After installing an OA4MP server, or as part of testing one in service, you may want to have a way to monitor the interaction from the command line. There are two ways to do this, either using the custom command line client or using curl. This document is how to test using curl. This is not quite straightforward and does require some work, but in many cases is well worth the effort. This document describes how to do a complete exchange with a properly configured OA4MP server
You should make sure you have a few things at the ready.
Each of the steps is outlined below along with an example curl call. In each call you will need to supply your own client_id, client_secret and redirect_uri. Other values such as the nonce and state may be left as is.
In this case, you will create a custom url that you will paste into your browser. Line breaks are for readability.
https://surge.ncsa.illinois.edu/oauth2/authorize?
client_id=myproxy%3Aoa4mp%2C2012%3A%2Fclient_id%2F2a3aab4b67ab2354563&
redirect_uri=https%3A%2F%2Fashigaru.ncsa.uiuc.edu%3A9443%2Fclient%2Fready&
state=qqqqq&
response_type=code&
scope=openid+edu.uiuc.ncsa.myproxy.getcert&
nonce=n-0S6_WzA2Mj
At this point you should see the authorization page pop up in your browser. Log in. The normal control flow is to call back to the redirect URL you provided in the previous step. Since no client should be running there, you will get an error.
The location bar will have an address like this in it
https://ashigaru.ncsa.uiuc.edu:9443/client/ready?
code=https%3A%2F%2Fsurge.ncsa.illinois.edu%2Foauth2%2FauthzGrant%2F6d08e01649cb7d766b0c6288333377b1%2F1453837119100&
state=qqqqq
Note that the state passed in initially is returned. You can ignore this. The important thing is the code. This must be swapped out for a access token.
This requires a little more work since you have to do a POST (as per the spec) using cURL. In this example, I am using the -k flag to avoid checking the SSL cert for the server. This may or may not be required for your setup and the -d parameter that gloms together the request, allowing it to be entered on multiple lines:
curl -k --location -d code=https%3A%2F%2Fsurge.ncsa.illinois.edu%2Foauth2%2FauthzGrant%2F6d08e01649cb7d766b0c6288333377b1%2F1453837119100 \
-d client_id=myproxy%3Aoa4mp%2C2012%3A%2Fclient_id%2F2a3aab4b67ab2354563 \
-d client_secret=KYuXckx3yilsiwl6Z3934587KSUIF983489_3498drfgn3 \
-d redirect_uri=https%3A%2F%2Fashigaru.ncsa.uiuc.edu%3A9443%2Fclient%2Fready \
-d grant_type=authorization_code \
https://surge.ncsa.illinois.edu/oauth2/token
Note that the actual endpoint goes at the end of this request. You should get a response like this:
{"access_token":"https://surge.ncsa.illinois.edu/oauth2/accessToken/20c290985f42bf8efb0677b8db67971e/1453837731113",
"refresh_token":"https://surge.ncsa.illinois.edu/oauth2/refreshToken/49e7fd57565264e2710ddec6d266f84a/1453837731113",
"id_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJpc3MiOiJodHRwcz.",
"token_type":"Bearer",
"expires_in":900}
Again, you just need the access_token.
It is assumed you generated a cert request before you started. In that case, you need to URLencode the cert request you created and send it along in the request (which is just a GET).
curl -k --location
"https://surge.ncsa.illinois.edu/oauth2/getcert?
access_token=https%3A%2F%2Fsurge.ncsa.illinois.edu%2Foauth2%2FaccessToken%2F20c290985f42bf8efb0677b8db67971e%2F1453837731113&
client_id=myproxy%3Aoa4mp%2C2012%3A%2Fclient_id%2F2a3aab4b67ab2354563&
client_secret=KYuXckx3yilsiwl6Z3934587KSUIF983489_3498drfgn3&
certreq=MIICfzCCAWcCAQAwOjEMMAoGA1UEBhMDVVNBMQswCQYDVQQKEwJPVTELMAkGA12B7lBCgs6hf73A%3D%3D"
The response is just the certificate.
-----BEGIN CERTIFICATE-----
MIIEOzCCAyOgAwIBAgIDXB6BMA0GCSqGSIb3DQEBCwUAMIGDMQswCQYDVQQGEwJVUzE4MDYGA1UE
ChMvTmF0aW9uYWwgQ2VudGVyIGZvciBTdXBlcmNvbXB1dEb...
...