
User Authentication and Cloud Authorization in the Galaxy project: https://doi.org/10.1101/506238


An overview of user authentication and authorization in the Galaxy project: how users can use it to authorize Galaxy to access their private resources on the cloud, and how Galaxy implements the flow, leveraging the OpenID Connect protocol and the Role-Based Access Control model, to obtain temporary credentials.

Published in: Engineering


  1. User X asks Galaxy: "Get data from my S3 bucket to my history." Galaxy asks the cloud: "Give me User X's bucket." The cloud answers: "Give me your secrets!" So any middleware or science gateway ends up asking the user: "Hey, can you share your secrets with me?"
  2. Do NOT ask for the user's credentials, because:
     • Obtaining credentials demands a degree of familiarity with the provider, which is usually not intuitive for general users;
     • Liability concern for Galaxy to securely store the credentials;
     • It provides Galaxy with the same level of privileges as the user;
     • Stolen credentials can be disabled only by manual intervention of the user.
  3. Instead:
     • Use server-to-server communication, and minimize user interaction/intervention;
     • Use token-based authentication and authorization;
     • Use temporary tokens;
     • Use role-based access control.
  4. Galaxy tells the cloud: "User X has authorized me to access her private bucket." The cloud asks: "Who are you? Who is User X? What is your authorization?" Galaxy can only answer: "User X authorized me."
  5. The three questions the cloud asks: Who Are You? Who is User X? What is Your Authorization?
  6. Who Are You? Register Galaxy as an OIDC Client; Galaxy's OIDC Client ID answers this question. Client ID: 8936 … 8o88f.apps.googleusercontent.com
  7. Who is User X? Galaxy asks the identity provider "Give me a proof of User X's identity" by sending the user's browser to the authorization endpoint:
     https://accounts.google.com/o/oauth2/auth?
       nonce=U9zZAIsacYEB7lJ3FZxO9G3nfzPaIxrl94Vnr5f2WfLMc8KQoG3C2B8LP2IGlwAW&
       state=zCbXw5YEEiHHqsOEWQnkydFfolBYYWFB&
       redirect_uri=http://localhost:8080/authnz/google/callback&
       prompt=consent&
       response_type=code&
       client_id=8936 … 8o88f.apps.googleusercontent.com&
       scope=openid+email+profile+https://www.googleapis.com/auth/user.birthday.read&
       access_type=offline
  8. This request covers the user's authentication (who they are).
  9. It also covers the user's authorization (what they allow you to do).
  10. "Here is your proof": the provider redirects the browser back to Galaxy's callback with:
      { "code": "4/NwEDKgZ2GZFbzd … I7xeXhvWEBESoc",
        "prompt": "consent",
        "state": "zCbXw5YEEiHHqsOEWQnkydFfolBYYWFB",
        "session_state": "ccd20afbeec42f7711fb787ebebde0b38ff85255..85bb",
        "scope": "email profile openid https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/user.birthday.read",
        "authuser": "0" }
  11. Galaxy exchanges the code for the token response and obtains the user's OIDC ID Token:
      { "access_token": "… 129 chars …",
        "auth_time": 1556220254,
        "expires": 3600,
        "id_token": "… 1000 chars …",
        "refresh_token": "… 45 chars …",
        "token_type": "Bearer" }
      ID token:
      - is a JWT;
      - contains claims about the authentication of the end-user.
      Access token:
      - is not a JWT;
      - can be used to request info.
  12. Part of a decoded ID token (payload):
      { "iss": "accounts.google.com",
        "azp": "…",
        "aud": "8936 ... 8o88f.apps.googleusercontent.com",
        "sub": "100813134013939805912",
        "email": "jalili.vahid@gmail.com",
        "email_verified": true,
        "at_hash": "oRKH9-7HUwPJx-OxBSR-TA",
        "nonce": "…",
        "iat": 1556220253,
        "exp": 1556223853 }
  13. Authorization Code Grant flow in a nutshell: Galaxy, identified by its OIDC Client ID, asks the provider for a proof of User X's identity, receives an authorization code at its callback, and exchanges it for the token response; the ID token in that response answers "Who is User X?".
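The slides show the request, the callback and the decoded ID token, but not what the relying party has to check before it trusts them. The following is an added example, not Galaxy's code: it binds the callback to the login session with the state value, decodes the JWT payload, and checks issuer, audience, nonce, expiry and at_hash against constructed data modelled on slides 7, 10 and 12. The Client ID is a placeholder (it is elided on the slides), and signature verification of the ID token against the provider's published keys is assumed to be done by a JWT library before these checks run.

```python
"""Relying-party checks for the Authorization Code flow on slides 7-13.

Added example, not Galaxy's code. The JWT signature is assumed to have been
verified against the provider's published keys by a JWT library before these
checks run; this block covers the state, nonce, issuer, audience, expiry and
at_hash checks that a decoded payload like the one on slide 12 must pass.
"""
import base64
import hashlib
import json
import secrets
import time

# Placeholder: the real Client ID is elided on the slides.
CLIENT_ID = "8936...8o88f.apps.googleusercontent.com"
# Google issues ID tokens with either form of the issuer claim.
TRUSTED_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}


def b64url(data: bytes) -> str:
    """base64url without padding, as used by JWT segments and by at_hash."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def new_login_session() -> dict:
    """Before redirecting to the authorization endpoint (slide 7) the client
    generates a state (binds the callback to this browser session) and a
    nonce (binds the ID token to this login attempt), and stores both."""
    return {"state": secrets.token_urlsafe(24), "nonce": secrets.token_urlsafe(48)}


def check_callback(session: dict, query: dict) -> bool:
    """The callback (slide 10) is accepted only if it carries a code and the
    exact state that was sent; anything else is a forged or replayed redirect."""
    return "code" in query and secrets.compare_digest(query.get("state", ""), session["state"])


def jwt_payload(id_token: str) -> dict:
    """An ID token is a JWT: header.payload.signature, each base64url. This
    decodes the claims only; it does not verify the signature."""
    return json.loads(b64url_decode(id_token.split(".")[1]))


def at_hash(access_token: str) -> str:
    """OpenID Connect at_hash for RS256 tokens: base64url of the left-most
    128 bits of SHA-256 over the access token (slide 12 shows this claim)."""
    return b64url(hashlib.sha256(access_token.encode("ascii")).digest()[:16])


def validate_claims(claims: dict, session: dict, access_token: str = None, now: int = None) -> str:
    """Returns "ok" or the name of the first failed check. Each check rejects a
    token that a signature check alone would accept: another issuer, another
    client's token, a replayed token, a stale token, or a swapped access token."""
    now = int(time.time()) if now is None else now
    if claims.get("iss") not in TRUSTED_ISSUERS:
        return "bad issuer"
    if claims.get("aud") != CLIENT_ID:
        return "bad audience"
    if not secrets.compare_digest(str(claims.get("nonce", "")), session["nonce"]):
        return "nonce mismatch"
    if int(claims.get("exp", 0)) <= now:
        return "expired"
    if access_token is not None and claims.get("at_hash") != at_hash(access_token):
        return "access token not bound to this ID token"
    return "ok"


def make_demo_id_token(claims: dict) -> str:
    """Constructed, unsigned JWT (alg "none") so the example runs offline.
    A real provider signs the token; never accept alg "none" in production."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return header + "." + b64url(json.dumps(claims).encode()) + "."


def demo() -> str:
    """Runs the whole sequence on constructed data and returns the verdict."""
    session = new_login_session()
    query = {"code": "4/constructed-code", "state": session["state"]}
    if not check_callback(session, query):
        return "callback rejected"
    access_token = "constructed-access-token"
    now = 1556220300  # a moment inside the iat..exp window shown on slide 12
    claims = {"iss": "accounts.google.com", "aud": CLIENT_ID, "sub": "100813134013939805912",
              "nonce": session["nonce"], "at_hash": at_hash(access_token),
              "iat": now - 47, "exp": now + 3553}
    return validate_claims(jwt_payload(make_demo_id_token(claims)), session, access_token, now)


if __name__ == "__main__":
    print(demo())
```

The audience check is the one that matters most for the later cloud step: the AWS trust policy on slide 15 pins the same Client ID, so an ID token minted for some other OIDC client is rejected both here and by STS.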
  14. "Let Galaxy access my private data": User X creates an AWS IAM Role whose policy grants exactly the access she wants to delegate, and gives Galaxy the Role ARN. AWS IAM Role Policy:
      { "Version": "2012-10-17",
        "Statement": [
          { "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": [ "arn:aws:s3:::my-bucket/hgmm_100_R2.fastq" ],
            "Condition": { "IpAddress": { "aws:SourceIp": "1.2.3.4" } } } ] }
  15. AWS IAM Role Trust: the role may be assumed through sts:AssumeRoleWithWebIdentity only with a token federated from accounts.google.com whose audience is Galaxy's Client ID:
      { "Version": "2012-10-17",
        "Statement": [
          { "Effect": "Allow",
            "Principal": { "Federated": "accounts.google.com" },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": { "StringEquals": { "accounts.google.com:aud": "8936 ... 8o88f.apps.googleusercontent.com" } } } ] }
  16. "Here is my ID and authorization, give me temporary secrets to access User X's private data": Galaxy calls STS with the Role ARN and the user's ID Token:
      https://sts.amazonaws.com/?
        DurationSeconds=3600&
        Action=AssumeRoleWithWebIdentity&
        Version=2011-06-15&
        RoleSessionName=cloudauthz&
        RoleArn=<Role ARN>&
        WebIdentityToken=<ID Token>
  17. Temporary secrets returned by STS:
      AccessKeyId: ASIA4 … AA2ZE
      SecretAccessKey: owi+huRYTTWlL … zujnvKZvS
      SessionToken: FQoGZXIvYXdzEIv//////////wEaDME/ … u0o9fGc5gU=
  18. Role-Based Access Control flow in a nutshell: Galaxy presents its Client ID and the user's ID Token to STS; STS checks them against the role's trust policy and returns temporary secrets that carry only the permissions of the role's policy, and Galaxy uses those secrets to access User X's private data.
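What the two policies on slides 14 and 15 actually permit is easier to see when they are evaluated. The following is an added example, not Galaxy's code: it holds the trust policy and the role policy from the slides as data, evaluates locally whether a token's claims would satisfy the trust policy and whether a given S3 request would satisfy the role policy, and assembles the STS query from slide 16. The Role ARN and account id are constructed and the Client ID is a placeholder (both are elided on the slides); nothing is sent to AWS.

```python
"""AWS side of the flow on slides 14-18: the role's trust policy, the role's
permission policy and the STS AssumeRoleWithWebIdentity request.

Added example, not Galaxy's code. The Role ARN and account id are constructed
and the Client ID is a placeholder. Nothing is sent to AWS: the two policies
are evaluated locally and the STS query is only assembled.
"""
import fnmatch
import ipaddress
from urllib.parse import urlencode

CLIENT_ID = "8936...8o88f.apps.googleusercontent.com"            # placeholder
ROLE_ARN = "arn:aws:iam::123456789012:role/galaxy-cloudauthz"  # constructed

# Slide 15: only Google-issued tokens minted for Galaxy's Client ID may assume the role.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "accounts.google.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {"accounts.google.com:aud": CLIENT_ID}},
    }],
}

# Slide 14: the temporary credentials can only read one object, from one address.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": ["arn:aws:s3:::my-bucket/hgmm_100_R2.fastq"],
        "Condition": {"IpAddress": {"aws:SourceIp": "1.2.3.4"}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_policy_accepts(trust: dict, claims: dict) -> bool:
    """Would STS let a token with these (already signature-verified) claims
    assume the role? The Federated principal must equal the token issuer and
    every StringEquals key of the form "<issuer>:<claim>" must match that claim."""
    issuer = claims.get("iss", "")
    issuer = issuer[len("https://"):] if issuer.startswith("https://") else issuer
    for st in trust["Statement"]:
        if st.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in _as_list(st.get("Action")):
            continue
        if st.get("Principal", {}).get("Federated") != issuer:
            continue
        conditions = st.get("Condition", {}).get("StringEquals", {})
        if all(claims.get(key.split(":", 1)[1]) == value for key, value in conditions.items()):
            return True
    return False


def policy_allows(policy: dict, action: str, resource: str, source_ip: str) -> bool:
    """Minimal evaluator for the Allow-only policy shape on slide 14 (real IAM
    evaluation also handles explicit Deny and many more condition keys)."""
    ip = ipaddress.ip_address(source_ip)
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        cidrs = _as_list(st.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp", []))
        if cidrs and not any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs):
            continue
        return st["Effect"] == "Allow"
    return False


def assume_role_request(role_arn: str, id_token: str, duration: int = 3600) -> str:
    """The STS query from slide 16: Galaxy presents the Role ARN it was given
    and the user's ID token; no long-lived user secret is involved."""
    params = {
        "Action": "AssumeRoleWithWebIdentity",
        "Version": "2011-06-15",
        "DurationSeconds": str(duration),
        "RoleSessionName": "cloudauthz",
        "RoleArn": role_arn,
        "WebIdentityToken": id_token,
    }
    return "https://sts.amazonaws.com/?" + urlencode(params)


if __name__ == "__main__":
    claims = {"iss": "accounts.google.com", "aud": CLIENT_ID, "sub": "100813134013939805912"}
    print(trust_policy_accepts(TRUST_POLICY, claims))
    print(policy_allows(ROLE_POLICY, "s3:GetObject", "arn:aws:s3:::my-bucket/hgmm_100_R2.fastq", "1.2.3.4"))
    print(assume_role_request(ROLE_ARN, "<ID Token>"))
```

Two things the evaluation makes visible: the aud condition in the trust policy is what stops an ID token issued to any other OIDC client from assuming the user's role, and the aws:SourceIp condition in the role policy means the temporary secrets on slide 17 are useful only from the address the user named, so leaking them buys very little.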
  19. Thanks
      Publication: https://www.biorxiv.org/content/10.1101/506238v1
      Demo: https://galaxyproject.org/authnz/cloud/demo/
      Details:
      - https://galaxyproject.org/authnz/cloud/
      - https://galaxyproject.org/authnz/config/oidc/
      - https://galaxyproject.org/authnz/use/oidc/
