User X, Galaxy, Cloud: the naive exchange
User X → Galaxy: Get data from my S3 bucket to my history
Galaxy → Cloud: Give me User X's bucket
Cloud → Galaxy: Give me your secrets!
Galaxy (or any middleware, any science gateway) → User X: Hey, can you share your secrets with me?
Do NOT ask for the user's credentials, because:
• Obtaining credentials demands a degree of familiarity with the provider, which is usually not intuitive for general users;
• Storing those credentials securely becomes a liability for Galaxy;
• Long-lived credentials give Galaxy the same level of privileges as the user, far more than the task needs;
• Stolen credentials remain valid until the user notices and manually revokes them.
Instead:
• Use server-to-server communication, and minimize user interaction/intervention;
• Use token-based authentication and authorization;
• Use temporary tokens;
• Use role-based access control.
User X, Galaxy, Cloud: the exchange with delegated authorization
Galaxy → Cloud: User X has authorized me to access her private bucket
Cloud → Galaxy: Who are you? Who is User X? What is your authorization?
Galaxy → Cloud: User X authorized me
Cloud → Galaxy: Who are you? Who is User X? What is your authorization?
Three questions, each answered by its own artifact: Galaxy's OIDC Client ID, User X's OIDC ID Token, and the temporary secrets issued for the role User X creates.
Who are you? Galaxy's OIDC Client ID
Register Galaxy as an OIDC Client with the identity provider (Google here):
Client ID: 8936 … 8o88f.apps.googleusercontent.com
Who is User X? Give me a proof of User X's identity
Galaxy redirects User X's browser to the provider's authorization endpoint:
https://accounts.google.com/o/oauth2/auth?
nonce=U9zZAIsacYEB7lJ3FZxO9G3nfzPaIxrl94Vnr5f2WfLMc8KQoG3C2B8LP2IGlwAW&
state=zCbXw5YEEiHHqsOEWQnkydFfolBYYWFB&
redirect_uri=http://localhost:8080/authnz/google/callback&
prompt=consent&
response_type=code&
client_id=8936 … 8o88f.apps.googleusercontent.com&
scope=openid+email+profile+https://www.googleapis.com/auth/user.birthday.read&
access_type=offline
The redirect_uri here is a localhost demo instance; in production it must be an HTTPS URL registered with the provider for this client ID. state is a fresh random value per request and is checked when the callback arrives; nonce is a fresh random value per request and is checked inside the ID token that comes back.
This one authorization request asks for two things:
User's Authentication (who they are): the openid scope, answered with an ID token;
User's Authorization (what they allow you to do): the remaining scopes the user consents to on the provider's screen.
Here is your proof
The provider sends the browser back to Galaxy's redirect_uri carrying an authorization code and the echoed state:
{
"code": "4/NwEDKgZ2GZFbzd … I7xeXhvWEBESoc",
"prompt": "consent",
"state": "zCbXw5YEEiHHqsOEWQnkydFfolBYYWFB",
"session_state": "ccd20afbeec42f7711fb787ebebde0b38ff85255..85bb",
"scope": "email profile openid https://www.googleapis.com/auth/userinfo.email
https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/user.birthday.read",
"authuser": "0"
}
Galaxy must compare state with the value it issued for this browser session before redeeming the code; the scope field lists what the user actually granted, which may be less than what was requested.
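The redirect and callback above, as an added example that is not Galaxy's own code. It assumes a dict-backed server-side session; the client ID is a placeholder for the value the page truncates.

```python
import secrets
import urllib.parse

# Endpoint, redirect URI and scopes as they appear on the page. The client ID
# is truncated there, so a placeholder stands in for it (assumption).
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"
CLIENT_ID = "8936...8o88f.apps.googleusercontent.com"
REDIRECT_URI = "http://localhost:8080/authnz/google/callback"
SCOPES = ["openid", "email", "profile",
          "https://www.googleapis.com/auth/user.birthday.read"]


def parse_query(query: str) -> dict:
    """Decode an application/x-www-form-urlencoded query string into a dict."""
    return dict(urllib.parse.parse_qsl(query, keep_blank_values=True))


def new_authorization_request(session: dict) -> str:
    """Create fresh state and nonce, store them server-side, build the redirect URL.

    state is what the callback handler compares against (binds the callback to
    this browser session); nonce is echoed inside the ID token and checked when
    the token is validated.
    """
    state = secrets.token_urlsafe(24)
    nonce = secrets.token_urlsafe(48)
    session["oidc_state"] = state
    session["oidc_nonce"] = nonce
    params = {
        "nonce": nonce,
        "state": state,
        "redirect_uri": REDIRECT_URI,
        "prompt": "consent",        # always show consent (Google needs this to re-issue a refresh token)
        "response_type": "code",    # authorization code grant
        "client_id": CLIENT_ID,
        "scope": " ".join(SCOPES),  # urlencode renders the spaces as '+', as on the page
        "access_type": "offline",   # ask for a refresh token
    }
    return AUTH_ENDPOINT + "?" + urllib.parse.urlencode(params)


def handle_callback(session: dict, query: str) -> str:
    """Return the authorization code from the callback, or raise PermissionError.

    The stored state is consumed on first use, so a forged callback (wrong state)
    or a replayed one (same state delivered twice) is rejected.
    """
    params = parse_query(query)
    if "error" in params:
        raise PermissionError(f"provider returned error: {params['error']}")
    expected = session.pop("oidc_state", None)
    received = params.get("state", "")
    if expected is None or not received.isascii() \
            or not secrets.compare_digest(expected, received):
        raise PermissionError("state mismatch: callback is not bound to this session")
    code = params.get("code")
    if not code:
        raise PermissionError("callback carried no authorization code")
    return code


if __name__ == "__main__":
    session = {}
    print(new_authorization_request(session))
    # Constructed callback, shaped like the one the browser delivers after consent.
    callback = urllib.parse.urlencode({"code": "4/constructed-code",
                                       "state": session["oidc_state"],
                                       "scope": "openid email profile"})
    print(handle_callback(session, callback))
```

The nonce stays in the session after the callback; it is consumed later, when the ID token returned by the code exchange is validated.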
Galaxy redeems the code at the provider's token endpoint, server-to-server, and receives User X's OIDC ID Token:
Here is your proof
{
"access_token": "… 129 chars …",
"auth_time": 1556220254,
"expires": 3600,
"id_token": "… 1000 chars …",
"refresh_token": "… 45 chars …",
"token_type": "Bearer"
}
ID token:
- is a JWT, signed by the provider
- contains claims about the authentication of the end user (who they are, when they authenticated, for which client)
Access token:
- is not a JWT (Google's access tokens are opaque strings)
- is a bearer token that can be used to request information from the provider's APIs on the user's behalf
The refresh_token is returned because the request asked for access_type=offline with prompt=consent; it is long-lived and must be stored with the same care as a credential.
Part of a decoded ID token:
Payload
{
"iss": "accounts.google.com",
"azp": "…",
"aud": "8936 ... 8o88f.apps.googleusercontent.com",
"sub": "100813134013939805912",
"email": "jalili.vahid@gmail.com",
"email_verified": true,
"at_hash": "oRKH9-7HUwPJx-OxBSR-TA",
"nonce": "…",
"iat": 1556220253,
"exp": 1556223853
}
That is the Authorization Code Grant flow in a nutshell. Before trusting the payload above, Galaxy must verify the token's signature against the provider's published keys and check that iss is the expected issuer, aud equals Galaxy's own client ID, nonce equals the value sent in the authorization request, and exp has not passed. sub, not email, is the stable identifier for User X.
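The claim checks listed above, as an added example that is not Galaxy's own code. It uses only the standard library, so it cannot fetch Google's signing keys: the signature step is named but not performed, and the fixture token is constructed with a dummy signature. The client ID and nonce are placeholders because the page elides them.

```python
import base64
import json
import time

# Placeholder for the client ID the page truncates (assumption).
CLIENT_ID = "8936...8o88f.apps.googleusercontent.com"
# Google issues ID tokens under either spelling of its issuer.
TRUSTED_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}


class IdTokenError(ValueError):
    """Raised when an ID token must not be trusted."""


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unverified_token(payload: dict) -> str:
    """Constructed fixture: a JWS-shaped string with a dummy signature.

    A real ID token is RS256-signed by Google; this only lets the example run offline.
    """
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "example"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.{_b64url_encode(b'not-a-real-signature')}"


def decode_payload(id_token: str) -> dict:
    """Split the compact JWS and decode its payload.

    The signature is NOT verified here. In production, verify it against the keys
    at the issuer's JWKS endpoint (or let a JOSE library do so) before calling
    validate_claims(): a token that decodes is not a token that is trusted.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise IdTokenError("expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    if str(header.get("alg", "none")).lower() == "none":
        raise IdTokenError("unsigned token rejected")
    return json.loads(_b64url_decode(parts[1]))


def validate_claims(claims: dict, expected_nonce: str, now=None, leeway: int = 60) -> str:
    """Check the claims the page shows and return sub, the stable user identifier."""
    now = time.time() if now is None else now
    if claims.get("iss") not in TRUSTED_ISSUERS:
        raise IdTokenError(f"untrusted issuer {claims.get('iss')!r}")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in audiences:
        raise IdTokenError("token was not issued for this client")
    # With several audiences, azp must name this client (OIDC Core 3.1.3.7).
    if len(audiences) > 1 and claims.get("azp") != CLIENT_ID:
        raise IdTokenError("azp does not name this client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] + leeway < now:
        raise IdTokenError("token expired")
    if not isinstance(claims.get("iat"), (int, float)) or claims["iat"] - leeway > now:
        raise IdTokenError("token issued in the future")
    if claims.get("nonce") != expected_nonce:
        raise IdTokenError("nonce mismatch: token is not bound to our request")
    sub = claims.get("sub")
    if not sub:
        raise IdTokenError("missing sub")
    # Key user records on sub, not email: an email address can change or be reassigned.
    return sub


def is_trusted(id_token: str, expected_nonce: str, now=None) -> bool:
    """True if the token decodes and every claim check passes (signature check aside)."""
    try:
        validate_claims(decode_payload(id_token), expected_nonce, now)
        return True
    except ValueError:          # IdTokenError, bad base64 and bad JSON all land here
        return False


# Claims from the page's decoded ID token; nonce and azp are elided there,
# so placeholders are used for them.
PAGE_CLAIMS = {
    "iss": "accounts.google.com",
    "azp": CLIENT_ID,
    "aud": CLIENT_ID,
    "sub": "100813134013939805912",
    "nonce": "example-nonce",
    "iat": 1556220253,
    "exp": 1556223853,
}

if __name__ == "__main__":
    token = make_unverified_token(PAGE_CLAIMS)
    print(validate_claims(decode_payload(token), "example-nonce", now=1556220300))
```

now is passed explicitly so the page's 2019 timestamps validate; with the default wall clock the same token is correctly rejected as expired.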
What is your authorization? Let Galaxy access my private data
User X creates an AWS IAM role for Galaxy. The role carries two policies. The role policy states what the role may do:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::my-bucket/hgmm_100_R2.fastq"
],
"Condition": {
"IpAddress": {
"aws:SourceIp": "1.2.3.4"
}
}
}
]
}
AWS IAM Role Policy
This policy grants s3:GetObject on a single object, and only when the request originates from 1.2.3.4 (Galaxy's address), so temporary secrets issued for this role are useless from anywhere else.
AWS IAM Role Trust
The trust policy states who may assume the role:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "accounts.google.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"accounts.google.com:aud": "8936 ... 8o88f.apps.googleusercontent.com"
}
}
}]
}
Role ARN
User X hands the Role ARN to Galaxy. Note what this trust policy checks: the ID token must come from accounts.google.com and carry aud equal to Galaxy's client ID. That proves the token was issued to Galaxy, but not that it belongs to User X; any Google-authenticated user of the same Galaxy instance could present a qualifying token. To bind the role to User X, the condition also needs accounts.google.com:sub equal to her sub claim.
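A hardened trust policy, added here as an example rather than taken from the page, that keeps the aud check and adds the sub shown in the decoded ID token above, so only User X's tokens can assume the role:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Federated": "accounts.google.com" },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "accounts.google.com:aud": "8936 ... 8o88f.apps.googleusercontent.com",
          "accounts.google.com:sub": "100813134013939805912"
        }
      }
    }
  ]
}
```

Both keys must match for the same token: aud pins the client, sub pins the user. The client ID is still the truncated value from the page.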
Here is my ID and authorization, give me temporary secrets to access User X's private data
Galaxy calls AWS STS with the Role ARN and the ID token:
https://sts.amazonaws.com/?
DurationSeconds=3600&
Action=AssumeRoleWithWebIdentity&
Version=2011-06-15&
RoleSessionName=cloudauthz&
RoleArn=<Role ARN>&
WebIdentityToken=<ID Token>
The request carries no AWS signature; the ID token is the proof, so STS checks its signature and expiry and evaluates the trust policy conditions before answering.
Temporary secrets
STS answers with temporary secrets scoped to the role:
AccessKeyId: ASIA4 … AA2ZE
SecretAccessKey: owi+huRYTTWlL … zujnvKZvS
SessionToken: FQoGZXIvYXdzEIv//////////wEaDME/ … u0o9fGc5gU=
The ASIA prefix marks them as temporary: they expire after DurationSeconds, every S3 request must present the SessionToken alongside the key pair, and they carry only the role policy's permissions.
That is the Role-Based Access Control flow in a nutshell: Galaxy never holds User X's cloud credentials, only short-lived, narrowly scoped secrets derived from her ID token and the role she created.
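The STS call and its answer, as an added example that is not Galaxy's own code. It encodes the request above and parses a constructed AssumeRoleWithWebIdentity response; the secret values in the sample are dummies, while the XML shape and the 2011-06-15 namespace are those of the real STS API. Only the standard library is used, so it runs offline; real use would send the encoded body to https://sts.amazonaws.com/.

```python
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime

STS_ENDPOINT = "https://sts.amazonaws.com/"
STS_NS = "{https://sts.amazonaws.com/doc/2011-06-15/}"   # namespace of the 2011-06-15 API


def build_assume_role_request(role_arn: str, id_token: str,
                              session_name: str = "cloudauthz",
                              duration_seconds: int = 3600) -> str:
    """Encode the AssumeRoleWithWebIdentity call the page shows.

    The call is unsigned: the ID token is the proof. Prefer sending the encoded
    string as a POST body rather than a GET query so the token does not end up
    in proxy or server access logs.
    """
    if not 900 <= duration_seconds <= 43200:
        raise ValueError("DurationSeconds must be 900..43200; the role's MaxSessionDuration caps it further")
    if not role_arn.startswith("arn:aws:iam::"):
        raise ValueError("RoleArn must be an IAM role ARN")
    params = {
        "Action": "AssumeRoleWithWebIdentity",
        "Version": "2011-06-15",
        "DurationSeconds": str(duration_seconds),
        "RoleSessionName": session_name,
        "RoleArn": role_arn,
        "WebIdentityToken": id_token,
    }
    return urllib.parse.urlencode(params)


def _parse_utc(stamp: str) -> datetime:
    """STS returns ISO-8601 UTC timestamps such as 2019-04-25T20:24:14Z."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def parse_credentials(xml_body: str, expected_sub: str) -> dict:
    """Extract the temporary secrets from an STS response and sanity-check them."""
    root = ET.fromstring(xml_body)
    result = root.find(f"{STS_NS}AssumeRoleWithWebIdentityResult")
    if result is None:
        raise ValueError("not an AssumeRoleWithWebIdentity response")
    # Bind the credentials to the user whose ID token was presented.
    subject = result.findtext(f"{STS_NS}SubjectFromWebIdentityToken")
    if subject != expected_sub:
        raise ValueError(f"STS saw subject {subject!r}, expected {expected_sub!r}")
    creds_el = result.find(f"{STS_NS}Credentials")
    if creds_el is None:
        raise ValueError("response has no Credentials element")
    creds = {child.tag[len(STS_NS):]: (child.text or "") for child in creds_el}
    for key in ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration"):
        if not creds.get(key):
            raise ValueError(f"missing {key}")
    # Temporary credentials carry an ASIA... key ID and need the SessionToken on
    # every request; a long-lived AKIA... key here would mean something is wrong.
    if not creds["AccessKeyId"].startswith("ASIA"):
        raise ValueError("expected temporary (ASIA...) credentials")
    creds["Expiration"] = _parse_utc(creds["Expiration"])
    return creds


def seconds_remaining(creds: dict, now_utc: str) -> int:
    """Seconds until the credentials expire at the given ISO-8601 UTC time (<= 0 means expired)."""
    return int((creds["Expiration"] - _parse_utc(now_utc)).total_seconds())


# Constructed STS response. The subject and audience are the page's values;
# the account ID, role name and all secret values are dummies.
SAMPLE_STS_RESPONSE = """<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithWebIdentityResult>
    <SubjectFromWebIdentityToken>100813134013939805912</SubjectFromWebIdentityToken>
    <Audience>8936...8o88f.apps.googleusercontent.com</Audience>
    <AssumedRoleUser>
      <Arn>arn:aws:sts::123456789012:assumed-role/galaxy-reader/cloudauthz</Arn>
      <AssumedRoleId>AROAEXAMPLEROLEID:cloudauthz</AssumedRoleId>
    </AssumedRoleUser>
    <Credentials>
      <SessionToken>FQoGZXIvYXdzEXAMPLESESSIONTOKEN</SessionToken>
      <SecretAccessKey>EXAMPLESECRETACCESSKEY0000000000000000</SecretAccessKey>
      <Expiration>2019-04-25T20:24:14Z</Expiration>
      <AccessKeyId>ASIAEXAMPLEACCESSKEY</AccessKeyId>
    </Credentials>
    <Provider>accounts.google.com</Provider>
  </AssumeRoleWithWebIdentityResult>
  <ResponseMetadata>
    <RequestId>00000000-0000-0000-0000-000000000000</RequestId>
  </ResponseMetadata>
</AssumeRoleWithWebIdentityResponse>"""

if __name__ == "__main__":
    print(STS_ENDPOINT + "?" + build_assume_role_request(
        "arn:aws:iam::123456789012:role/galaxy-reader", "<ID Token>"))
    creds = parse_credentials(SAMPLE_STS_RESPONSE, expected_sub="100813134013939805912")
    print(creds["AccessKeyId"], creds["Expiration"].isoformat())
```

The SubjectFromWebIdentityToken check closes the gap left by a trust policy that tests only aud: even if the role admits any user of the instance, Galaxy refuses to attach credentials obtained with one user's token to another user's session.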
Thanks
Publication:
- https://www.biorxiv.org/content/10.1101/506238v1
Demo:
- https://galaxyproject.org/authnz/cloud/demo/
Details:
- https://galaxyproject.org/authnz/cloud/
- https://galaxyproject.org/authnz/config/oidc/
- https://galaxyproject.org/authnz/use/oidc/

User Authentication and Cloud Authorization in the Galaxy project: https://doi.org/10.1101/506238
