Welcome to OAuth for MyProxy! This is a delegation service for MyProxy. It allows clients to request certificates and users to securely authorize them using the OAuth delegation protocol. Current release is 3.0.


  • Tomcat 9 or above. This will not work with Tomcat 8 or lower because of internal changes to Java.
  • SSL should be configured and enabled. Either in Apache (if you are deploying Tomcat as pass through) or in Tomcat directly. Note that if you do enable SSL in tomcat, you must un-comment the security constraint block in the web.xml deployment descriptor after you deploy the war.
  • Java 1.11. Higher versions of Java (like Java 17) won't work.
  • Some form of persistent storage. This may be a file system, MySQL or PostgreSQL.
  • Java mail. This must be configured regardless if notifications are set. Read here for details.
  • Maven 3.0 or above (if building from the source)
  • Possibly either the latest MySQL connector. Maria DB client or PostgreSQL jar. If you are using one of these systems for storage, install them by dropping them in $CATALINA_HOME/lib. OA4MP used to bundle these in the wars, but since their licences conflicted with those of some of our users, we decided to simply let you supply them. If you are just using file-based storage, then you don't need either of these.
  • Possibly JGlobus. If your server needs to issue limited proxies drop the most recent version of JGlobus jsse (at least 2.0.6) into $CATALINA_HOME/lib as well as, apparently JGlobus-Core (latest release seems to be 2.0.4) and the Bouncy Castle version that support these. Otherwise, you may omit this. Again, be sure you check for the version of Bouncy Castle that your version of JGlobus uses and use that as well. JGlobus-Core 2.0.4 includes Bouncy Castle classes.
  • (Optional) Apache 2, configured to work with Tomcat.

Getting and deploying from the war.

You may most easily a bare-bones version for testing by downloading the current reference war:


(PGP signature)

Download this, read to configure the deployment, and deploy it to Tomcat. The war, as delivered, cannot be run.You must do some minimal configuration at least before deploying it.

Getting and building the source

If you need/want to customize the basic package, you would download it from Git Hub at the current release (4.3). This has the correct dependencies in it. Build it by issuing
mvn clean install
and you should end up with a deployable war.

Writing your own webapp.

If you decide to write your own webapp, you should use the following module:


which will get the OAuth libraries and give you access to the configuration loader.

Deploying to Apache

If you need to deploy this to Apache, you need to add the following to the proxy_ajp.conf file (which, e.g., lives under /etc/httpd/conf.d in most unix distributions):

ProxyPass /oauth/initiate ajp://localhost:8009/oauth/initiate
ProxyPass /oauth/authorize ajp://localhost:8009/oauth/authorize
ProxyPass /oauth/token ajp://localhost:8009/oauth/token
ProxyPass /oauth/getcert ajp://localhost:8009/oauth/getcert
ProxyPass /oauth/register ajp://localhost:8009/oauth/register

These entries allow access to all parts of the process. Note: in the WEB-INF/web.xml file there is a section called security-constraint, which controls access to the webapp using Tomcat's SSL. This will conflict with access via Apache, so comment that section out if you are deploying to Apache. It is only needed in stand-alone Tomcat deployments.

Setting up persistent storage

File-based storage

You may store all information for the service in your local file system. It is important that you restrict access to it and back it up. Specifying the storage location in your configuration file is sufficient, since the system will detect if it exists and create anything it needs.


In order to use MySQL for persistent storage, you must run the supplied script, mysql.sql to create all of the tables and users before your first use.

mysql -u username -p < /path/to/file/mysql.sql

(the username is an account (root, e.g.) which has sufficient privileges to create other users) which will prompt you for your password and run the file. If you do not accept the default account names, you must edit this file and replace all occurrences of them manually, as well as setting the passwords. This has to be done because of MySQL's very lousy support for variables. (Should you have to re-run the script, you should manually remove the users and database beforehand. These commands are commented out at the beginning of the file.)


Most Unix distros have this database installed by default. There is a specific script, pg.sql, that will create all the tables. All you should need to do is set the passwords near the top of the file. Then you would need to log in to the command line psql tool as the user postgres (this is the super user) and from that prompt issue

\i /path/to/file/pg.sql

The file contains default user, table, database and schema names, which you may change if you see fit (be sure to pass these along in your configuration file!). Again, you only need to edit the values at the top of the file, thanks to PostgreSQL's support for variables.