...

Where instances is a list of the form:

    "cat_idp": cat IdP identifier (integer, required); e.g. 7088,
    "country": country code (string, required); e.g. "RO",
    "geo": [
        "lat": latitude (float, required),
        "lon": longitude (float, required),
    ] (required),
    "id": cat_id (string, required); e.g. "cat_7088",
    "name": the name of the organisation to be shown in the UI (string, required); e.g. "SURF",
    "profiles": [
        "authorization_endpoint": The authorization endpoint in case OAuth is used (string, optional, default=""); e.g. "https://example.com/oauth/authorize/",
        "default": If this profile is the default profile (bool, optional, default=False); e.g. True,
        "eapconfig_endpoint": The endpoint to obtain the EAP config (string, required); e.g. "https://example.com/api/eap-config/",
        "id": The identifier of the profile (string, required); e.g. "letswifi_cat_1337",
        "name": The name of the profile to be shown in the UI (string, required); e.g. "Demo Server",
        "redirect": The redirect URI to show to the user (string, optional, default=""); e.g. "https://example.com/instructions-eduroam",
        "oauth": Whether or not OAuth is enabled. If missing, OAuth is not enabled (bool, optional, default=False); e.g. true,
        "token_endpoint": The endpoint to get OAuth tokens from (string, optional, default=""); e.g. "https://example.com/oauth/token/",
    ] (required),

This instances list should be parsed by the client. The name of the instance is what is shown in the UI, and filtering on the instance is also done with this name. For example, if a user searches for "sur", the results would include "SURF" due to case-insensitive substring matching.

...

  • grant_type (MUST be set to authorization_code)
  • code (MUST be the code received from the authorization endpoint)
  • redirect_uri (MUST repeat the value used in the previous request, as mandated by RFC7636)
  • client_id (MUST repeat the value used in the previous request, as mandated by RFC7636)
  • code_verifier (MUST be a code verifier, as documented in the PKCE RFC7636 section 4. This is the preimage of the code challenge to prove that you are the original sender of the authorization endpoint request.)
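
The token request above, as an added example that is not code from the original page or its project: it builds the five form parameters and shows the check a token endpoint can run to confirm that `code_verifier` is the preimage of the stored challenge. It assumes the S256 challenge method from RFC7636; the function names, `client_id`, redirect URI and code values are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlencode

# code_verifier syntax from RFC 7636 section 4.1: 43-128 unreserved characters
VERIFIER_RE = re.compile(r"[A-Za-z0-9._~-]{43,128}")

def new_code_verifier() -> str:
    # 32 random bytes encode to 43 base64url characters once padding is stripped
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")

def s256_challenge(code_verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), no padding
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def token_request_body(code: str, redirect_uri: str, client_id: str, code_verifier: str) -> str:
    # The five parameters listed above, form-encoded for the POST to token_endpoint
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri, "client_id": client_id,
                      "code_verifier": code_verifier})

def server_accepts(body: str, stored: dict) -> bool:
    # Server-side view: compare the request with what was stored when the code was issued
    p = {k: v[0] for k, v in parse_qs(body).items()}
    if p.get("grant_type") != "authorization_code":
        return False
    if any(p.get(k) != stored[k] for k in ("code", "redirect_uri", "client_id")):
        return False
    verifier = p.get("code_verifier", "")
    if not VERIFIER_RE.fullmatch(verifier):
        return False  # missing or malformed verifier is rejected before hashing
    return hmac.compare_digest(s256_challenge(verifier), stored["code_challenge"])

if __name__ == "__main__":
    verifier = new_code_verifier()
    stored = {  # constructed sample values, not taken from the page
        "code": "constructed-auth-code",
        "redirect_uri": "http://127.0.0.1:8080/callback",
        "client_id": "example.client",
        "code_challenge": s256_challenge(verifier),
    }
    body = token_request_body(stored["code"], stored["redirect_uri"], stored["client_id"], verifier)
    print(server_accepts(body, stored))
```

A request that carries a stolen authorization code but not the original verifier fails the final comparison, which is why the client must keep the verifier in memory only and never place it in the authorization request.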

You get back a JSON dictionary, containing the following keys:

...

Inner authentication type (<InnerAuthenticationMethod><EAPMethod><Type>...</Type></EAPMethod></InnerAuthenticationMethod>)

  • 0: None
  • 1: PAP
  • 2: MSCHAP
  • 3: MSCHAPv2
  • 25: EAP_PEAP_MSCHAPv2
  • 26: EAP_MSCHAPV2


Based on these authentication methods, there are various "flows" we can have to continue connecting. We will discuss these in the next sections.

...