Timestamp:
31/08/12 16:57:23 (8 years ago)
Author:
pjkersha
Message:

Improved explanation for bearer token example and added code to the e.g. app to allow retrieval of resource.

Location:
trunk/ndg_oauth/ndg_oauth_server/ndg/oauth/server/examples/bearer_tok
Files:
2 edited

  • trunk/ndg_oauth/ndg_oauth_server/ndg/oauth/server/examples/bearer_tok/README

    r8123 r8143  
    11Example OAuth 2.0 bearer token authorisation and resource server app 
     2==================================================================== 
     3This example uses simple string based bearer tokens.  It protects a short-lived 
     4credential service (SLCS) which issues X.509 certificates to delegated clients. 
     5The service requires the Grid software package MyProxyCA from the Globus  
     6toolkit.  This service fronts MyProxyCA and uses it for certificate issuing. 
     7The example can be run without it to show the step to obtain an access token. 
     8However, it is needed for showing access to a resource (aka requesting a  
     9certificate). 
     10 
     11Two components are provided then: 
     12 * a generic OAuth Authorisation Server which authenticates users by  
     13   username/password on a web form 
     14 * a resource server.  This is a specialised one which enables delegated  
     15   clients to obtain short-lived X.509 certificate credentials.  It does this 
     16   by using MyProxyCA as a backend certificate issuing service.  A MyProxyCA 
     17   instance is required to demonstrate this but not to demonstrate the  
     18   authorisation service. 
     19    
     20To Run 
     21====== 
    222 
    323$ python bearer_tok_server_app_serve.py 
    424 
    525Run equivalent client app under ndg.oauth.client.examples.bearer_tok in order to 
    6 test.  Open a browser at http://localhost:5002/token to test.  Clear out cookies 
    7 to reset between test runs. 
     26test.  Open a browser: 
     27 * http://localhost:5002/token to show the step for getting an access token.   
     28 * http://localhost:5002/resource to show requesting a resource (a certificate). 
     29  
     30The log in  
     31credentials for the authorisation server are username: rwilkinson_local,  
     32password: changeme.  Clear out cookies to reset between test runs. 
     33 
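Review bot: the README now publishes a working login for the authorisation server ("username: rwilkinson_local, password: changeme") without saying it is a fixed test account for the bundled example only; add a sentence next to it stating that these are example credentials and must be changed before the app is served on anything other than localhost. The same passage is also wrapped awkwardly ("The log in" stands alone on its own line followed by "credentials for the authorisation server are ..."); reflow it into one sentence. Finally, since the hunk says the /resource step needs a MyProxyCA instance while /token does not, it would help to state what the reader should expect to see at /resource when MyProxyCA is absent (an error page, a timeout) so they can tell a setup problem from a bug.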
  • trunk/ndg_oauth/ndg_oauth_server/ndg/oauth/server/examples/bearer_tok/bearer_tok_server_app.ini

    r8119 r8143  
    11# 
    2 # NDG OAuth Server - Pylons development environment configuration 
     2# NDG OAuth Server - consisting of  
     3# * a generic OAuth Authorisation Server which authenticates users by  
     4#   username/password on a web form 
     5# * a resource server.  This is a specialised one which enables delegated  
     6#   clients to obtain short-lived X.509 certificate credentials.  It does this 
     7#   by using MyProxyCA as a backend certificate issuing service.  A MyProxyCA 
     8#   instance is required to demonstrate this but not to demonstrate the  
     9#   authorisation service. 
    310# 
    411# The %(here)s variable will be replaced with the parent directory of this file 
     
    2431           repoze_who 
    2532           AuthnForm 
     33           MyProxyClient 
    2634           OAuth2Authz 
    2735           OAuth2ServerFilterApp 
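Review bot: MyProxyClient is inserted into the filter chain ahead of OAuth2Authz, so a MyProxy client object is set up for every request, including the /token flow that the README says works without a MyProxyCA instance; please document (here or in the README) whether MyProxyClientMiddleware tolerates an unreachable MyProxy server at startup and at request time, or the "run without it" claim will not hold. A one-line comment beside the pipeline entry explaining why it must sit before OAuth2Authz (the client has to be in environ by the time the resource server runs) would also save the next reader a lookup.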
     
    8694oauth2authorization.layout.helpIcon = /layout/icons/help.png 
    8795 
     96# Add a MyProxy Client into WSGI environ so that OAuth resource server can 
     97# request certificates 
     98[filter:MyProxyClient] 
     99paste.filter_app_factory = myproxy.server.wsgi.middleware:MyProxyClientMiddleware.filter_app_factory 
     100# Default environ key for MyProxy client 
     101# myproxy.client.clientEnvKeyName=myproxy.server.wsgi.middleware.MyProxyClientMiddleware.myProxyClient 
     102 
     103# MyProxy server which this MyProxy WSGI app is a client to.  Set here to the 
     104# fully qualified domain name or else set the MYPROXY_SERVER environment 
     105# variable.  See the documentation for the MyProxyClient egg for details 
     106myproxy.client.hostname = pampero.badc.rl.ac.uk 
     107#myproxy.client.port = 7512 
     108 
     109# CA Certificate directory to enable this application to trust the MyProxy 
     110# server that it fronts e.g. set to /etc/grid-security/certificates.  For these 
     111# tests set to local ca directory 
     112MyProxy.client.caCertDir = %(here)s/pki/ca 
     113 
    88114[app:OAuth2Server] 
    89115paste.app_factory = ndg.oauth.server.wsgi.oauth2_server:Oauth2ServerMiddleware.app_factory 
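Review bot: `MyProxy.client.caCertDir = %(here)s/pki/ca` uses a capitalised "MyProxy." prefix whereas every other setting in this section uses lower-case `myproxy.client.`; if the middleware looks up options by exact prefix this key will be silently ignored and the application will not have the intended trust anchor for the MyProxy server it fronts, so change it to `myproxy.client.caCertDir` and check the middleware's option parsing is prefix-consistent. Separately, `myproxy.client.hostname = pampero.badc.rl.ac.uk` hard-codes a site-specific host in an example that is meant to be portable; the comment above it already mentions MYPROXY_SERVER, so consider leaving the hostname unset here and relying on the environment variable, or pointing it at an obviously placeholder value.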
     
    107133#oauth2server.user_identifier_key=REMOTE_USER 
    108134 
     135# This is specific to the special configuration of a resource server protecting 
     136# a MyProxyCA short-lived credential service (SLCS).  The resource server will  
     137# accept a bearer token and SLCS specific input: a certificate signing request   
     138# (CSR).  Provided that the token is accepted, the CSR is passed on to the  
     139# underlying MyProxy server along with the special password below.  On success, 
     140# the MyProxyCA server returns a signed certificate.  A MyProxyCA instance 
     141# is required to support this resource request.  The OAuth app can be extended 
     142# as needed to support access to other more generic resource types.  This is  
     143# just an example 
     144oauth2server.myproxy_global_password=testpassword 
     145 
    109146# Configuration of access token cache 
    110147oauth2server.cache.accesstokenregister.expire=86400 
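Review bot: `oauth2server.myproxy_global_password=testpassword` commits a plaintext credential that, per the comment above it, the resource server forwards to the MyProxy server for every accepted bearer token, so it is effectively the CA-facing secret for the whole service; it should not live in a checked-in config. Suggest reading it from an environment variable or a file outside version control (mirroring the MYPROXY_SERVER approach used for the hostname) and stating in the README that the example value must be replaced. The surrounding comment is also long enough that its key point, that this password is what actually authorises certificate issuance, gets lost; a short first line such as "# Credential presented to MyProxyCA on behalf of any client holding a valid bearer token" would make that clearer.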