[Specs-cx] CX Contract to enlist OAuth clients
nara hideki
hdknr at ic-tact.co.jp
Thu May 27 09:03:15 UTC 2010
Hi, experts.
I think that a CX Contract can enlist binding parties as OAuth 2.0
service consumers.
Any comment is welcome.
1. Declare an endpoint as an OAuth service.
If the /Contract/Party/obligations/endpoint is an OAuth 2.0 server, the
CX Proposal may have the following attribute.
/Contract/Party/obligations/endpoint/@oauth
The OAuth 2.0 token endpoint for getting the access token to
/Contract/Party/obligations/endpoint.
2. A CX Party starts OAuth.
A CX data requesting party MUST ask the authorization server in the
course of the "Client Credentials" flow of OAuth 2.0.
The OAuth request parameters are the following:

type
    "client_credentials" (same as OAuth 2.0)
client_id
    The party's identifier specified in the CX Contract.
client_secret
    _challenge_generated_by_the_cx_data_requesting_party_
scope
    cxid=_cx_identifier_, cxdig=_rsa_sha256_by_private_key_("client_secret")
    The authorization server should authenticate and issue a token in the
    following process:
    1. The request is based on a CX Contract if "cxid" is specified in "scope".
    2. Fetch the CX Contract specified in "cxid" of "scope" (only for the
       first time). "cxid" is the URI of the CX Signatory.
    3. Verify "cxdig" in "scope" for "client_secret" with the public key of
       the "client_id" X.509 certificate in the CX Contract.
    4. Return an OAuth access token if "cxdig" is properly verified.
secret_type
    http://openid.net/cx/#sig_rsa_sha256_ (or something ...)
format
    Same as OAuth 2.0.
If an access token is successfully returned, the CX party is now able
to request data from /Contract/Party/obligations/endpoint.
-----
hdknr
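The exchange proposed in the post, worked through as an added Go example; this is not code from the original post or from any CX or OAuth implementation. It assumes that fetching the contract named by cxid is a map lookup, that scope is comma separated as written above, that "rsa_sha256_by_private_key" means an RSA PKCS#1 v1.5 signature over SHA-256 of the client_secret string, and that the party's X.509 certificate is a self-signed one constructed for the example. The names Contract, TokenRequest, BuildTokenRequest, IssueToken, NewParty and ContractFor, and the Signatory URI https://cx.example/contract/1, are all hypothetical.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Contract is what the authorization server needs from a CX Contract: the
// Signatory URI sent as "cxid" and each party's X.509 certificate, keyed by
// the party identifier that the party sends as client_id. (Hypothetical type.)
type Contract struct {
	CXID    string
	Parties map[string]*x509.Certificate
}

// TokenRequest carries the client_credentials parameters listed in the post.
type TokenRequest struct {
	Type, ClientID, ClientSecret, Scope, SecretType string
}

// BuildTokenRequest is the requesting party's side: a fresh random challenge
// becomes client_secret and its RSA-SHA256 signature becomes cxdig in scope.
func BuildTokenRequest(clientID, cxid string, priv *rsa.PrivateKey) (TokenRequest, error) {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return TokenRequest{}, err
	}
	secret := base64.RawURLEncoding.EncodeToString(challenge)
	digest := sha256.Sum256([]byte(secret))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return TokenRequest{}, err
	}
	return TokenRequest{Type: "client_credentials", ClientID: clientID, ClientSecret: secret,
		Scope:      "cxid=" + cxid + ", cxdig=" + base64.RawURLEncoding.EncodeToString(sig),
		SecretType: "http://openid.net/cx/#sig_rsa_sha256"}, nil // placeholder URI from the post
}

// parseScope reads "cxid=..., cxdig=..." into a map, tolerating spaces.
func parseScope(scope string) map[string]string {
	out := map[string]string{}
	for _, part := range strings.Split(scope, ",") {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 {
			out[strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
		}
	}
	return out
}

// IssueToken is the authorization server's side, steps 1-4 of the post.
// The contracts map stands in for fetching the contract named by cxid.
func IssueToken(req TokenRequest, contracts map[string]*Contract) (string, error) {
	params := parseScope(req.Scope)
	cxid, ok := params["cxid"] // step 1: a CX request names its contract in scope
	if req.Type != "client_credentials" || !ok {
		return "", fmt.Errorf("not a client_credentials request under a CX Contract")
	}
	contract, ok := contracts[cxid] // step 2: fetch the contract
	if !ok {
		return "", fmt.Errorf("unknown CX Contract %q", cxid)
	}
	cert, ok := contract.Parties[req.ClientID]
	if !ok {
		return "", fmt.Errorf("client_id %q is not a party to %s", req.ClientID, cxid)
	}
	pub, isRSA := cert.PublicKey.(*rsa.PublicKey)
	sig, err := base64.RawURLEncoding.DecodeString(params["cxdig"])
	if !isRSA || err != nil {
		return "", fmt.Errorf("cxdig is not decodable or the certificate key is not RSA")
	}
	digest := sha256.Sum256([]byte(req.ClientSecret)) // step 3: verify cxdig over client_secret
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", fmt.Errorf("cxdig does not verify for %q: %w", req.ClientID, err)
	}
	token := make([]byte, 16) // step 4: an opaque access token
	if _, err := rand.Read(token); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(token), nil
}

// must unwraps the constructed sample key and certificate generation below.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewParty makes a constructed key pair and self-signed certificate, standing
// in for the X.509 certificate a real CX Contract would carry for the party.
func NewParty(cn string) (*rsa.PrivateKey, *x509.Certificate) {
	priv := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv))
	return priv, must(x509.ParseCertificate(der))
}

// ContractFor builds a one-party contract store for the example.
func ContractFor(cxid, clientID string, cert *x509.Certificate) map[string]*Contract {
	return map[string]*Contract{cxid: {CXID: cxid, Parties: map[string]*x509.Certificate{clientID: cert}}}
}

func main() {
	priv, cert := NewParty("party-a")
	cxid := "https://cx.example/contract/1" // constructed Signatory URI
	contracts := ContractFor(cxid, "party-a", cert)
	req, _ := BuildTokenRequest("party-a", cxid, priv)
	fmt.Println(IssueToken(req, contracts)) // <token> <nil>
	other, _ := NewParty("party-a")         // same client_id, but a key the contract does not carry
	forged, _ := BuildTokenRequest("party-a", cxid, other)
	fmt.Println(IssueToken(forged, contracts)) // "" and a cxdig verification error
}
```

Because the party picks the challenge itself, the server's only guarantee is that whoever sent the request holds the private key matching the contract's certificate; if the server also wants to reject a replayed request, it has to remember client_secret values it has already accepted, which this example does not do.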