Registering a client with an OAuth 2 server
Before you can delegate certificates using the OA4MP service,
you must register your OA4MP client. In the course of this you will receive
two things:
- a client identifier
- a client secret
The client identifier is a unique string that identifies your client to the
server. Put it into your configuration file. Rather than exchanging public keys or
using some other method of proving that your client is authentic, the server generates
a client secret at registration time. This is the only time it is ever shown: the server
stores only a hash of the secret rather than the value itself, so you hold the only copy.
If you lose it, you must register your client again.
Filling out the registration form
The default registration form looks like this:
The various fields are as follows:
- Client Name: A human readable name for the science gateway (OA4MP client) that
you are registering. This will be displayed to users and should identify your site.
- Contact email: An email address where a human being can be reached for support.
- Home url: The main address for your site. This will be displayed to users as part of the
authentication process. It is not required to be secure (https).
- Callback URLs
A list of callback URLs, one per line, must be registered
with the server. Every client request must send one of these, and if the callback URL sent
does not exactly match one of the registered ones, the
client request will be rejected. At this point no wildcards are accepted, so every
callback URL your client will actually send must be listed.
As per the specification, all of these must be secure (https) or the request will be rejected.
- Scopes: The scopes that this client would like. Since this is for OIDC, you should always
keep the openid scope checked (if you do not, it will be added anyway). This list is generated from the
server (the screen shot is merely an example), and while you may request any of the scopes, they
are subject to approval. Be advised that if the client
later requests an unapproved scope, this will result in an error.
- Refresh token lifetime (in seconds): This field is present only if the server actually
supports refresh tokens. If it is available and you leave it blank, no refresh tokens will be issued for your client.
- Issuer: The specific issuer for this client. Note that this is not trivial to specify
and you should probably read the corresponding server documents on issuers
if you need to.
- Limited proxy support: This is mostly needed by servers that are affiliated with Globus. If
this option is present, make sure you understand what it does before checking it.
Fill in the appropriate values. Note that the contact email should be for an actual person, not a generic
organizational address, since an email will be sent to it once the client has been approved. When you click
submit you should get a page like this
The only caution about the secret is to be sure that when you copy and paste it into the configuration file
you do not introduce spaces or line breaks. The secret should be a single line. The server administrator
will be notified that your client has requested approval, and once this has been reviewed an email will be sent
to the contact email you gave above.
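The two checks that most often trip up a new registration are the callback URL rule (exact match, https only, no wildcards) and a secret that picked up a stray space or newline on the way into the configuration file. The following is an added example, not code from OA4MP itself, that reproduces those rules on the client side so you can test your configuration before the first real request. The callback URLs and the secret are constructed sample values, and the hash function used to illustrate why the server cannot recover a lost secret is an assumption (the page does not say which hash the server uses).

```python
"""Pre-flight checks for an OA4MP client configuration (added example, not OA4MP code)."""
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed sample values for illustration only; not a real registration.
REGISTERED_CALLBACKS = [
    "https://gateway.example.org/oa4mp/ready",
    "https://gateway.example.org/oa4mp/ready2",
]


def callback_allowed(requested, registered=REGISTERED_CALLBACKS):
    """Mimic the server's rule for the callback sent in a request.

    The URL must be https and must match a registered URL character for
    character. There is no wildcard, prefix, or host normalization, so
    "https://gateway.example.org/oa4mp/ready/" (trailing slash) does not
    match "https://gateway.example.org/oa4mp/ready".
    """
    if urlsplit(requested).scheme != "https":
        return False
    return requested in registered


def secret_is_single_line(secret):
    """Check that a pasted secret is one line with no whitespace at all.

    A newline or space copied along with the secret is the usual cause of
    the server rejecting the client, because the hash of the pasted value
    no longer matches the hash the server stored.
    """
    if not secret:
        return False
    return not any(ch.isspace() for ch in secret)


def hash_secret(secret):
    """What the server keeps: a hash of the secret, never the secret itself.

    Assumption: the page does not state the server's hash; SHA-256 is used
    here only to show the one-way property.
    """
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def server_accepts(presented, stored_hash):
    """Verify a presented secret against the stored hash in constant time."""
    return hmac.compare_digest(hash_secret(presented), stored_hash)


def check_config(client_secret, callback_url):
    """Run both pre-flight checks and return a list of problems (empty if OK)."""
    problems = []
    if not secret_is_single_line(client_secret):
        problems.append("client secret contains whitespace or is empty")
    if not callback_allowed(callback_url):
        problems.append("callback URL is not https or not an exact registered match")
    return problems


if __name__ == "__main__":
    sample_secret = "constructed-sample-secret-value"          # constructed
    pasted_with_newline = sample_secret + "\n"                  # common paste error
    stored = hash_secret(sample_secret)                         # what the server keeps
    print("clean secret accepted:", server_accepts(sample_secret, stored))
    print("pasted secret accepted:", server_accepts(pasted_with_newline, stored))
    print("problems:", check_config(pasted_with_newline,
                                    "http://gateway.example.org/oa4mp/ready"))
```

Run the module directly to see the two failure modes side by side; the function return values are what matter, so the same checks can be dropped into a deployment script that refuses to start the client when `check_config` returns anything.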