2. Globus = SaaS + PaaS
• Globus SaaS continues to improve its
capabilities for researchers and research
computing centers
• Globus PaaS opens new opportunities for
developers creating applications and
services for researchers
3. Motivating Globus PaaS
• How do you leverage Globus services
in your own applications?
• How do you extend Globus with your
own services?
• How do we empower the research
community to create an integrated
ecosystem of services and
applications?
4. Security PaaS challenges
• How to provide:
– Login to apps
o Web, mobile, desktop, command line
– Protect all REST API communications
o App to Globus service
o App to non-Globus service
o Service to service
• While:
– Not introducing even more identities
– Providing least privileges security model
– Being agnostic to programming language and
framework
– Being web friendly
– Making it easy for users and developers
5. Globus Auth
• Identity and access management (IAM)
platform-as-a-service
• Simplifies creation and integration of advanced
apps and services
• Brokers authentication and authorization
interactions between:
– End-users
– Identity providers: InCommon, XSEDE, Google, portals
– Services: resource servers with REST APIs
– Apps: web, mobile, desktop, command line clients
– Services acting as clients to other services
docs.globus.org/api/auth
6. Based on widely used web standards
• OAuth 2.0 Authorization Framework
– aka OAuth2
• OpenID Connect Core 1.0
– aka OIDC
• Use various OAuth2 and OIDC libraries
– Google OAuth Client Libraries (Java, Python,
etc.), Apache mod_auth_openidc, etc.
– Globus Python SDK
7. Log in with Globus
• Similar to:
“Log in with Google”
“Log in with Facebook”
• Using existing identities
• Providing access to
community services
8. Adding your identity provider
• InCommon identity providers that
release Research & Scholarship
attributes to CILogon (free)
• Any other OpenID Connect identity
provider (subscription)
9. Portal calling services on user’s behalf
• Examples:
– Portal starting transfer for user
• Authorization Code Grant
– With service scopes
– Can also request OIDC scopes
• Confidential client
• Globus SDK:
– To get tokens: ConfidentialAppAuthClient
– To use tokens: AccessTokenAuthorizer
10. Native apps
• Examples
– Command line, desktop apps
– Mobile apps
– Automation scripts
– Jupyter notebooks
– Any client that cannot keep a secret (downloaded)
• Native app is registered with Globus Auth
– Not a confidential client
• Native App Grant is used
– Variation on the Authorization Code Grant that uses PKCE
• Globus SDK:
– To get tokens: NativeAppAuthClient
– To use tokens: AccessTokenAuthorizer
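The PKCE exchange that makes the Native App Grant safe for a client that cannot keep a secret, as an added example written with Python's standard library (not Globus SDK code; the client id, redirect URI and scope strings are placeholders):

```python
"""PKCE (RFC 7636) as used by the Native App Grant: instead of a client_secret,
the app binds the authorization code to a one-time, high-entropy verifier.
Stand-alone illustration with hashlib/secrets; not Globus SDK code."""
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier(nbytes: int = 32) -> str:
    """code_verifier: 43..128 unreserved characters; 32 random bytes -> 43 chars."""
    return b64url(secrets.token_bytes(nbytes))


def make_challenge(verifier: str) -> str:
    """S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorize_params(client_id, redirect_uri, scopes, verifier, state):
    """Query parameters the native app sends to the authorization endpoint.
    Only the challenge leaves the device; the verifier stays in process memory
    until the code is redeemed, so a leaked or intercepted code is useless alone."""
    return {
        "client_id": client_id,               # placeholder: the registered native app
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,                       # CSRF binding, checked on return
        "response_type": "code",
        "code_challenge": make_challenge(verifier),
        "code_challenge_method": "S256",
    }


def server_verifies(stored_challenge: str, presented_verifier: str) -> bool:
    """What the authorization server does at the token endpoint: recompute the
    challenge from the presented verifier and compare in constant time."""
    return secrets.compare_digest(stored_challenge, make_challenge(presented_verifier))
```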
11. Apps that need access tokens for a long time
• Examples:
– Portal checks for transfer status when user is
not logged in
– Run command line app from script
• App requests refresh tokens
• Globus SDK:
– To get tokens: ConfidentialAppAuthClient or
NativeAppAuthClient
– To use tokens: RefreshTokenAuthorizer
12. App invoking services as itself
• Examples
– Sample portal invoking graph service and accessing endpoints as itself
– Robots, agents, services
• Every app is/has an identity in Globus Auth
(<client_id>@clients.auth.globus.org)
• App registers with Globus to get client id/secret
– Native app cannot do this (no client_secret)
• Client Credential Grant is used
• Can use the client_id just like any other identity_id
– Sharing access manager role, permissions, group membership, etc.
• Globus SDK:
– To get tokens: ConfidentialAppAuthClient
– To use tokens: AccessTokenAuthorizer
13. Globus Auth for securing your service’s REST API
• Outsource all identity management and authentication
– Federated identity with InCommon, Google, etc.
• Outsource your REST API security
– Consent, token issuance, validation, revocation
– You provide service-specific authorization
• Apps use your service like all others
– It’s standard OAuth2 and OIDC
• Your service can seamlessly leverage other services
• Other services can leverage your service
• Implement your service using any language and framework
Add your service to the science cyberinfrastructure platform
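The division of labour on this slide, as an added example that is not Globus code: Globus Auth validates the bearer token (here represented by a constructed introspection reply in the shape of RFC 7662; the `identity_set` field and the scope URI form are assumptions, ids are placeholders), and the service applies its own checks and authorization.

```python
"""Bearer-token check for a resource server that has outsourced token issuance
and validation to Globus Auth: the service introspects the token, then applies
its own authorization. Added illustration, not Globus code; the sample reply is
constructed and field names beyond RFC 7662 (identity_set) are assumptions."""
import json
import time

# Constructed sample of a decoded introspection reply (all ids are placeholders).
SAMPLE_INTROSPECTION = json.dumps({
    "active": True,
    "scope": "https://auth.globus.org/scopes/EXAMPLE_SERVICE_ID/archive.read",
    "client_id": "PORTAL_CLIENT_ID_PLACEHOLDER",   # app calling on the user's behalf
    "sub": "USER_IDENTITY_ID_PLACEHOLDER",
    "username": "researcher@example.edu",
    "aud": ["EXAMPLE_SERVICE_ID"],
    "exp": 4102444800,
    "identity_set": ["USER_IDENTITY_ID_PLACEHOLDER", "LINKED_IDENTITY_ID_PLACEHOLDER"],
})


def check_token(introspection_json, my_client_id, required_scope, now=None):
    """Return (caller, None) if this service may honour the token, else (None, reason).
    Introspection reports the token's facts; deciding whether they are sufficient
    for this service and this operation is the resource server's job."""
    info = json.loads(introspection_json)
    now = time.time() if now is None else now
    if not info.get("active"):                       # revoked, or consent rescinded
        return None, "token inactive"
    if info.get("exp", 0) <= now:
        return None, "token expired"
    aud = info.get("aud", [])
    if my_client_id not in ([aud] if isinstance(aud, str) else aud):
        return None, "token not issued for this service"   # another service's token
    if required_scope not in set(info.get("scope", "").split()):
        return None, "missing scope " + required_scope
    caller = {"sub": info["sub"], "username": info.get("username"),
              "identities": set(info.get("identity_set", [info["sub"]])),
              "via_client": info.get("client_id")}
    return caller, None


def may_read(caller, dataset_acl):
    """Service-specific authorization: any of the user's linked identities in the ACL."""
    return bool(caller["identities"] & set(dataset_acl))
```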
14. Dependent services
• Your service can act as client to other services
(scopes)
– Globus Transfer and Auth
– XSEDE (e.g., Jetstream, XUP)
– Other community services
– Future: Commercial services (e.g., Google Drive)
• Entire service call tree consented by user and
service owners
– Rescinding consent revokes all dependent tokens
• Dependent tokens are restricted to a particular
client, calling a particular scope, on behalf of a
particular resource owner (e.g., user)
– Restricted delegation!
15. Summary
• Globus Auth makes it easy to:
– add user login to your applications
– integrate with Globus, XSEDE, and other services
– add OAuth2 support to your service’s REST API
– create services to leverage other services
Together we can create an integrated
ecosystem of services and applications
for the research community
16. Join the Globus developer community
• Globus Auth API:
docs.globus.org/api/auth
• Python SDK is open source
– github.com/globus/globus-sdk-python
– Submit issues, pull requests
• Join developer-discuss@globus.org
mailing list: globus.org/mailing-lists
• Sample code: github.com/globus
• Documentation: docs.globus.org
17. Thank you to our sponsors!
U.S. Department of Energy
Editor's Notes
Abstract: Globus Auth is a foundational identity and access management platform service designed to address unique needs of the science and engineering community. It serves to broker authentication and authorization interactions between end-users, identity providers, resource servers (services), and clients (including web, mobile, and desktop applications, and other services). Globus Auth thus makes it easy, for example, for a researcher to authenticate with one credential, connect to a specific remote storage resource with another identity, and share data with colleagues based on their global identity. By eliminating friction associated with the frequent need for multiple accounts, identities, credentials, and groups when using distributed cyberinfrastructure, Globus Auth streamlines the creation, integration, and use of advanced research services. Here we introduce Globus Auth by describing how it can be used by a real research service, the Research Data Archive of the National Center for Atmospheric Research, to enhance both delivered capabilities and user experience.
No need to build commodity functions
Can extend Globus functionality to better fit your workflows
Single sign on preferred
Want to encourage application development to the Globus Service.
Want to encourage others to use Globus Auth for their own services.
But not only for apps; also for service-to-service communication.
Globus Auth is a Foundational service for all of these
In some sense it’s an IdP but think of it more as an Identity Broker
Globus Auth is tasked with:
Getting user authenticated
Issuing tokens
Verifying tokens
Consents, so users are consenting to what tokens are being used for
Mission is providing a platform for app/service developers to integrate these capabilities so they can access the growing system of IdPs with just a bit of standard code
OAuth2 – OpenID Connect (Web World)
OpenID Connect – Authentication Layer (RESTful / JSON)
RA: some concepts to follow, and then present use cases for integration with Auth with specific solutions on using our SDK for that.
Strongly recommend you join this list if developing against our API
Talk about the Globus as being part of UChicago + ANL, as well as other context setting about how this work came about and is funded