scitokens-java demo server

[jbasney]

The scitokens-java demo server running at NCSA needs some updates before we can point early adopters to it. Here's my wish list:

• publish at https://demo-provider.scitokens.org/.well-known/openid-configuration with issuer "https://demo-provider.scitokens.org/" and endpoints at "https://demo-provider.scitokens.org/authorize" etc. (i.e., create a demo-provider.scitokens.org DNS alias, get a demo-provider.scitokens.org certificate, so no ncsa.illinois.edu DNS names are exposed)
• no mention of "MyProxy" anywhere
• no mention of certificates anywhere, just JSON tokens
• uses CILogon for authentication (probably via mod_auth_openidc) rather than username/password

[jbasney]

I think the current plan is to publish the demo server at https://oauth.scitokens.org/scitokens-server/.well-known/openid-configuration with issuer "https://oauth.scitokens.org/scitokens-server" rather than demo-provider.scitokens.org mentioned previously.

Also, I think the consent screen needs to show the scopes being authorized, rather than saying "The client listed below is requesting access to your account."

[jbasney]

Progress:

• https://surge.ncsa.illinois.edu/scitokens-server/ updated to use CILogon for authentication, passing along the sub claim from the CILogon id_token to the sub claim in the SciToken authorization token

Next steps:

• Install HTTPS certificate for oauth.scitokens.org.
• Pull in other claims from CILogon id_token (e.g., OIDC_CLAIM_eppn set by mod_auth_openidc) to be used in SciToken authorization policy, so for example we can authorize eppn=[email protected] to get scp claims.
• Consent screen should detail the claims being issued (rather than "requesting access to your account").
• References to MyProxy or certificates should be updated to SciTokens and tokens.