OA4MP

• FAQ
• Server
• Client
• Supported specification
• Source
• api docs

Project Documentation

• Project Information
• Project Reports

FAQ

1. What is OA4MP?
2. Where did OA4MP come from?
3. What libraries does it use?
4. My client is using library X in language Y. Will it work with OA4MP?
5. Are JWTs (Java Web Tokens) supported?
6. Ther are tons of OAuth and OIDC servers. What does OA4MP offer?
7. What sorts of policies might an OA4MP server implements
8. Does OA4MP support the offline_access scope?

What is OA4MP?

OA4MP stands for "Open Authorization for Many People" (formerly "Open Authorization for MyProxy") and is an implementation of the OAuth 2 specification

[top]

---

Where did OA4MP come from?

The original version was written as part of CILogon, the NCSA's venerable platform for integrated identity and access management in the Sciences. When it started (ca. 2010), there were no tokens, simply X.509 certificates. A very evil but common practice was that researchers would have to give their credentials (username and password) to institutions to run scientific computing jobs on their behalf. This cannot be condemned highly enough from a security perspective. CILogon offered (and still does) an excellent solution. OA4MP is the Open Authorization machinery for CIlogon. As time passed, it became clear that tokens should replace X.509 certificates for various reasons and OA4MP did as well. The major users of certificates have migrated to tokens and OA4MP has, as ever, been on the cutting edge for adding support.

[top]

---

What libraries does it use?

OA4MP predates the OAuth 2 specification and was initially a native OAuth 1.0a implementation. As such, it came into existence independently of any other implementations. It requires no other implementations. Moreover, it is quite mature and has been in production since roughly 2011 and supports most standard major protocols.

[top]

---

My client is using library X in language Y. Will it work with OA4MP?

Very probably yes. At current writing, in one project alone (CILogon) we have over 1900 registered clients of various implementations (Python, Go, PHP, C++, JavaScript, Ruby, ...) If your client complies with standards (even some rather odd ones) it's a good bet it works with OA4MP just fine.

[top]

---

Are JWTs (Java Web Tokens) supported?

Yes. Which means JWTs and their best practices. Not what you meant? A very common misconception is that JWTs (which is a format for tokens) are the same thing as access or identity tokens. OA4MP will happily issue tokens in various format with various specifications, such as SciTokens, WLCG tokens and basic.

[top]

---

Ther are tons of OAuth and OIDC servers. What does OA4MP offer?

OA4MP offers a very long and distinguished service life -- it is very well tested and has performed well for over a decade. It also supports a huge number of specifications, so there are rarely issues with any clients. Finally, it provides a very elegant way to extend the service with an external scripting language, QDL

It is deployed as the backbone for CILogon where it has as of this writing (5/24/2023), over 1900 registered clients from various platforms and nearly 248k registered logons.

A typical real world use is a large national scientific lab that has dozens of specialized clients for various research projects, each of which has several users. (See the policy example below). There are token issuance policies for the institution as well as very specific requirement for interoperations. These policies are implemented in QDL which runs on OA4MP.

[top]

---

What sorts of policies might an OA4MP server implements

This is taken from one of our customers. A user may authenticate with any of a certain number of IDPs (Identity Providers). For some of these that are affiliates, user information is searched in an external source (a private LDAP) and the user is verified in that way. This is the institutional policy for access by non-members. This permits institutions to collaborate on projects without, say, having to issue temporary logins for external members.

Now we move on to policies for a client. (So a client in practice might be for a specific research grant and allow access to the resources for that.) Policies about what set of scopes with specific requests for access tokens and identity information are honored. (Again, if users are at different institutions, there may be different policies on what personal information may be disclosed.) These typically require look ups in a database or LDAP. Policies can be applied based on other group memberships of the user. (E.g. a user that requests read access to a MySQL database must be in the mysql-access group). It is possible to have extremely complex, tailored policies that allow rigorous and exacting enforcement for each client. This forces sane and coherent policies across multiple institutions.

[top]

---

Does OA4MP support the offline_access scope?

Jein (= yes and no, as the Germans say). offline_access is used to request a refresh token. OA4MP does indeed support refresh tokens, however, this is set as a policy for the client, so that takes precedence. If you supply the offline_access scope it is effectively ignored in favor of the configuration. You cannot, say, force a client to issue refresh tokens when its policy prevents that. In practice, if your client uses offline_access, just let it do what it normally does and OA4MP will do the right thing. If you think you should be getting a refresh token and aren't, that implies your client needs to update its configuration.

[top]