Globus Auth is a foundational identity and access management platform service designed to address unique needs of the science and engineering community. It serves to broker authentication and authorization interactions between end-users, identity providers, resource servers (services), and clients (includ- ing web, mobile, desktop, and command line applications, and other services). Globus Auth thus makes it easy, for example, for a researcher to authenticate with one credential, connect to a specific remote storage resource with another identity, and share data with colleagues based on another identity. By eliminating friction associated with the frequent need for multiple accounts, identities, credentials, and groups when using distributed cyber- infrastructure, Globus Auth streamlines the creation, integration, and use of advanced research applications and services. Globus Auth builds upon the OAuth 2 and OpenID Connect specifications to enable standards-compliant integration using existing client libraries. It supports identity federation models that enable diverse identities to be linked together, while also providing delegated access tokens via which client services can obtain short term delegated tokens to access other services. We describe the design and implementation of Globus Auth, and report on experiences integrating it with a range of research resources and services, including the JetStream cloud, XSEDE, NCAR’s Research Data Archive, and FaceBase.
Nell’iperspazio con Rocket: il Framework Web di Rust!
Globus Auth: A Research Identity and Access Management Platform
1. Globus Auth: A Research Identity and
Access Management Platform
Rachana Ananthakrishnan, Kyle Chard,
Ian Foster, Mattias Lidman, Brendan McCollam,
Stephen Rosen, Steven Tuecke
The University of Chicago
Argonne National Laboratory
S. Tuecke, R. Ananthakrishnan, K. Chard, M. Lidman, B. McCollam, S. Rosen, I. Foster, “Globus Auth: A Research
Identity and Access Management Platform,” 12th IEEE International Conference on eScience, October 25, 2016.
3. Thank you to our sponsors!
3
U . S . D E P A R T M E N T O F
ENERGY
4.
5. Researcher
initiates transfer
request; or requested
automatically by script,
science gateway
Curator reviews and
approves; data set published
on campus or other system
Researcher
selects files to
share, selects user
or group, and sets
access permissions
Collaborator logs in
to access shared
files; no local
account needed;
download via
Globus
Researcher
assembles data set;
attaches metadata
(Dublin core,
domain-specific)
Peers, collaborators
search and discover
datasets; transfer and
share using Globus
Publication
repository
Personal Computer
• Only Web browser required
• Use any storage system
• Access using any credential 5
1 3
Share
Publish
Discover
5
6
6
7
8
Compute facilityGlobus transfers
files reliably,
securely
2
Transfer
Sequencing center
Globus controls access to
shared files on existing
storage; no need to move
files to cloud storage!
4
www.globus.org
6. Globus has the best numbers
5
major services
13
national labs
200 PB
transferred
10,000
active endpoints
35 billion
files processed
10,000
active users
50,000
registered users
99.9%
uptime
60+
institutional
subscribers
1 PB
largest single
transfer to date
3 months
longest
continuously
managed transfer
130
federated
campus identities
7. Globus as a platform
Can we enable researchers to leverage Globus services
in their own applications?
And, also, extend Globus with other services?
How do we empower the research community to create
an integrated ecosystem of services and applications?
7
8. Dependent Services
(Resource Servers)
A world of many services, identities, and more
8
Service
(Resource Server)
App
(Client)User
Dependent Services
(Resource Servers)
Resource
server
operator
Identity providers
9. Dependent Services
(Resource Servers)
Identity
Provider
A world of many services, identities, and more
9
Service
(Resource Server)
Identity
Provider
App
(Client)
Dependent Services
(Resource Servers)
Resource
server
operator
Common practice today:
• Services issue identities
• Hard to use external identities
• Username-password authentication
• Expensive, insecure, non-interoperable
• Poor or no treatment of delegation
User
10. Dependent Services
(Resource Servers)
Identity
Provider
A world of many services, identities, and more
10
Service
(Resource Server)
Identity
Provider
App
(Client)
Dependent Services
(Resource Servers)
Resource
server
operator
We need new approaches:
• Slash costs of developing
and operating secure services
• Enhance security in complex,
rapidly changing world
• Enable interoperability among services
User
11. The authentication and authorization challenge
We need to:
• Provide login to apps
– Web, mobile, desktop,
command line
• Protect all REST API
communications
– App Globus service
– App non-Globus service
– Service service
11
While:
• Not introducing more identities
• Providing least privileges security
model
• Being agnostic to programming
language and framework
• Being web friendly
• Making it easy for users and
developers
• Following security best practices
12. Abbreviated historical perspectives
• Kerberos
• Grid Security Infrastructure, Intl Grid Trust Federation
– Secure authentication, multiple IDPs, delegation
• SAML, InCommon, etc.
– Identity management federation, integration with campuses
• Web security infrastructure: OAuth2, OIDC, etc.
– OIDC for retrieving user identity and attributes from IDPs
– OAuth2 defines an authorization service
– We integrate, extend to handle delegation, and apply
12
13. Globus Auth
• Foundational identity and access management (IAM) platform
service
• Simplifies creation and integration of advanced apps and
services
• Brokers authentication and authorization interactions
between:
– End users
– Identity providers: InCommon, XSEDE, Google, portals
– Services: resource servers with REST APIs
– Apps: web, mobile, desktop, command line clients
– Services acting as clients to other services 13
14. Based on widely used web standards
• OAuth 2.0 Authorization Framework (“OAuth2”)
• OpenID Connect Core 1.0 (“OIDC”)
• Allows use of standard OAuth2 and OIDC libraries
– E.g., Google OAuth Client Libraries (Java, Python, etc.),
Apache mod_auth_openidc
14
15. Globus account
• A Globus account is a set
of identities
– A primary identity
o Identity can be primary of only
one account
– One or more linked identities
o Identity can (currently) be linked
to only one account
• Account does not have
own identifier
– Account is uniquely identified
using its primary identity
15
19. Globus Auth interactions
19
Service
(Resource Server)
Identity
Provider
Authorization Server
(Globus Auth)
App
(Client)
User*
HTTPS/REST call
Login
* “Resource Owner” in OAuth2 terminology
20. Globus Auth interactions
20
Service
(Resource Server)
Identity
Provider
• For a set of scopes
– Login: openid, email, profile
– HTTPS/REST APIs
• User selects identity provider
Authorization Server
(Globus Auth)
App
(Client)
1) Request authorization
User
HTTPS/REST call
Login
21. Globus Auth interactions
21
Service
(Resource Server)
Identity
Provider
• Using existing identities
– E.g., XSEDE, University (via
InCommon), Google, web app
• User can link multiple
identities into a single
Globus Account
• No Globus username
(Globus ID) required
• Globus Auth handles naming
details, e.g., ePPN vs ePTID
Authorization Server
(Globus Auth)
App
(Client)
1) Request authorization
2) Authenticate resource owner
User
HTTPS/REST call
Login
22. Globus Auth interactions
22
Service
(Resource Server)
Identity
Provider
• Resource is provided by a
resource server
• Limited by a scope
consent
Authorization Server
(Globus Auth)
App
(Client)
1) Request authorization
2) Authenticate resource owner
3) Obtain authorization (consent)
for client to access a resource
User
HTTPS/REST call
Login
23. Globus Auth interactions
23
Service
(Resource Server)
Identity
Provider
App
(Client)
• Some grant types issue
authorization code, which
client exchanges for access
token
• Access token is opaque to
client
• May include a refresh
token, for offline access
access_token
Authorization Server
(Globus Auth)
1) Request authorization
2) Authenticate resource owner
3) Obtain authorization (consent)
for client to access a resource
4) Issue OAuth2 access_token to client
User
HTTPS/REST call
Login
24. Globus Auth interactions
24
Service
(Resource Server)
Identity
Provider
App
(Client)
JWT id_token:
• sub: Globus Auth identity id
• iss: https://auth.globus.org
• name: full name
• preferred_username:
e.g., tuecke@uchicago.edu
• email: email contact
• other standard OIDC claims
id_token
Authorization Server
(Globus Auth)
1) Request authorization
2) Authenticate resource owner
3) Obtain authorization (consent)
for client to access a resource
4) Issue OAuth2 access_token to client
5) May issue OIDC id_token to client
with resource owner identity
User
HTTPS/REST call
Login
25. Globus Auth interactions
25
Service
(Resource Server)
Authorization Server
(Globus Auth)
Identity
Provider
App
(Client) Authorization:
Bearer <access_token>
1) Request authorization
2) Authenticate resource owner
3) Obtain authorization (consent)
for client to access a resource
4) Issue OAuth2 access_token to client
5) May issue OIDC id_token to client
with resource owner identity
6) HTTPS/REST call with access_token
User
HTTPS/REST call
Login
26. Globus Auth interactions
26
Authorization Server
(Globus Auth)
Identity
Provider
App
(Client)
RFC 7662: OAuth 2.0 Token
Introspection response:
• active: true or false
• client_id
• scope
• sub: Globus Auth identity id
• username: user@myu.edu
• identity_set: linked identities
• email
• name
• other standard claims
access_token
Service
(Resource Server)
1) Request authorization
2) Authenticate resource owner
3) Obtain authorization (consent)
for client to access a resource
4) Issue OAuth2 access_token to client
5) May issue OIDC id_token to client
with resource owner identity
6) HTTPS/REST call with access_token
7) Validate access_token for resource server,
obtain additional info
User
HTTPS/REST call
Login
27. Globus Auth interactions
27
• Allows resource server to act as
client to other resource servers
• Service uses request
access_token to get a
dependent access_token for
each dependent service
• Service acts as client to its
dependent services
Service
(Resource Server)
Authorization Server
(Globus Auth)
Identity
Provider
App
(Client)
HTTPS/REST call
User
Dependent Services
(Resource Servers)
1) Request authorization
2) Authenticate resource owner
3) Obtain authorization (consent)
for client to access a resource
4) Issue OAuth2 access_token to client
5) May issue OIDC id_token to client
with resource owner identity
6) HTTPS/REST call with access_token
7) Validate access_token for resource server,
obtain additional info
8) Issue dependent access tokens to resource server
Login
Dependent
access_token
28. Log in with Globus
• Use existing identities
(Globus Auth acts as broker)
• Then enable access to
community services
29. Simple APIs enable integration into apps
• Identity and access management PaaS
docs.globus.org/api/auth
• Works with any compliant OAuth2/OIDC client
– We recommend Google OAuth client libraries
– Python, Java, PHP, Javascript, .NET
developers.google.com/api-client/library
• Python client library for Globus Auth REST API
globus.github.io/globus-sdk-python
29
(and Globus
transfer API)
30. Creating a REST API service with Globus Auth
• Outsource all identity management and authentication
– Federated identity with InCommon, Google, etc.
• Outsource your REST API security
– Consent, token issuance, validation, revocation
– You provide service-specific authorization
• Apps use your service like all others
– It is standard OAuth2 and OIDC
• Your service can seamlessly leverage other services
• Other services can leverage your service
• Implement your service using any language and framework 30
31. Typical service interactions
• Service receives HTTPS request with header
– Authorization: Bearer <request-access-token>
• Introspects the request access token
– Auth API: POST /v2/oauth2/token/introspect
– Authorized by client_id and client_secret
– Returns: validity, client, scope, effective_identity, identities_set
• Verifies token info
• Authorizes request
• If service needs to act as client to other services:
– Calls Globus Auth Dependent Token Grant
o Returns a token for each dependent service
– Uses correct dependent token for downstream REST call
• Responds to client HTTPS request as appropriate 31
33. You can find sample code on GitHub
https://github.com/globus/globus-sample-data-portal.git 33
34. Desktop
Globus Cloud
Firewall
Science DMZ
Prototypical research data portal
34
Globus
Transfer
Service
Portal Web
Server (Client)
Globus AuthBrowser
User’s
Endpoint
(optional)
Portal
Endpoint
Other
Endpoints
HTTPS
GridFTP
REST Other
Services
Globus Web
Helper Pages
Identity
Providers
Identity
Providers
Identity
Provider
Login
35. Desktop
Globus Cloud
Firewall
Science DMZ
Role of Globus Auth
35
Globus
Transfer
Service
Portal Web
Server (Client)
Globus AuthBrowser
User’s
Endpoint
(optional)
Portal
Endpoint
Other
Endpoints
HTTPS
GridFTP
REST Other
Services
Globus Web
Helper Pages
Identity
Providers
Identity
Providers
Identity
Provider
Login
36. Desktop
Globus Cloud
Firewall
Science DMZ
Role of Globus Transfer and Sharing
36
Globus
Transfer
Service
Portal Web
Server (Client)
Globus AuthBrowser
User’s
Endpoint
(optional)
Portal
Endpoint
Other
Endpoints
HTTPS
GridFTP
REST Other
Services
Globus Web
Helper Pages
Identity
Providers
Identity
Providers
Identity
Provider
Login
37. Desktop
Globus Cloud
Firewall
Science DMZ
Role of Globus web helper pages
37
Globus
Transfer
Service
Portal Web
Server (Client)
Globus AuthBrowser
User’s
Endpoint
(optional)
Portal
Endpoint
Other
Endpoints
HTTPS
GridFTP
REST Other
Services
Globus Web
Helper Pages
Identity
Providers
Identity
Providers
Identity
Provider
Login
38. Globus web helper pages
Globus-provided web pages designed for use by your
web apps. See https://docs.globus.org/api/helper-pages/
– Browse Endpoint
– Select Group
– Logout
38
39. User identity vs. portal identity
User logging into portal results in portal having user’s
identity and access token
– Used to make requests on the user’s behalf
– Use OAuth2 Authorization Code Grant
– User authenticates using their portal identity
Portal may also need its own identity
– Access and refresh tokens for this identity
– Used to make requests on its own behalf
– Use OAuth2 Client Credentials Grant to authenticate the
portal client identity and secret
39
40. Desktop
Globus Cloud
Firewall
Science DMZ
Prototypical research data portal
40
Globus
Transfer
Service
Portal Web
Server (Client)
Globus AuthBrowser
User’s
Endpoint
(optional)
Portal
Endpoint
Other
Endpoints
HTTPS
GridFTP
REST Other
Services
Globus Web
Helper Pages
Identity
Providers
Identity
Providers
Identity
Provider
Login
41. Adding portal as identity provider
If your portal has identities already:
• Deploy OIDC server in front of it
– Globus Python OIDC (coming soon)
– Any standard OIDC server should work
– Requires claim that can map to username
– Optional claims: name, email, organization
• Can register apps and services with an effective identity
policy
– Requires account to have identity from your identity provider
when logging into your app
41
42. Desktop
Globus Cloud
Firewall
Science DMZ
Prototypical research data portal
42
Globus
Transfer
Service
Portal Web
Server (Client)
Globus AuthBrowser
User’s
Endpoint
(optional)
Portal
Endpoint
Other
Endpoints
HTTPS
GridFTP
REST Other
Services
Globus Web
Helper Pages
Identity
Providers
Identity
Providers
Identity
Provider
Login
43. HTTPS to Endpoints
• Each endpoint HTTPS server is a Globus Auth service
(resource server)
– HTTPS requests authorized via Globus Auth issued OAuth2
access tokens
• Web page can link to file on server
– Browser GET will cause HTTPS server to authorize request via
Globus Auth (note SSO)
• Portal (client) can request scope for endpoint
resource server
– Use access token in requests
43
44. Summary
Globus Auth makes it easy to:
• Add user login to your
applications
• Integrate with Globus,
XSEDE, and other services
• Add OAuth2 support to your
service’s REST API
• Create services that leverage other services
Building on this foundation, we can together create an
integrated ecosystem of research services and applications44
Learn more at globus.org!
Editor's Notes
Talk about the Globus as being part of UChicago + ANL, as well as other context setting about how this work came about and is funded
KC – its probably worth saying that services increasingly want to support external identities.. But there are lots of different implementations, so supporting a range of IDPs is challenging.
KC – While following best practices security implementations, being able to audit usage, identity management workflows (e.g., password reset etc.)
OAuth2: Protect the user/resource owner’s long term credentials while still delegating access
Extensions:
Getting user authenticated
Consented so users are consenting to what tokens are being used for
Issuing tokens
Verifying tokens
Globus Auth is a Foundational service for all of these
In some sense it’s an IdP but think of it more as an Identity Broker
Mission is providing a platform for app/service developers to integrated these capabilities so they can access the growing system of IdPs with just a bit of standard code
Based on common web standards
Means you can use all exiting libraries – we don’t ship a Globus Auth client library; go use the Google library or any other that you like.
Tie this back to Globus Web app by showing them the Globus web UI for Account
Google Docs as analogue
I share with your Google identity and you have immediate access to it (I basically set an ACL on it)
What about when I don’t know which Google account to share with??
Challenge is to get Google into the right context (i.e. authenticate with the right account and then get the sharer to confirm access for that account)
Linked identity set resolves this issue – share with one of my identities and I can access the share if I log in with another identity
No UUID for an account since You will never do things at the account level
Actions use identities, not accounts
KC – I wonder if it would be useful to start with the three interaction models from the poster? And then drill down into this auth grant model?
In OAuth2: APP = Client and SERVICE = Resource Server
Trying to provide login information and get tokens to protect comms with the REST API
First step is redirect to Globus to get a set of scopes
Scopes are a fundamental concept
- e.g. scope can be “I want login information”
Talking to services: talk to a scope; service can have multiple scopes
Example: Groups service (API coming soon)
1 scope is full management scope
2nd scope is things like “tell me groups that user belongs to”; this is a key action for many other actions in the Globus service
So an app only needs to use 2nd scope
“Resource Owner” in this case is the user
To do this we will redirect to an IdP
Then after authentication from IdP Globus gets consent for whatever the app needs to do on your behalf
Access token is the thing that allows the client to protect this REST communication
It’s actually a set of access tokens, one for each scope - limits effect of compromise
May also get an ID token if the client asked for OpenID Connect scopes (openid, email, profile)
Now the client can use the access token by setting an HTTP header with the appropriate token
Everything up to this point is standard OAuth2
BUT, this is where we go a step further...
You can build your own services that use these same mechanisms to authorize access for your own app
Extension (new RFC) allows the Service to introspect the token “is the token valid”? “who is it for”? “who am I talking to”?, etc.
Can go a step further
Suppose the service wants to call another service
We call that a dependent service
E.g. service wants to call Globus Transfer on behalf of the user
Same token will not work – cannot be used anywhere else outside of the service
We have this extension, specific to Globus Auth
Uses access token to call Globus Auth and request dependent access tokens for my downstream dependent scopes
For example transfer can get the scope for Groups and check if user is member of a group before taking some action like allowing access to a shared endpoint
Show the Docs site
Add your service to the science cyberinfrastructure platform
KC – will you have time for this amount of RDP detail?
KC Points to make:
Identity broker, identity federation (account linking), delegated access, standard protocols