Setup of OAuth service provider

Introduction

OAuth is an authorization protocol that becomes very useful in conjunction with Confusa: it lets command-line clients or grid-start applications reuse the user's authentication with the portal to perform certificate operations.

In order for OAuth to be useful, it must use the same service provider (SP) as the normal WebSSO authentication does; otherwise we would be busy only exchanging metadata and doing nothing else. Luckily this is possible with the latest and greatest simplesamlphp.

Prerequisites

To hook into the default-sp, or whatever authentication source Confusa is currently using, a recent SVN checkout is needed: in version 1.5.1 the authentication source is hardcoded to saml2, while it is configurable in the current SVN head and probably in version 1.6.

Necessary steps

Server (SP) side

  1. cd $simplesamlpath/modules/oauth && touch enable (this enables the oauth module)
  2. Make sure that you have php5-sqlite installed. For distributions without a package, compile it from source; see the note at
    http://se2.php.net/manual/en/sqlite.installation.php
  3. cp $simplesamlpath/modules/oauth/config-templates/module_oauth.php $simplesamlpath/config/
  4. Register a consumer for every application that should tie into OAuth, using the administrative interface under $simplesamlurl/module.php/oauth/registry.edit.php

Client side

  1. When writing a command-line client based on e.g. curl, make sure that the server's signing certificate is in the trusted certificates path.
  2. Andreas' demo code (modules/oauth/bin/demo.php) currently needs the port number 443 specified explicitly even when the protocol is HTTPS; if no port is specified, it always falls back to port 80.
  3. Use the consumer key and consumer secret that were generated in step 5 of the server-side process.
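As an added example (not code from the Confusa or simplesamlphp projects), the following shows what a command-line client has to do with the consumer key and secret from the registry: build an OAuth 1.0a HMAC-SHA1 signature over the request, send it with the SP's certificate as the only trusted CA, and, in contrast to the demo.php port note above, normalize the base-string URL so that writing ":443" or leaving the port out yields the same signature. The request-token endpoint URL, the consumer key/secret and the cafile path are placeholders I assumed; verify() is the corresponding server-side check, included so the signing logic can be exercised without a network.

```python
"""OAuth 1.0a HMAC-SHA1 request signing for a command-line client (added example)."""
import base64
import hashlib
import hmac
import secrets
import ssl
import time
import urllib.request
from urllib.parse import quote, urlsplit

# Assumed (hypothetical) request-token endpoint of the SP's oauth module; not from the page.
REQUEST_TOKEN_URL = "https://sp.example.org/simplesaml/module.php/oauth/requestToken.php"


def percent_encode(value) -> str:
    """RFC 3986 percent-encoding; only the unreserved set stays bare."""
    return quote(str(value), safe="-._~")


def normalize_url(url: str) -> str:
    """Base-string URL: lowercase scheme/host, default port dropped, query removed.

    A correct client gives the same result with or without an explicit ':443';
    this is exactly what the note about demo.php falling back to port 80 concerns.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""          # urlsplit already lowercases the host
    port = parts.port
    if port is not None and port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def signature_base_string(method: str, url: str, params: dict) -> str:
    """METHOD & encode(URL) & encode(sorted 'k=v' pairs joined by '&')."""
    pairs = sorted((percent_encode(k), percent_encode(v)) for k, v in params.items())
    param_str = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), percent_encode(normalize_url(url)), percent_encode(param_str)])


def sign(method: str, url: str, params: dict, consumer_secret: str, token_secret: str = "") -> str:
    """HMAC-SHA1 over the base string, keyed with 'consumer_secret&token_secret'."""
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}"
    base = signature_base_string(method, url, params)
    mac = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def oauth_params(consumer_key: str, token=None, nonce=None, timestamp=None) -> dict:
    """The oauth_* protocol parameters; nonce and timestamp are fresh unless given (for tests)."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    if token:
        params["oauth_token"] = token
    return params


def authorization_header(method, url, consumer_key, consumer_secret, token=None,
                         token_secret="", extra=None, nonce=None, timestamp=None) -> str:
    """Build the 'Authorization: OAuth ...' header value for one request."""
    params = oauth_params(consumer_key, token, nonce, timestamp)
    signed = {**(extra or {}), **params}     # query/body params take part in the signature too
    params["oauth_signature"] = sign(method, url, signed, consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{percent_encode(k)}="{percent_encode(v)}"'
                                for k, v in sorted(params.items()))


def verify(method: str, url: str, params: dict, consumer_secret: str, token_secret: str = "") -> bool:
    """Server-side check: recompute the signature and compare in constant time."""
    presented = params.get("oauth_signature", "")
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = sign(method, url, unsigned, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)


def fetch_request_token(consumer_key: str, consumer_secret: str, cafile: str, url: str = REQUEST_TOKEN_URL) -> str:
    """Client step 1 from the page: trust only the SP's own certificate (cafile) for the HTTPS connection."""
    ctx = ssl.create_default_context(cafile=cafile)     # cafile path is an assumed placeholder
    req = urllib.request.Request(url, data=b"", method="POST")
    req.add_header("Authorization", authorization_header("POST", url, consumer_key, consumer_secret))
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Constructed sample values; a real client uses the key/secret from registry.edit.php.
    print(authorization_header("POST", REQUEST_TOKEN_URL, "consumer-key-placeholder",
                               "consumer-secret-placeholder"))
```

The nonce and timestamp are generated per request, so the header differs on every run; the server stores seen nonces to reject replays, which is why verify() alone is not sufficient on the SP side.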