OAuth2lib's Use Case


In RedIRIS, we've deployed the OAuth2lib as sirope, the SIR OAuth2 Environment.

So far, Sirope provide the SIR users a way to know all the services that they are able to access, depending on the organization or entity that they belong to.

Use Case description

The architecture of this example is simmilar to the basic architecture of OAuth2, where there are the next elements:

  • OAuth Client: It's located in https://www.rediris.es/sir/sirope/client/. It manages the request of the assertion with the RedIRIS Identity Service, the request of the token to the Authorization Server and the request of the resource to the resource Server.
  • OAuth Authorization Server: It's located in https://www.rediris.es/sir/sirope/as/. It manages the token request of the Client Application, checking if the assertion provided by the RedIRIS Identity Service is a valid one.
  • OAuth resource Server: It's located in https://www.rediris.es/sir/sirope/server/. It manages the resource request of the Client Application, checking if the token provided by the Client is a valid one.

The steps taken in order to obtain the protected resource are:

  1. The user goes to the Client Application.
  2. In the Client, the user authenticates in the RedIRIS Identity Service.
  3. The Client sends the assertion obtained to the Authorization Server. There, a token for this user, Client, the scope (the SP's available) and lifetime (by default 3600 seconds) is generated.
  4. The Authorization Server sends the generated token to the Client Application.
  5. The Client acts on behalf of the user and requests the resource to the Server.
  6. The Server returns the resource if the token sent is a valid token.
  7. The client formats the resource (that is an XML) and shows it to the user.

Request OAuth tokens to the SIR OAuth2 Authorization Server

In order to request an OAuth token with the OAuth2lib Client, you just have to configurate the Client with the following Authorization Server URL: https://www.rediris.es/sir/sirope/as/tokenEndpoint.php.

If you want to make a request to the Authorization Server, but you doesn't want to use our code, you just have to make a HTTP POST request with the following elements:

  • grant_type: The access grant type included in the request. The value must be "assertion".
  • scope: The scope of the access request.
  • assertion_type: The format of the assertion. The types supported by this library are PAPI assertion and SAML2 assertion.
  • assertion: The assertion.
  • client_id: The client identifier.

The Auth Server returns an error with JSON structure with the elements "error" and "error_descripton".

Before starting to work with the SIR OAuth2 Servers it is necessary:

  • To register the OAuth2 Client application, sending us an email to the oauth2lib mailing list
  • To send an Assertion in the request that contains an user identificator that could be any of this attributes:
    • For PAPI assertions, the identifier could be an 'uid', an 'sPUC' (schacPersonalUniqueCode) or the combination of the 'ePTI' (eduPersonTargetedID) and the 'sHO' (schacHomeOrganization)
    • For SAML2 assertions, the identifier must be the 'urn:mace:dir:attribute-def:eduPersonTargetedID'

Request Resources to the SIR OAuth2 Resource Server

Under construction.