Globus Auth is a foundational identity and access management platform service designed to address unique needs of the science and engineering community. It serves to broker authentication and authorization interactions between end-users, identity providers, resource servers (services), and clients (includ- ing web, mobile, desktop, and command line applications, and other services). Globus Auth thus makes it easy, for example, for a researcher to authenticate with one credential, connect to a specific remote storage resource with another identity, and share data with colleagues based on another identity. By eliminating friction associated with the frequent need for multiple accounts, identities, credentials, and groups when using distributed cyber- infrastructure, Globus Auth streamlines the creation, integration, and use of advanced research applications and services. Globus Auth builds upon the OAuth 2 and OpenID Connect specifications to enable standards-compliant integration using existing client libraries. It supports identity federation models that enable diverse identities to be linked together, while also providing delegated access tokens via which client services can obtain short term delegated tokens to access other services. We describe the design and implementation of Globus Auth, and report on experiences integrating it with a range of research resources and services, including the JetStream cloud, XSEDE, NCAR’s Research Data Archive, and FaceBase.

1. Globus Auth: A Research Identity and
Access Management Platform
Rachana Ananthakrishnan, Kyle Chard,
Ian Foster, Mattias Lidman, Brendan McCollam,
Stephen Rosen, Steven Tuecke
The University of Chicago
Argonne National Laboratory
S. Tuecke, R. Ananthakrishnan, K. Chard, M. Lidman, B. McCollam, S. Rosen, I. Foster, “Globus Auth: A Research
Identity and Access Management Platform,” 12th IEEE International Conference on eScience, October 25, 2016.

2. 2

3. Thank you to our sponsors!
3
U . S . D E P A R T M E N T O F
ENERGY

5. Researcher
initiates transfer
request; or requested
automatically by script,
science gateway
Curator reviews and
approves; data set published
on campus or other system
Researcher
selects files to
share, selects user
or group, and sets
access permissions
Collaborator logs in
to access shared
files; no local
account needed;
download via
Globus
Researcher
assembles data set;
attaches metadata
(Dublin core,
domain-specific)
Peers, collaborators
search and discover
datasets; transfer and
share using Globus
Publication
repository
Personal Computer
• Only Web browser required
• Use any storage system
• Access using any credential 5
1 3
Share
Publish
Discover
5
6
6
7
8
Compute facilityGlobus transfers
files reliably,
securely
2
Transfer
Sequencing center
Globus controls access to
shared files on existing
storage; no need to move
files to cloud storage!
4
www.globus.org

6. Globus has the best numbers
5
major services
13
national labs
200 PB
transferred
10,000
active endpoints
35 billion
files processed
10,000
active users
50,000
registered users
99.9%
uptime
60+
institutional
subscribers
1 PB
largest single
transfer to date
3 months
longest
continuously
managed transfer
130
federated
campus identities

7. Globus as a platform
Can we enable researchers to leverage Globus services
in their own applications?
And, also, extend Globus with other services?
How do we empower the research community to create
an integrated ecosystem of services and applications?
7

8. Dependent Services
(Resource Servers)
A world of many services, identities, and more
8
Service
(Resource Server)
App
(Client)User
Dependent Services
(Resource Servers)
Resource
server
operator
Identity providers

9. Dependent Services
(Resource Servers)
Identity
Provider
A world of many services, identities, and more
9
Service
(Resource Server)
Identity
Provider
App
(Client)
Dependent Services
(Resource Servers)
Resource
server
operator
Common practice today:
• Services issue identities
• Hard to use external identities
• Username-password authentication
• Expensive, insecure, non-interoperable
• Poor or no treatment of delegation
User

10. Dependent Services
(Resource Servers)
Identity
Provider
A world of many services, identities, and more
10
Service
(Resource Server)
Identity
Provider
App
(Client)
Dependent Services
(Resource Servers)
Resource
server
operator
We need new approaches:
• Slash costs of developing
and operating secure services
• Enhance security in complex,
rapidly changing world
• Enable interoperability among services
User

11. The authentication and authorization challenge
We need to:
• Provide login to apps
– Web, mobile, desktop,
command line
• Protect all REST API
communications
– App  Globus service
– App  non-Globus service
– Service  service
11
While:
• Not introducing more identities
• Providing least privileges security
model
• Being agnostic to programming
language and framework
• Being web friendly
• Making it easy for users and
developers
• Following security best practices

12. Abbreviated historical perspectives
• Kerberos
• Grid Security Infrastructure, Intl Grid Trust Federation
– Secure authentication, multiple IDPs, delegation
• SAML, InCommon, etc.
– Identity management federation, integration with campuses
• Web security infrastructure: OAuth2, OIDC, etc.
– OIDC for retrieving user identity and attributes from IDPs
– OAuth2 defines an authorization service
– We integrate, extend to handle delegation, and apply
12

13. Globus Auth
• Foundational identity and access management (IAM) platform
service
• Simplifies creation and integration of advanced apps and
services
• Brokers authentication and authorization interactions
between:
– End users
– Identity providers: InCommon, XSEDE, Google, portals
– Services: resource servers with REST APIs
– Apps: web, mobile, desktop, command line clients
– Services acting as clients to other services 13

14. Based on widely used web standards
• OAuth 2.0 Authorization Framework (“OAuth2”)
• OpenID Connect Core 1.0 (“OIDC”)
• Allows use of standard OAuth2 and OIDC libraries
– E.g., Google OAuth Client Libraries (Java, Python, etc.),
Apache mod_auth_openidc
14

15. Globus account
• A Globus account is a set
of identities
– A primary identity
o Identity can be primary of only
one account
– One or more linked identities
o Identity can (currently) be linked
to only one account
• Account does not have
own identifier
– Account is uniquely identified
using its primary identity
15

16. Globus Auth integration models:
(1) Client credentials grant
16
Third-Party
Service
(Client)
1. Authenticate (credentials)
Globus Auth
(Authorization Server)
2. Access Tokens

17. Globus Auth integration models:
(2) Authentication grant with delegation
17
Globus
Transfer
(Resource Server)
Third-Party
Service
(Client)
2. Redirect (Authenticate)
4. Auth Code
5. Exchange Code
6. Access
Tokens
External
Service
3.Authenticate
Globus Auth
(Authorization Server)

18. Globus Auth integration models:
(3) Native app grant
18
Native App
4. Auth Code
3.Authenticate
6. Exchange Code
7. Access
Tokens
Globus Auth
(Authorization Server)

19. Globus Auth interactions
19
Service
(Resource Server)
Identity
Provider
Authorization Server
(Globus Auth)
App
(Client)
User*
HTTPS/REST call
Login
* “Resource Owner” in OAuth2 terminology

20. Globus Auth interactions
20
Service
(Resource Server)
Identity
Provider
• For a set of scopes
– Login: openid, email, profile
– HTTPS/REST APIs
• User selects identity provider
Authorization Server
(Globus Auth)
App
(Client)
1) Request authorization
User
HTTPS/REST call
Login

21. Globus Auth interactions
21
Service
(Resource Server)
Identity
Provider
• Using existing identities
– E.g., XSEDE, University (via
InCommon), Google, web app
• User can link multiple
identities into a single
Globus Account
• No Globus username
(Globus ID) required
• Globus Auth handles naming
details, e.g., ePPN vs ePTID
Authorization Server
(Globus Auth)
App
(Client)
1) Request authorization
2) Authenticate resource owner
User
HTTPS/REST call
Login

22. Globus Auth interactions
22
Service
(Resource Server)
Identity
Provider
• Resource is provided by a
resource server
• Limited by a scope
consent
Authorization Server
(Globus Auth)
App
(Client)
1) Request authorization
2) Authenticate resource owner
3) Obtain authorization (consent)
for client to access a resource
User
HTTPS/REST call
Login

23. Globus Auth interactions
23
Service
(Resource Server)
Identity
Provider
App
(Client)
• Some grant types issue
authorization code, which
client exchanges for access
token
• Access token is opaque to
client
• May include a refresh
token, for offline access
access_token
Authorization Server
(Globus Auth)
1) Request authorization
2) Authenticate resource owner
3) Obtain authorization (consent)
for client to access a resource
4) Issue OAuth2 access_token to client
User
HTTPS/REST call
Login

24. Globus Auth interactions
24
Service
(Resource Server)
Identity
Provider
App
(Client)
JWT id_token:
• sub: Globus Auth identity id
• iss: https://auth.globus.org
• name: full name
• preferred_username:
e.g., tuecke@uchicago.edu
• email: email contact
• other standard OIDC claims
id_token
Authorization Server
(Globus Auth)
1) Request authorization
2) Authenticate resource owner
3) Obtain authorization (consent)
for client to access a resource
4) Issue OAuth2 access_token to client
5) May issue OIDC id_token to client
with resource owner identity
User
HTTPS/REST call
Login

25. Globus Auth interactions
25
Service
(Resource Server)
Authorization Server
(Globus Auth)
Identity
Provider
App
(Client) Authorization:
Bearer <access_token>
1) Request authorization
2) Authenticate resource owner
3) Obtain authorization (consent)
for client to access a resource
4) Issue OAuth2 access_token to client
5) May issue OIDC id_token to client
with resource owner identity
6) HTTPS/REST call with access_token
User
HTTPS/REST call
Login

26. Globus Auth interactions
26
Authorization Server
(Globus Auth)
Identity
Provider
App
(Client)
RFC 7662: OAuth 2.0 Token
Introspection response:
• active: true or false
• client_id
• scope
• sub: Globus Auth identity id
• username: user@myu.edu
• identity_set: linked identities
• email
• name
• other standard claims
access_token
Service
(Resource Server)
1) Request authorization
2) Authenticate resource owner
3) Obtain authorization (consent)
for client to access a resource
4) Issue OAuth2 access_token to client
5) May issue OIDC id_token to client
with resource owner identity
6) HTTPS/REST call with access_token
7) Validate access_token for resource server,
obtain additional info
User
HTTPS/REST call
Login

27. Globus Auth interactions
27
• Allows resource server to act as
client to other resource servers
• Service uses request
access_token to get a
dependent access_token for
each dependent service
• Service acts as client to its
dependent services
Service
(Resource Server)
Authorization Server
(Globus Auth)
Identity
Provider
App
(Client)
HTTPS/REST call
User
Dependent Services
(Resource Servers)
1) Request authorization
2) Authenticate resource owner
3) Obtain authorization (consent)
for client to access a resource
4) Issue OAuth2 access_token to client
5) May issue OIDC id_token to client
with resource owner identity
6) HTTPS/REST call with access_token
7) Validate access_token for resource server,
obtain additional info
8) Issue dependent access tokens to resource server
Login
Dependent
access_token

28. Log in with Globus
• Use existing identities
(Globus Auth acts as broker)
• Then enable access to
community services

29. Simple APIs enable integration into apps
• Identity and access management PaaS
docs.globus.org/api/auth
• Works with any compliant OAuth2/OIDC client
– We recommend Google OAuth client libraries
– Python, Java, PHP, Javascript, .NET
developers.google.com/api-client/library
• Python client library for Globus Auth REST API
globus.github.io/globus-sdk-python
29
(and Globus
transfer API)

30. Creating a REST API service with Globus Auth
• Outsource all identity management and authentication
– Federated identity with InCommon, Google, etc.
• Outsource your REST API security
– Consent, token issuance, validation, revocation
– You provide service-specific authorization
• Apps use your service like all others
– It is standard OAuth2 and OIDC
• Your service can seamlessly leverage other services
• Other services can leverage your service
• Implement your service using any language and framework 30

31. Typical service interactions
• Service receives HTTPS request with header
– Authorization: Bearer <request-access-token>
• Introspects the request access token
– Auth API: POST /v2/oauth2/token/introspect
– Authorized by client_id and client_secret
– Returns: validity, client, scope, effective_identity, identities_set
• Verifies token info
• Authorizes request
• If service needs to act as client to other services:
– Calls Globus Auth Dependent Token Grant
o Returns a token for each dependent service
– Uses correct dependent token for downstream REST call
• Responds to client HTTPS request as appropriate 31

32. 32

33. You can find sample code on GitHub
https://github.com/globus/globus-sample-data-portal.git 33

34. Desktop
Globus Cloud
Firewall
Science DMZ
Prototypical research data portal
34
Globus
Transfer
Service
Portal Web
Server (Client)
Globus AuthBrowser
User’s
Endpoint
(optional)
Portal
Endpoint
Other
Endpoints
HTTPS
GridFTP
REST Other
Services
Globus Web
Helper Pages
Identity
Providers
Identity
Providers
Identity
Provider
Login

35. Desktop
Globus Cloud
Firewall
Science DMZ
Role of Globus Auth
35
Globus
Transfer
Service
Portal Web
Server (Client)
Globus AuthBrowser
User’s
Endpoint
(optional)
Portal
Endpoint
Other
Endpoints
HTTPS
GridFTP
REST Other
Services
Globus Web
Helper Pages
Identity
Providers
Identity
Providers
Identity
Provider
Login

36. Desktop
Globus Cloud
Firewall
Science DMZ
Role of Globus Transfer and Sharing
36
Globus
Transfer
Service
Portal Web
Server (Client)
Globus AuthBrowser
User’s
Endpoint
(optional)
Portal
Endpoint
Other
Endpoints
HTTPS
GridFTP
REST Other
Services
Globus Web
Helper Pages
Identity
Providers
Identity
Providers
Identity
Provider
Login

37. Desktop
Globus Cloud
Firewall
Science DMZ
Role of Globus web helper pages
37
Globus
Transfer
Service
Portal Web
Server (Client)
Globus AuthBrowser
User’s
Endpoint
(optional)
Portal
Endpoint
Other
Endpoints
HTTPS
GridFTP
REST Other
Services
Globus Web
Helper Pages
Identity
Providers
Identity
Providers
Identity
Provider
Login

38. Globus web helper pages
Globus-provided web pages designed for use by your
web apps. See https://docs.globus.org/api/helper-pages/
– Browse Endpoint
– Select Group
– Logout
38

39. User identity vs. portal identity
User logging into portal results in portal having user’s
identity and access token
– Used to make requests on the user’s behalf
– Use OAuth2 Authorization Code Grant
– User authenticates using their portal identity
Portal may also need its own identity
– Access and refresh tokens for this identity
– Used to make requests on its own behalf
– Use OAuth2 Client Credentials Grant to authenticate the
portal client identity and secret
39

40. Desktop
Globus Cloud
Firewall
Science DMZ
Prototypical research data portal
40
Globus
Transfer
Service
Portal Web
Server (Client)
Globus AuthBrowser
User’s
Endpoint
(optional)
Portal
Endpoint
Other
Endpoints
HTTPS
GridFTP
REST Other
Services
Globus Web
Helper Pages
Identity
Providers
Identity
Providers
Identity
Provider
Login

41. Adding portal as identity provider
If your portal has identities already:
• Deploy OIDC server in front of it
– Globus Python OIDC (coming soon)
– Any standard OIDC server should work
– Requires claim that can map to username
– Optional claims: name, email, organization
• Can register apps and services with an effective identity
policy
– Requires account to have identity from your identity provider
when logging into your app
41

42. Desktop
Globus Cloud
Firewall
Science DMZ
Prototypical research data portal
42
Globus
Transfer
Service
Portal Web
Server (Client)
Globus AuthBrowser
User’s
Endpoint
(optional)
Portal
Endpoint
Other
Endpoints
HTTPS
GridFTP
REST Other
Services
Globus Web
Helper Pages
Identity
Providers
Identity
Providers
Identity
Provider
Login

43. HTTPS to Endpoints
• Each endpoint HTTPS server is a Globus Auth service
(resource server)
– HTTPS requests authorized via Globus Auth issued OAuth2
access tokens
• Web page can link to file on server
– Browser GET will cause HTTPS server to authorize request via
Globus Auth (note SSO)
• Portal (client) can request scope for endpoint
resource server
– Use access token in requests
43

44. Summary
Globus Auth makes it easy to:
• Add user login to your
applications
• Integrate with Globus,
XSEDE, and other services
• Add OAuth2 support to your
service’s REST API
• Create services that leverage other services
Building on this foundation, we can together create an
integrated ecosystem of research services and applications44
Learn more at globus.org!