globus auth: a research identity and access management platform
TRANSCRIPT
Globus Auth: A Research Identity and Access Management Platform
Rachana Ananthakrishnan, Kyle Chard, Ian Foster, Mattias Lidman, Brendan McCollam, Stephen Rosen, Steven TueckeThe University of ChicagoArgonne National Laboratory
S. Tuecke, R. Ananthakrishnan, K. Chard, M. Lidman, B. McCollam, S. Rosen, I. Foster, “Globus Auth: A Research Identity and Access Management Platform,” 12th IEEE International Conference on eScience, October 25, 2016.
2
3
Thank you to our sponsors!U . S . D E PA RT M E N T O F
ENERGY
Researcher initiates transfer request; or requested automatically by script, science gateway
Curator reviews and approves; data set published
on campus or other system
Researcher selects files to
share, selects user or group, and sets
access permissions
Collaborator logs in to access shared
files; no local account needed;
download via Globus
Researcher assembles data set; attaches metadata
(Dublin core, domain-specific)
Peers, collaborators search and discover datasets; transfer and share using Globus
Publication repository
Personal Computer
• Only Web browser required• Use any storage system• Access using any credential 5
1 3
SharePublish
Discover
5
6
6
7
8
Compute facilityGlobus transfers files reliably, securely
2
Transfer
Sequencing centerGlobus controls access to
shared files on existing storage; no need to move
files to cloud storage!
4
www.globus.org
Globus has the best numbers
5 major services
13 national labs
200 PBtransferred
10,000 active endpoints
35 billion
files processed
10,000 active users
50,000 registered users
99.9%uptime
60+institutional subscribers
1 PBlargest single
transfer to date
3 months longest
continuously managed transfer
130 federated
campus identities
7
Globus as a platform
Can we enable researchers to leverage Globus services in their own applications?And, also, extend Globus with other services?
How do we empower the research community to create an integrated ecosystem of services and applications?
8
Dependent Services(Resource Servers)
A world of many services, identities, and more
Service(Resource Server)
App(Client)User
Dependent Services(Resource Servers)
Resourceserver
operator
Identity providers
9
Dependent Services(Resource Servers)
Identity Provider
A world of many services, identities, and more
Service(Resource Server)
Identity Provider
App(Client)
Dependent Services(Resource Servers)
Resourceserver
operator
Common practice today: • Services issue identities
• Hard to use external identities
• Username-password authentication
• Expensive, insecure, non-interoperable
• Poor or no treatment of delegation
User
10
Dependent Services(Resource Servers)
Identity Provider
A world of many services, identities, and more
Service(Resource Server)
Identity Provider
App(Client)
Dependent Services(Resource Servers)
Resourceserver
operator
We need new approaches:• Slash costs of developing
and operating secure services
• Enhance security in complex, rapidly changing world
• Enable interoperability among services
User
11
The authentication and authorization challenge
We need to:• Provide login to apps
– Web, mobile, desktop, command line
• Protect all REST API communications– App Globus service– App non-Globus service– Service service
While:• Not introducing more identities• Providing least privileges security
model• Being agnostic to programming
language and framework• Being web friendly• Making it easy for users and
developers• Following security best practices
12
Abbreviated historical perspectives
• Kerberos• Grid Security Infrastructure, Intl Grid Trust Federation
– Secure authentication, multiple IDPs, delegation
• SAML, InCommon, etc.– Identity management federation, integration with campuses
• Web security infrastructure: OAuth2, OIDC, etc.– OIDC for retrieving user identity and attributes from IDPs– OAuth2 defines an authorization service– We integrate, extend to handle delegation, and apply
13
Globus Auth
• Foundational identity and access management (IAM) platform service
• Simplifies creation and integration of advanced apps and services
• Brokers authentication and authorization interactions between:– End users– Identity providers: InCommon, XSEDE, Google, portals– Services: resource servers with REST APIs– Apps: web, mobile, desktop, command line clients– Services acting as clients to other services
14
Based on widely used web standards
• OAuth 2.0 Authorization Framework (“OAuth2”)
• OpenID Connect Core 1.0 (“OIDC”)
• Allows use of standard OAuth2 and OIDC libraries– E.g., Google OAuth Client Libraries (Java, Python, etc.),
Apache mod_auth_openidc
15
Globus account• A Globus account is a set
of identities– A primary identity
o Identity can be primary of only one account
– One or more linked identitieso Identity can (currently) be linked
to only one account
• Account does not have own identifier– Account is uniquely identified
using its primary identity
16
Globus Auth integration models:(1) Client credentials grant
Third-Party Service(Client)
1. Authenticate (credentials)Globus Auth
(Authorization Server)
2. Access Tokens
Globus Auth integration models:(2) Authentication grant with delegation
17
GlobusTransfer
(Resource Server)
Third-Party Service(Client)
7. Perform Transfer
2. Redirect (Authenticate)
8. Exchange Tokens
4. Auth Code
5. Exchange Code
6. Access Tokens
External Service
1. Access Service
3.Authenticate
Globus Auth(Authorization Server)
9. Tokens
18
Globus Auth integration models:(3) Native app grant
Native App
4. Auth Code
1. Access App 3.Authenticate
2. URL to authenticate
6. Exchange Code
7. Access Tokens
Globus Auth(Authorization Server)
5. Register Code
19
Globus Auth interactions
Service(Resource Server)
Identity Provider
Authorization Server
(Globus Auth)
App(Client)
User*
HTTPS/REST callLogin
* “Resource Owner” in OAuth2 terminology
20
Globus Auth interactions
Service(Resource Server)
Identity Provider
• For a set of scopes– Login: openid, email, profile– HTTPS/REST APIs
• User selects identity provider
Authorization Server
(Globus Auth)
App(Client)
1) Request authorization
User
HTTPS/REST callLogin
21
Globus Auth interactions
Service(Resource Server)
Identity Provider
• Using existing identities– E.g., XSEDE, University (via
InCommon), Google, web app
• User can link multiple identities into a single Globus Account
• No Globus username (Globus ID) required
• Globus Auth handles naming details, e.g., ePPN vs ePTID
Authorization Server
(Globus Auth)
App(Client)
1) Request authorization2) Authenticate resource owner
User
HTTPS/REST callLogin
22
Globus Auth interactions
Service(Resource Server)
Identity Provider
• Resource is provided by a resource server
• Limited by a scope
consent
Authorization Server
(Globus Auth)
App(Client)
1) Request authorization2) Authenticate resource owner3) Obtain authorization (consent)
for client to access a resource
User
HTTPS/REST callLogin
23
Globus Auth interactions
Service(Resource Server)
Identity Provider
App(Client)
• Some grant types issue authorization code, which client exchanges for access token
• Access token is opaque to client
• May include a refresh token, for offline access
access_token
Authorization Server
(Globus Auth)
1) Request authorization2) Authenticate resource owner3) Obtain authorization (consent)
for client to access a resource4) Issue OAuth2 access_token to client
User
HTTPS/REST callLogin
24
Globus Auth interactions
Service(Resource Server)
Identity Provider
App(Client)
JWT id_token:• sub: Globus Auth identity id• iss: https://auth.globus.org• name: full name• preferred_username:
e.g., [email protected]• email: email contact• other standard OIDC claims
id_token
Authorization Server
(Globus Auth)
1) Request authorization2) Authenticate resource owner3) Obtain authorization (consent)
for client to access a resource4) Issue OAuth2 access_token to client5) May issue OIDC id_token to client
with resource owner identity
User
HTTPS/REST callLogin
25
Globus Auth interactions
Service(Resource Server)
Authorization Server
(Globus Auth)
Identity Provider
App(Client) Authorization:
Bearer <access_token>
1) Request authorization2) Authenticate resource owner3) Obtain authorization (consent)
for client to access a resource4) Issue OAuth2 access_token to client5) May issue OIDC id_token to client
with resource owner identity6) HTTPS/REST call with access_token
User
HTTPS/REST callLogin
26
Globus Auth interactions
Authorization Server
(Globus Auth)
Identity Provider
App(Client)
RFC 7662: OAuth 2.0 Token Introspection response:• active: true or false• client_id• scope• sub: Globus Auth identity id• username: [email protected]• identity_set: linked identities• email• name• other standard claims
access_token
Service(Resource Server)
1) Request authorization2) Authenticate resource owner3) Obtain authorization (consent)
for client to access a resource4) Issue OAuth2 access_token to client5) May issue OIDC id_token to client
with resource owner identity6) HTTPS/REST call with access_token7) Validate access_token for resource server,
obtain additional info
User
HTTPS/REST callLogin
27
Globus Auth interactions
• Allows resource server to act as client to other resource servers
• Service uses request access_token to get a dependent access_token for each dependent service
• Service acts as client to its dependent services
Service(Resource Server)
Authorization Server
(Globus Auth)
Identity Provider
App(Client)
HTTPS/REST call
User
Dependent Services(Resource Servers)
1) Request authorization2) Authenticate resource owner3) Obtain authorization (consent)
for client to access a resource4) Issue OAuth2 access_token to client5) May issue OIDC id_token to client
with resource owner identity6) HTTPS/REST call with access_token7) Validate access_token for resource server,
obtain additional info8) Issue dependent access tokens to resource server
Login
Dependentaccess_token
Log in with Globus
• Use existing identities (Globus Auth acts as broker)
• Then enable access to community services
29
Simple APIs enable integration into apps
• Identity and access management PaaS
docs.globus.org/api/auth • Works with any compliant OAuth2/OIDC client
– We recommend Google OAuth client libraries– Python, Java, PHP, Javascript, .NET
developers.google.com/api-client/library • Python client library for Globus Auth REST API
globus.github.io/globus-sdk-python
(and Globus transfer API)
30
Creating a REST API service with Globus Auth• Outsource all identity management and authentication
– Federated identity with InCommon, Google, etc.
• Outsource your REST API security– Consent, token issuance, validation, revocation– You provide service-specific authorization
• Apps use your service like all others– It is standard OAuth2 and OIDC
• Your service can seamlessly leverage other services• Other services can leverage your service• Implement your service using any language and framework
31
Typical service interactions
• Service receives HTTPS request with header– Authorization: Bearer <request-access-token>
• Introspects the request access token– Auth API: POST /v2/oauth2/token/introspect– Authorized by client_id and client_secret– Returns: validity, client, scope, effective_identity, identities_set
• Verifies token info• Authorizes request• If service needs to act as client to other services:
– Calls Globus Auth Dependent Token Granto Returns a token for each dependent service
– Uses correct dependent token for downstream REST call
• Responds to client HTTPS request as appropriate
32
33
You can find sample code on GitHub
https://github.com/globus/globus-sample-data-portal.git
34
Desktop
Globus Cloud
Firewall
Science DMZ
Prototypical research data portal
Globus Transfer Service
Portal Web Server (Client)
Globus AuthBrowser
User’s Endpoint (optional)
Portal Endpoint
Other Endpoints
HTTPS
GridFTP
REST Other Services
Globus Web Helper Pages
Identity Providers
Identity Providers
Identity Provider
Login
35
Desktop
Globus Cloud
Firewall
Science DMZ
Role of Globus Auth
Globus Transfer Service
Portal Web Server (Client)
Globus AuthBrowser
User’s Endpoint (optional)
Portal Endpoint
Other Endpoints
HTTPS
GridFTP
REST Other Services
Globus Web Helper Pages
Identity Providers
Identity Providers
Identity Provider
Login
36
Desktop
Globus Cloud
Firewall
Science DMZ
Role of Globus Transfer and Sharing
Globus Transfer Service
Portal Web Server (Client)
Globus AuthBrowser
User’s Endpoint (optional)
Portal Endpoint
Other Endpoints
HTTPS
GridFTP
REST Other Services
Globus Web Helper Pages
Identity Providers
Identity Providers
Identity Provider
Login
37
Desktop
Globus Cloud
Firewall
Science DMZ
Role of Globus web helper pages
Globus Transfer Service
Portal Web Server (Client)
Globus AuthBrowser
User’s Endpoint (optional)
Portal Endpoint
Other Endpoints
HTTPS
GridFTP
REST Other Services
Globus Web Helper Pages
Identity Providers
Identity Providers
Identity Provider
Login
38
Globus web helper pages
Globus-provided web pages designed for use by your web apps. See https://docs.globus.org/api/helper-pages/
– Browse Endpoint– Select Group– Logout
39
User identity vs. portal identityUser logging into portal results in portal having user’s identity and access token
– Used to make requests on the user’s behalf– Use OAuth2 Authorization Code Grant– User authenticates using their portal identity
Portal may also need its own identity– Access and refresh tokens for this identity– Used to make requests on its own behalf– Use OAuth2 Client Credentials Grant to authenticate the portal
client identity and secret
40
Desktop
Globus Cloud
Firewall
Science DMZ
Prototypical research data portal
Globus Transfer Service
Portal Web Server (Client)
Globus AuthBrowser
User’s Endpoint (optional)
Portal Endpoint
Other Endpoints
HTTPS
GridFTP
REST Other Services
Globus Web Helper Pages
Identity Providers
Identity Providers
Identity Provider
Login
41
Adding portal as identity provider
If your portal has identities already:• Deploy OIDC server in front of it
– Globus Python OIDC (coming soon)– Any standard OIDC server should work– Requires claim that can map to username– Optional claims: name, email, organization
• Can register apps and services with an effective identity policy– Requires account to have identity from your identity provider when
logging into your app
42
Desktop
Globus Cloud
Firewall
Science DMZ
Prototypical research data portal
Globus Transfer Service
Portal Web Server (Client)
Globus AuthBrowser
User’s Endpoint (optional)
Portal Endpoint
Other Endpoints
HTTPS
GridFTP
REST Other Services
Globus Web Helper Pages
Identity Providers
Identity Providers
Identity Provider
Login
43
HTTPS to Endpoints
• Each endpoint HTTPS server is a Globus Auth service (resource server)– HTTPS requests authorized via Globus Auth issued OAuth2
access tokens
• Web page can link to file on server– Browser GET will cause HTTPS server to authorize request via
Globus Auth (note SSO)
• Portal (client) can request scope for endpoint resource server– Use access token in requests
44
SummaryGlobus Auth makes it easy to:• Add user login to your
applications• Integrate with Globus,
XSEDE, and other services• Add OAuth2 support to your
service’s REST API• Create services that leverage other services
Building on this foundation, we can together create an integrated ecosystem of research services and applications
Learn more at globus.org!