These are the values the client must supply to identify itself to the service and to locate the service's endpoints.

Parameter | Required? | Default | Description
--- | --- | --- | ---
privateKeyFile | Y | N/A | Used by OAuth 1.0a based clients and servers. The full path to the client's PKCS#8 (pk8) encoded private key.
publicKeyFile | Y | N/A | Used by OAuth 1.0a based clients and servers. The full path to the client's PEM encoded public key. This is the key that was uploaded to the server at registration time.
secret | Y | N/A | OAuth 2 specific. The secret issued to the client at registration. It should be cut and pasted into the configuration file with no blanks or other characters. Note that the server does not store the secret itself, only a hash of it, so if you lose it you must re-register.
serviceUri | Y | N/A | The address of the service this client uses.
callbackUri | Y | N/A | The redirect address to which the user is sent after authorization. This can be reset at runtime before the call is made, should you want to customize it per user.
initiateUri | Y | serviceUri + /initiate | (OAuth 1.0a only.) The address the client uses for the first leg of the exchange. Normally this is constructed from serviceUri and should only be set explicitly if the server administrator requires it.
authorizeUri | Y | serviceUri + /authorize | (OAuth 1.0a and OAuth 2.) The address the client uses for authorization. Normally this is constructed from serviceUri and should only be set explicitly if the server administrator requires it.
accessTokenUri | Y | serviceUri + /token | (OAuth 1.0a and OAuth 2.) The address the client uses to obtain the access token. Normally this is constructed from serviceUri and should only be set explicitly if the server administrator requires it.
assetUri | Y | serviceUri + /getcert | (OAuth 1.0a and OAuth 2.) The address from which the client retrieves the certificate. Normally this is constructed from serviceUri and should only be set explicitly if the server administrator requires it.
userInfoUri | Y | serviceUri + /userinfo | (OAuth 2 only.) The address from which the client retrieves user information. Normally this is constructed from serviceUri and should only be set explicitly if the server administrator requires it.
id | Y | N/A | The unique identifier generated by the server during the registration process.
lifetime | N | 43200 | The requested lifetime, in seconds, of the certificate. The service always applies its own policies to any request. The default is 12 hours.
enableAssetCleanup | N | false | Whether the client will automatically remove old assets from the store.
showRedirectPage | N | false | Whether to pause the exchange to show a page containing the redirect URL and the private key. Set this to true to enable. This is useful when debugging but must not be enabled on production systems, since it exposes the private key. It only applies to OAuth 1.0a, since the OAuth 2.0 protocol flow is different.
maxAssetLifetime | N | 2592000 (30 days in seconds) | The maximum age, in seconds, that an asset may remain in the store. This applies only if the cleanup facility is enabled and the OAuth version is 1.0a. Under OAuth 2.0 it is ignored, since cleanup of old assets is governed by the lifetime of the refresh token.
keypairLifetime | N | 0 | The maximum age, in seconds, for which the client-side generated keypair is cached. Caching reduces key generation load on heavily used clients by re-using a keypair across OAuth sessions. Use this only if the keypair stays secured inside the OAuth client and is never exposed externally. It affects the keypair used to generate certificate requests and is not the OAuth keypair created at registration. A value of zero forces the client to generate a new keypair for each request. The keypair is stored in the asset for that request.
skin | N | N/A | The skin the server displays for this client. This lets OA4MP servers mimic the look and feel of the client site. Contact the server administrator if you want this set up.
If any of the required parameters are omitted, then an exception will be raised. The certificate lifetime may be omitted. If present, it will be processed in accordance with the service's cert lifetime policies and there is no requirement that the requested lifetime be honored.
    <config>
      <client>
        <callbackUri>http://client.example.org/client/ready</callbackUri>
        <privateKeyFile>/var/www/config/security/oauth-privkey.pk8</privateKeyFile>
        <publicKeyFile>/var/www/config/security/oauth-pubkey.pem</publicKeyFile>
        <serviceUri>https://server.example.org/oauth</serviceUri>
        <lifetime>864000</lifetime>
        <keypairLifetime>0</keypairLifetime>
        <id>myproxy:delegation,2011:/client/7f1105e2728871223445cafe</id>
        <fileStore path="/path/to/asset/store/">
          <assetStore/>
        </fileStore>
        <enableAssetCleanup>true</enableAssetCleanup>
        <maxAssetLifetime>865000</maxAssetLifetime>
      </client>
    </config>
This is an OAuth 1.0a client (it identifies itself with a keypair rather than a secret). The certificate lifetime is set to 864000 seconds (10 days). The file system is used for assets, and the client will automatically clean up entries older than 865000 seconds (slightly more than 10 days). A keypairLifetime of zero means each certificate request gets a freshly generated keypair. Note that the fileStore requires some installation-specific configuration. Note also that callbackUri is a plain http URL here; on a production system it should be https, since the server redirects the user's browser to it carrying the oauth_token and oauth_verifier that complete the exchange.
    <config>
      <client>
        <callbackUri>http://client.example.org/client2/ready</callbackUri>
        <secret>bwM9YgIMM4oMeOTZdJLyp8shgfuzrwWHxS401pEx8w2_BOk5ip46zJL_bsTj2bU5iuS7QsiGmze44pA2k3MhYuPGOkSSMpUEkpXI9KZqY_OVGOI8B3JYj8q0ZWP80hkmshwzYQiHOz5IJW7KZpMOQSKVG5lbmP0_iSwPim74WwH9akuc_3pocIntA5OfVtRKl0LCAz1WkXUSbF5sH6-xx8SWPJvaU0rc95jmxXqUxib3iXwYgheo1yyrvK4RHsStppZD9RmcwgyhLxvgUDap-23tm</secret>
        <serviceUri>https://server.example.org/oauth2</serviceUri>
        <id>myproxy:delegation,2011:/client/c43d987fedbf7c3258973fdedc8</id>
        <fileStore path="/path/to/asset/store/">
          <assetStore/>
        </fileStore>
        <enableAssetCleanup>true</enableAssetCleanup>
      </client>
    </config>
This is an OAuth 2 client. The secret is entered exactly as issued at registration, with no line breaks or other whitespace inside it. Because the secret is this client's only credential, the configuration file should be readable only by the account the client runs under. The keypairLifetime parameter is omitted, so the default from the table above applies. There is no maxAssetLifetime parameter, since it is not used by OAuth 2.0-based clients; asset cleanup is nevertheless still enabled.
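The following is an added example, not OA4MP's own code: a small validator that applies the rules in the parameter table to a client `<config>` file. It works out the OAuth version from whether the client carries a `<secret>` or a keypair, enforces the required parameters for that version, derives the endpoint URIs from `serviceUri` when they are not set, drops endpoints the other protocol version does not use, and then runs the checks a reviewer would want before the file goes to production (TLS on the redirect and service URIs, `showRedirectPage` off, `maxAssetLifetime` ignored under OAuth 2). The two sample configurations are constructed for this example and mirror the shape of the two examples above; the ids, paths and the secret are placeholders. The function names (`load_client`, `deployment_warnings`, `config_error`) are this example's own, not OA4MP API.

```python
# Added example (not OA4MP code): validate a client <config> against the
# parameter table. Sample configs below are constructed; ids/paths/secret
# are placeholders.
import xml.etree.ElementTree as ET

# Endpoints derived from serviceUri unless set explicitly, and the OAuth
# versions that use them (from the table).
DERIVED_URIS = {
    "initiateUri":    ("/initiate",  ("1.0a",)),
    "authorizeUri":   ("/authorize", ("1.0a", "2")),
    "accessTokenUri": ("/token",     ("1.0a", "2")),
    "assetUri":       ("/getcert",   ("1.0a", "2")),
    "userInfoUri":    ("/userinfo",  ("2",)),
}
COMMON_REQUIRED = ("serviceUri", "callbackUri", "id")
INT_DEFAULTS = {"lifetime": 43200, "maxAssetLifetime": 2592000, "keypairLifetime": 0}
BOOL_DEFAULTS = {"enableAssetCleanup": False, "showRedirectPage": False}


def detect_version(client):
    """OAuth 2 clients identify with <secret>, OAuth 1.0a clients with a keypair."""
    has_secret = client.find("secret") is not None
    has_keys = any(client.find(t) is not None for t in ("privateKeyFile", "publicKeyFile"))
    if has_secret == has_keys:
        raise ValueError("need exactly one of <secret> (OAuth 2) or a keypair (OAuth 1.0a)")
    return "2" if has_secret else "1.0a"


def load_client(xml_text):
    """Parse <config><client>...</client></config> into a dict; ValueError if invalid."""
    root = ET.fromstring(xml_text)
    client = root.find("client") if root.tag == "config" else None
    if client is None:
        raise ValueError("expected <config><client>...</client></config>")
    version = detect_version(client)
    required = list(COMMON_REQUIRED)
    required += ["secret"] if version == "2" else ["privateKeyFile", "publicKeyFile"]
    missing = [p for p in required if not (client.findtext(p) or "").strip()]
    if missing:
        raise ValueError("missing required parameter(s): " + ", ".join(missing))

    cfg = {"oauthVersion": version, "explicit": sorted(c.tag for c in client)}
    for child in client:
        if child.tag == "fileStore":        # <fileStore path="..."><assetStore/></fileStore>
            cfg["assetStorePath"] = child.get("path")
        elif child.text and child.text.strip():
            cfg[child.tag] = child.text.strip()

    # The secret must be pasted as-is: no blanks or line breaks inside it.
    if version == "2" and any(ch.isspace() for ch in cfg["secret"]):
        raise ValueError("secret contains whitespace; paste it exactly as registered")

    for name, default in INT_DEFAULTS.items():
        cfg[name] = int(cfg.get(name, default))
    for name, default in BOOL_DEFAULTS.items():
        cfg[name] = str(cfg.get(name, default)).lower() == "true"

    base = cfg["serviceUri"].rstrip("/")
    for name, (path, versions) in DERIVED_URIS.items():
        if version in versions:
            cfg.setdefault(name, base + path)   # default: serviceUri + path
        else:
            cfg.pop(name, None)                 # not used by this protocol version
    return cfg


def deployment_warnings(cfg):
    """Checks a reviewer runs before the file goes to production."""
    warnings = []
    for name in ("serviceUri", "callbackUri"):
        if not cfg[name].lower().startswith("https://"):
            warnings.append(f"{name} is not https: the redirect and its tokens travel in the clear")
    if cfg["showRedirectPage"]:
        warnings.append("showRedirectPage=true shows the private key on a debug page")
    if cfg["keypairLifetime"] > 0:
        warnings.append("keypairLifetime>0 caches the CSR keypair; only safe if it never leaves the client")
    if cfg["oauthVersion"] == "2" and "maxAssetLifetime" in cfg["explicit"]:
        warnings.append("maxAssetLifetime is ignored under OAuth 2 (cleanup follows the refresh token)")
    return warnings


def config_error(xml_text):
    """Return the validation error message for a config, or None if it loads."""
    try:
        load_client(xml_text)
        return None
    except (ValueError, ET.ParseError) as e:
        return str(e)


# Constructed OAuth 1.0a sample, modelled on the first example above.
OAUTH1_CONFIG = """<config><client>
  <callbackUri>http://client.example.org/client/ready</callbackUri>
  <privateKeyFile>/var/www/config/security/oauth-privkey.pk8</privateKeyFile>
  <publicKeyFile>/var/www/config/security/oauth-pubkey.pem</publicKeyFile>
  <serviceUri>https://server.example.org/oauth</serviceUri>
  <lifetime>864000</lifetime>
  <id>myproxy:delegation,2011:/client/0123456789abcdef01234567</id>
  <fileStore path="/path/to/asset/store/"><assetStore/></fileStore>
  <enableAssetCleanup>true</enableAssetCleanup>
  <maxAssetLifetime>865000</maxAssetLifetime>
</client></config>"""

# Constructed OAuth 2 sample; the secret is a placeholder, not a real one.
OAUTH2_CONFIG = """<config><client>
  <callbackUri>https://client.example.org/client2/ready</callbackUri>
  <secret>PLACEHOLDER_SECRET_NOT_A_REAL_VALUE</secret>
  <serviceUri>https://server.example.org/oauth2</serviceUri>
  <id>myproxy:delegation,2011:/client/fedcba9876543210fedcba98</id>
  <fileStore path="/path/to/asset/store/"><assetStore/></fileStore>
  <enableAssetCleanup>true</enableAssetCleanup>
</client></config>"""
```

Run against the first sample, `load_client` reports an OAuth 1.0a client with `initiateUri` derived as `https://server.example.org/oauth/initiate` and no `userInfoUri`, and `deployment_warnings` flags the plain-http `callbackUri`; the second sample loads as OAuth 2 with `lifetime` falling back to 43200 and produces no warnings. Removing `<id>`, putting a blank inside the secret, or supplying both a secret and a keypair each make `config_error` return the corresponding message.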