API for obtaining client certificates #
The server on demo.eduroam.no can be accessed directly by a user, where he is required to authenticate and then allowed to download a client certificated, packed in a profile (eap-metadata, mobileconfig, pkcs12, pem). But not all platforms have support for importing configuration files; some operating systems only have internal APIs for configuring wireless profiles (e.g. Windows and Android). For these platforms, the server allows retrieving profiles through a web API. This is a description of the API.
Discovery #
For discovery, use the discovery JSON file hosted at https://discovery.eduroam.app/v1/discovery.json
TODO document the format of the discovery. It is rather straightforward, but explicit documentation is better
Authorization endpoint #
Build a URL for the authorization endpoint; take the authorization_endpoint
string from the discovery,
and add the following GET parameters:
response_type
(set tocode
)code_challenge_method
(set toS256
)scope
(choose betweeneap-metadata
andmobileconfig
)code_challenge
(a code challenge, as documented in RFC7636 section 4)redirect_uri
(where the user should be redirected after accepting or rejecting your application, GET parameters will added to this URL by the server)client_id
(your client ID as known by the server)state
(a random string that will be set in a GET parameter to theredirect_uri
, for you to verify it’s the same flow)
You have created a URL, for example:
https://demo.eduroam.no/authorize.php?response_type=code&code_challenge_method=S256&scope=eap-metadata&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM&redirect_uri=http%3A%2F%2Flocalhost%3A1080%2Fcallback&client_id=00000000-0000-0000-0000-000000000000&state=0
You open a local webbrowser to this URL on the users’ device and listen on the redirect_uri
for a request to return.
Upon receiving a request, reclaim focus to your application and handle the request.
You may receive these GET parameters:
code
(a code that you can use on the token endpoint)error
(an error message that you can present to the user)state
(the same value as your earlierstate
GET parameter)
As a reply to this request, you may simply return a message to the user stating that he should return to the application. Depending on the platform, you may also return code to trigger a return to the application.
Token endpoint #
The token endpoint requires a code
, which you obtain via the Authorization endpoint.
Use the token_endpoint
string from the discovery.
You need the following POST parameters:
grant_type
(set toauthorization_code
)code
(the code received from the authorization endpoint)redirect_uri
(repeat the value used in the previous request, as mandated by RFC7636)client_id
(repeat the value used in the previous request, as mandated by RFC7636)code_verifier
(a code verifier, as documented in RFC7636 section 4)
You get back a JSON dictionary, containing the following keys:
access_token
token_type
(set toBearer
)expires_in
(validity of theaccess_token
in seconds)
Example HTTP conversation
POST /token.php HTTP/1.1
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Content-Length: 209
grant_type=authorization_code&code=v2.local.AAAAAA&redirect_uri=http%3A%2F%2Flocalhost%3A1080%2Fcallback&client_id=00000000-0000-0000-0000-000000000000&code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: application/json;charset=UTF-8
Pragma: no-cache
{
"access_token": "v2.local.AAAAA…==",
"token_type": "Bearer",
"expires_in": 3600
}
Generator endpoint #
The generator requires an access_token, as bearer. You’ve obtained this from the token endpoint.
For the URL to the generator, use the generator_endpoint
string from the discovery.
POST /generate.php? HTTP/1.1
Accept: application/x-eap-config
Authorization: Bearer AAAAAA…==
Content-Type: application/x-www-form-urlencoded
Content-Length: 19
format=eap-metadata
HTTP/1.1 200 OK
Cache-Control: no-store
Content-Disposition: attachment; filename="johndoe.xml"
Content-Type: application/eap-config
Pragma: no-cache
<?xml version="1.0" encoding="utf-8"?>
…