupported.
oauth_signature | computed signature | This is computed by the OAuth library.
oauth_timestamp | current time in ms | This is computed by the OAuth library.
oauth_nonce | integer value | This is computed by the OAuth library.
oauth_version | string | This is currently equal to "1.0" to indicate OAuth 1.0.

Example: 

https://myproxy.example.edu/oauth/token?oauth_consumer_key=dpf43f3p2l4k3l03&oauth_token=hdk48Djdsa&oauth_verifier=hfdp7dh39dks9884&oauth_signature=74KNZJeDHnMBp0EMJ9ZHt%2FXKycU%3D&oauth_signature_method=RSA-SHA1&oauth_timestamp=1273168086&oauth_nonce=8728518267508&oauth_version=1.0

Token Request: Response

Description: This is a standard HTTP response with code 200. Any other return code is to be treated as an error by the portal. The body of the response consists of a parameter list encoded as type application/x-www-form-urlencoded.

Source: OAuth server

Target: OAuth client

Body of response: oauth_token=value

Parameter key | Parameter value | Comment
oauth_token | string | The OAuth access token identifier.

Example: 

HTTP/1.1 200 OK
Content-Type: application/x-www-form-urlencoded

oauth_token=hh5s93j4hdidpola

Note: The OAuth client must store the oauth_token for use in later messages. Because we are using the RSA-SHA1 method, no oauth_token_secret (shared secret) parameter is needed.

Get Certificate: Request

Description: The OAuth client obtains the signed certificate.

Source: OAuth client

Target: OAuth server

Access: HTTPS GET to https://myproxy.example.edu/oauth/getcert

Parameter key | Parameter value | Comment
oauth_token | string | The OAuth access token identifier obtained in the Token Request.
oauth_consumer_key | string | Previously registered string that identifies the OAuth client.
oauth_signature_method | RSA-SHA1 | Any other value is unsupported.
oauth_signature | computed signature | This is computed by the OAuth library.
oauth_timestamp | current time in ms | This is computed by the OAuth library.
oauth_nonce | integer value | This is computed by the OAuth library.
oauth_version | string | This is currently equal to "1.0" to indicate OAuth 1.0.

Example: 

https://myproxy.example.edu/oauth/getcert?oauth_consumer_key=dpf43f3p2l4k3l03&oauth_token=hh5s93j4hdidpola&oauth_signature=74KNZJeDHnMBp0EMJ9ZHt%2FXKycU%3D&oauth_signature_method=RSA-SHA1&oauth_timestamp=1273168086&oauth_nonce=8728518267508&oauth_version=1.0

Get Certificate: Response

Description: A standard HTTP response. Any return code other than 200 indicates an error. The body of the response, sent with Content-Type: text/plain, contains the MyProxy username followed by the PEM-encoded certificate.

Source: OAuth server

Target: OAuth client

Example:

HTTP/1.1 200 OK
Content-Type: text/plain

username=example
-----BEGIN CERTIFICATE-----
MIIEIzCCAwugAwIBAgIDEbWMMA0GCSqGSIb3DQEBBQUAMHsxCzAJBgNVBAYTAlVT
MTgwNgYDVQQKEy9OYXRpb25hbCBDZW50ZXIgZm9yIFN1cGVyY29tcHV0aW5nIEFw
cGxpY2F0aW9uczEgMB4GA1UECxMXQ2VydGlmaWNhdGUgQXV0aG9yaXRpZXMxEDAO
BgNVBAMTB015UHJveHkwHhcNMTEwMzIxMTk0OTQ0WhcNMTEwMzIyMDc1NDQ0WjBc
MQswCQYDVQQGEwJVUzE4MDYGA1UEChMvTmF0aW9uYWwgQ2VudGVyIGZvciBTdXBl
cmNvbXB1dGluZyBBcHBsaWNhdGlvbnMxEzARBgNVBAMTCkppbSBCYXNuZXkwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDMt7GjID/B68q5B7AUeJmnGWX9
0hE3yQu/OSKZpQopy39jjqoMZwBPTtt16eirdaHyYnvjj4ruvUcTd2y/TQrhdtfe
i1JvmyKliX7GiFP+m0q7ypDcBeetPbtneiNL3Hxjn4kZkX8bmILh5VKLdgt1vUhw
tGcVcAw6NccWYNwFIL3ge63804hMPOxggqVCskKbcOL4e5AZ4UPldCundGM3Z3yf
SktY/uDi2aIE/QWYb8AONvOVaott8wJLss4jXkJIxHSweNA6Q7AHeTY91p8V9t9b
cY7saCmWKqqKCP1XhsPhm5OgS2LwOhivuiDOZ+sikZqiBgnFmPV+lwJL5JdTAgMB
AAGjgc4wgcswDgYDVR0PAQH/BAQDAgSwMB0GA1UdDgQWBBSBONecg7MUYYDe5IA9
VE0NWCtm3DAfBgNVHSMEGDAWgBTX/KUCdjr2E/oroeDmUDXHI8d7UTAMBgNVHRMB
Af8EAjAAMDQGA1UdIAQtMCswDAYKKwYBBAGkPmQCBTAMBgoqhkiG90wFAgIDMA0G
CyqGSIb3TAUCAwIBMDUGA1UdHwQuMCwwKqAooCaGJGh0dHA6Ly9jYS5uY3NhLnVp
dWMuZWR1L2YyZTg5ZmUzLmNybDANBgkqhkiG9w0BAQUFAAOCAQEAxwH09arINkBc
maUj2O5uEtFAkUt9XC5OmSZ4qoitgeeVbELFuZzAZn3NOKoNHVNV+Eq7FD8inIXN
AilKun8rofpORiEGr1RVgGx7fRnlvozSy4etQUkK/9O+U+whhXcD+oQGte5ryHJN
NwDst6viBM19Fn8cqvt3+b+Cv3+VoKdPdnGlSI1fZ3gIEcDkzqharvJ5jRoqClzY
f7fLhaIFSPnJy5cRX0JfF6xB/wfvbKTOGqDIrRJYrNN4a/Ee+q0IFXz/L/fuZBjW
uWsRtpHV3CmxmTomORFxSQOj94HJDfTxbrEE/ol2irudZRLey/tmwlcZ6OV1Hkrc
O7PXvyR2Og==
-----END CERTIFICATE-----

Revision History