API for obtaining client certificates
The server on demo.eduroam.no can be accessed directly by a user, where he is required to authenticate and then allowed to download a client certificated, packed in a profile (eap-metadata, mobileconfig, pkcs12, pem). But not all platforms have support for importing configuration files; some operating systems only have internal APIs for configuring wireless profiles (e.g. Windows and Android). For these platforms, the server allows retrieving profiles through a web API. This is a description of the API.
Discovery
For discovery, use the discovery JSON file hosted at https://discovery.eduroam.app/v1/discovery.json
TODO document the format of the discovery. It is rather straightforward, but explicit documentation is better
Authorization endpoint
Build a URL for the authorization endpoint; take the authorization_endpoint string from the discovery,
and add the following GET parameters:
response_type(set tocode)code_challenge_method(set toS256)scope(choose betweeneap-metadataandmobileconfig)code_challenge(a code challenge, as documented in RFC7636 section 4)redirect_uri(where the user should be redirected after accepting or rejecting your application, GET parameters will added to this URL by the server)client_id(your client ID as known by the server)state(a random string that will be set in a GET parameter to theredirect_uri, for you to verify it’s the same flow)
You have created a URL, for example:
https://demo.eduroam.no/authorize.php?response_type=code&code_challenge_method=S256&scope=eap-metadata&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM&redirect_uri=http%3A%2F%2Flocalhost%3A1080%2Fcallback&client_id=00000000-0000-0000-0000-000000000000&state=0
You open a local webbrowser to this URL on the users’ device and listen on the redirect_uri for a request to return.
Upon receiving a request, reclaim focus to your application and handle the request.
You may receive these GET parameters:
code(a code that you can use on the token endpoint)error(an error message that you can present to the user)state(the same value as your earlierstateGET parameter)
As a reply to this request, you may simply return a message to the user stating that he should return to the application. Depending on the platform, you may also return code to trigger a return to the application.
Token endpoint
The token endpoint requires a code, which you obtain via the Authorization endpoint.
Use the token_endpoint string from the discovery.
You need the following POST parameters:
grant_type(set toauthorization_code)code(the code received from the authorization endpoint)redirect_uri(repeat the value used in the previous request, as mandated by RFC7636)client_id(repeat the value used in the previous request, as mandated by RFC7636)code_verifier(a code verifier, as documented in RFC7636 section 4)
You get back a JSON dictionary, containing the following keys:
access_tokentoken_type(set toBearer)expires_in(validity of theaccess_tokenin seconds)
Example HTTP conversation
POST /token.php HTTP/1.1
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Content-Length: 209
grant_type=authorization_code&code=v2.local.AAAAAA&redirect_uri=http%3A%2F%2Flocalhost%3A1080%2Fcallback&client_id=00000000-0000-0000-0000-000000000000&code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: application/json;charset=UTF-8
Pragma: no-cache
{
"access_token": "v2.local.AAAAA…==",
"token_type": "Bearer",
"expires_in": 3600
}
Generator endpoint
The generator requires an access_token, as bearer. You’ve obtained this from the token endpoint.
For the URL to the generator, use the generator_endpoint string from the discovery.
POST /generate.php? HTTP/1.1
Accept: application/x-eap-config
Authorization: Bearer AAAAAA…==
Content-Type: application/x-www-form-urlencoded
Content-Length: 19
format=eap-metadata
HTTP/1.1 200 OK
Cache-Control: no-store
Content-Disposition: attachment; filename="johndoe.xml"
Content-Type: application/eap-config
Pragma: no-cache
<?xml version="1.0" encoding="utf-8"?>
…