Globus Auth: A Research Identity and Access Management Platform

Post on 20-Feb-2017


Rachana Ananthakrishnan, Kyle Chard, Ian Foster, Mattias Lidman, Brendan McCollam, Stephen Rosen, Steven Tuecke
The University of Chicago, Argonne National Laboratory

S. Tuecke, R. Ananthakrishnan, K. Chard, M. Lidman, B. McCollam, S. Rosen, I. Foster, “Globus Auth: A Research Identity and Access Management Platform,” 12th IEEE International Conference on eScience, October 25, 2016.


Thank you to our sponsors! U.S. DEPARTMENT OF ENERGY

Diagram: Transfer, Share, Publish, Discover

Transfer
– Researcher initiates transfer request; or requested automatically by script, science gateway
– Globus transfers files reliably, securely

Share
– Researcher selects files to share, selects user or group, and sets access permissions
– Globus controls access to shared files on existing storage; no need to move files to cloud storage!
– Collaborator logs in to access shared files; no local account needed; download via Globus

Publish
– Researcher assembles data set; attaches metadata (Dublin core, domain-specific)
– Curator reviews and approves; data set published

Discover
– Peers, collaborators search and discover datasets; transfer and share using Globus

Diagram nodes: Personal Computer, Compute facility, Sequencing center, Publication repository (on campus or other system)

• Only Web browser required
• Use any storage system
• Access using any credential

www.globus.org

Globus has the best numbers

• 5 major services
• 13 national labs
• 200 PB transferred
• 10,000 active endpoints
• 35 billion files processed
• 10,000 active users
• 50,000 registered users
• 99.9% uptime
• 60+ institutional subscribers
• 1 PB largest single transfer to date
• 3 months longest continuously managed transfer
• 130 federated campus identities

Globus as a platform

Can we enable researchers to leverage Globus services in their own applications? And, also, extend Globus with other services?

How do we empower the research community to create an integrated ecosystem of services and applications?

A world of many services, identities, and more

Diagram actors: User, App (Client), Service (Resource Server), Dependent Services (Resource Servers), Identity Provider, Resource server operator

Common practice today:
• Services issue identities
• Hard to use external identities
• Username-password authentication
• Expensive, insecure, non-interoperable
• Poor or no treatment of delegation

We need new approaches:
• Slash costs of developing and operating secure services
• Enhance security in complex, rapidly changing world
• Enable interoperability among services

The authentication and authorization challenge

We need to:
• Provide login to apps
– Web, mobile, desktop, command line
• Protect all REST API communications
– App to Globus service
– App to non-Globus service
– Service to service

While:
• Not introducing more identities
• Providing least privileges security model
• Being agnostic to programming language and framework
• Being web friendly
• Making it easy for users and developers
• Following security best practices

Abbreviated historical perspectives

• Kerberos
• Grid Security Infrastructure, Intl Grid Trust Federation
– Secure authentication, multiple IDPs, delegation
• SAML, InCommon, etc.
– Identity management federation, integration with campuses
• Web security infrastructure: OAuth2, OIDC, etc.
– OIDC for retrieving user identity and attributes from IDPs
– OAuth2 defines an authorization service
– We integrate, extend to handle delegation, and apply

Globus Auth

• Foundational identity and access management (IAM) platform service
• Simplifies creation and integration of advanced apps and services
• Brokers authentication and authorization interactions between:
– End users
– Identity providers: InCommon, XSEDE, Google, portals
– Services: resource servers with REST APIs
– Apps: web, mobile, desktop, command line clients
– Services acting as clients to other services

Based on widely used web standards

• OAuth 2.0 Authorization Framework (“OAuth2”)
• OpenID Connect Core 1.0 (“OIDC”)
• Allows use of standard OAuth2 and OIDC libraries
– E.g., Google OAuth Client Libraries (Java, Python, etc.), Apache mod_auth_openidc

Globus account

• A Globus account is a set of identities
– A primary identity
o Identity can be primary of only one account
– One or more linked identities
o Identity can (currently) be linked to only one account
• Account does not have own identifier
– Account is uniquely identified using its primary identity

Globus Auth integration models: (1) Client credentials grant

Participants: Third-Party Service (Client), Globus Auth (Authorization Server)
1. Authenticate (credentials)
2. Access Tokens

Globus Auth integration models: (2) Authentication grant with delegation

Participants: External Service, Third-Party Service (Client), Globus Auth (Authorization Server), Globus Transfer (Resource Server)
1. Access Service
2. Redirect (Authenticate)
3. Authenticate
4. Auth Code
5. Exchange Code
6. Access Tokens
7. Perform Transfer
8. Exchange Tokens
9. Tokens

Globus Auth integration models: (3) Native app grant

Participants: Native App, Globus Auth (Authorization Server)
1. Access App
2. URL to authenticate
3. Authenticate
4. Auth Code
5. Register Code
6. Exchange Code
7. Access Tokens

Globus Auth interactions

Diagram actors: User* (Login), App (Client) (HTTPS/REST call), Service (Resource Server), Identity Provider, Authorization Server (Globus Auth)

* “Resource Owner” in OAuth2 terminology

1) Request authorization
• For a set of scopes
– Login: openid, email, profile
– HTTPS/REST APIs
• User selects identity provider

2) Authenticate resource owner
• Using existing identities
– E.g., XSEDE, University (via InCommon), Google, web app
• User can link multiple identities into a single Globus Account
• No Globus username (Globus ID) required
• Globus Auth handles naming details, e.g., ePPN vs ePTID

3) Obtain authorization (consent) for client to access a resource
• Resource is provided by a resource server
• Limited by a scope

4) Issue OAuth2 access_token to client
• Some grant types issue authorization code, which client exchanges for access token
• Access token is opaque to client
• May include a refresh token, for offline access

5) May issue OIDC id_token to client with resource owner identity
JWT id_token:
• sub: Globus Auth identity id
• iss: https://auth.globus.org
• name: full name
• preferred_username: e.g., tuecke@uchicago.edu
• email: email contact
• other standard OIDC claims
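Validating the id_token of step 5 before trusting its claims, as an added example that is not code from the slides or from the Globus SDK: the signature is checked first, then iss, aud and exp, and only then are the claims returned. The signing key, client id and claim values are constructed for the example, and HS256 with a shared secret stands in for the provider's real signing key so the block runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key: HS256 with a shared secret stands in for the provider's
# real signing key only so that this example runs offline.
DEMO_KEY = b"constructed-demo-secret-not-a-real-key"
EXPECTED_ISSUER = "https://auth.globus.org"


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_demo_id_token(claims, key=DEMO_KEY):
    """Build a constructed HS256 JWT carrying the given claims (demo only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def validate_id_token(token, client_id, key=DEMO_KEY, now=None):
    """Check the signature first, then the standard OIDC claims; return the
    claims. Raises ValueError so a caller never acts on an unverified identity."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed JWT")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":      # reject 'none' and any unexpected alg
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud", [])
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")  # token was issued for another client
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    if not claims.get("sub"):               # the Globus Auth identity id
        raise ValueError("missing sub")
    return claims
```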

6) HTTPS/REST call with access_token
• Authorization: Bearer <access_token>

7) Validate access_token for resource server, obtain additional info
RFC 7662: OAuth 2.0 Token Introspection response:
• active: true or false
• client_id
• scope
• sub: Globus Auth identity id
• username: user@myu.edu
• identity_set: linked identities
• email
• name
• other standard claims

8) Issue dependent access tokens to resource server
• Allows resource server to act as client to other resource servers
• Service uses request access_token to get a dependent access_token for each dependent service
• Service acts as client to its dependent services

Log in with Globus

• Use existing identities (Globus Auth acts as broker)

• Then enable access to community services


Simple APIs enable integration into apps

• Identity and access management PaaS: docs.globus.org/api/auth
• Works with any compliant OAuth2/OIDC client
– We recommend Google OAuth client libraries
– Python, Java, PHP, Javascript, .NET: developers.google.com/api-client/library
• Python client library for Globus Auth REST API (and Globus transfer API): globus.github.io/globus-sdk-python

Creating a REST API service with Globus Auth

• Outsource all identity management and authentication
– Federated identity with InCommon, Google, etc.
• Outsource your REST API security
– Consent, token issuance, validation, revocation
– You provide service-specific authorization
• Apps use your service like all others
– It is standard OAuth2 and OIDC
• Your service can seamlessly leverage other services
• Other services can leverage your service
• Implement your service using any language and framework

Typical service interactions

• Service receives HTTPS request with header
– Authorization: Bearer <request-access-token>
• Introspects the request access token
– Auth API: POST /v2/oauth2/token/introspect
– Authorized by client_id and client_secret
– Returns: validity, client, scope, effective_identity, identities_set
• Verifies token info
• Authorizes request
• If service needs to act as client to other services:
– Calls Globus Auth Dependent Token Grant
o Returns a token for each dependent service
– Uses correct dependent token for downstream REST call
• Responds to client HTTPS request as appropriate
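The receive, introspect, verify and authorize steps above, as an added example that is not the Globus SDK or the project's own code: a resource server parses the Bearer header, looks up an RFC 7662 introspection response, rejects inactive tokens and tokens missing the service's scope, then applies its own service-specific rule over the identity_set. The introspection response, scope string and allow-list are constructed, and the introspect() lookup table stands in for the authenticated POST to /v2/oauth2/token/introspect.

```python
# Constructed RFC 7662 introspection response, shaped like the fields the
# slides list (active, client_id, scope, sub, username, identity_set, email,
# name). Every value is made up for the example.
SAMPLE_INTROSPECTION = {
    "active": True,
    "client_id": "constructed-portal-client-id",
    "scope": "openid email https://auth.globus.org/scopes/example-svc/read",
    "sub": "constructed-identity-id",            # effective identity
    "username": "user@myu.edu",
    "identity_set": ["constructed-identity-id", "constructed-linked-id"],
    "email": "user@myu.edu",
    "name": "Example User",
}
# Hypothetical scope; the real string is assigned when the service is registered.
REQUIRED_SCOPE = "https://auth.globus.org/scopes/example-svc/read"


def parse_bearer(authorization_header):
    """Token from 'Authorization: Bearer <token>', or None if absent/malformed."""
    parts = authorization_header.split(None, 1) if authorization_header else []
    if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1].strip():
        return None
    return parts[1].strip()


def introspect(token, responses):
    """Stand-in for POST /v2/oauth2/token/introspect, which the service calls
    authenticated with its own client_id/client_secret; here a lookup table."""
    return responses.get(token, {"active": False})


def authorize_request(authorization_header, responses, allowed_identities,
                      required_scope=REQUIRED_SCOPE):
    """Verify the token info, then apply service-specific authorization.
    Returns (ok, reason, info) so a failure can be logged with its cause."""
    token = parse_bearer(authorization_header)
    if token is None:
        return False, "missing bearer token", None
    info = introspect(token, responses)
    if not info.get("active"):                   # unknown, revoked or expired
        return False, "token inactive", None
    if required_scope not in info.get("scope", "").split():   # least privilege
        return False, "scope not granted", None
    # Service-specific rule: any identity in the account's identity_set may
    # match the allow-list, not only the effective identity in 'sub'.
    if not set(info.get("identity_set", [])) & set(allowed_identities):
        return False, "identity not permitted", None
    return True, "ok", {"effective_identity": info["sub"],
                        "client_id": info["client_id"], "scope": info["scope"]}
```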

You can find sample code on GitHub

https://github.com/globus/globus-sample-data-portal.git


Prototypical research data portal (diagram)

Zones: Desktop, Globus Cloud, Firewall, Science DMZ
Components: Browser, Portal Web Server (Client), Globus Auth, Globus Transfer Service, Globus Web Helper Pages, Identity Providers, Portal Endpoint, User’s Endpoint (optional), Other Endpoints, Other Services
Links: Login, HTTPS, REST, GridFTP

Role of Globus Auth (portal diagram, repeated)

Role of Globus Transfer and Sharing (portal diagram, repeated)

Role of Globus web helper pages (portal diagram, repeated)

Globus web helper pages

Globus-provided web pages designed for use by your web apps. See https://docs.globus.org/api/helper-pages/
– Browse Endpoint
– Select Group
– Logout

User identity vs. portal identity

User logging into portal results in portal having user’s identity and access token
– Used to make requests on the user’s behalf
– Use OAuth2 Authorization Code Grant
– User authenticates using their portal identity

Portal may also need its own identity
– Access and refresh tokens for this identity
– Used to make requests on its own behalf
– Use OAuth2 Client Credentials Grant to authenticate the portal client identity and secret


Adding portal as identity provider

If your portal has identities already:
• Deploy OIDC server in front of it
– Globus Python OIDC (coming soon)
– Any standard OIDC server should work
– Requires claim that can map to username
– Optional claims: name, email, organization
• Can register apps and services with an effective identity policy
– Requires account to have identity from your identity provider when logging into your app


HTTPS to Endpoints

• Each endpoint HTTPS server is a Globus Auth service (resource server)
– HTTPS requests authorized via Globus Auth issued OAuth2 access tokens
• Web page can link to file on server
– Browser GET will cause HTTPS server to authorize request via Globus Auth (note SSO)
• Portal (client) can request scope for endpoint resource server
– Use access token in requests

Summary

Globus Auth makes it easy to:
• Add user login to your applications
• Integrate with Globus, XSEDE, and other services
• Add OAuth2 support to your service’s REST API
• Create services that leverage other services

Building on this foundation, we can together create an integrated ecosystem of research services and applications

Learn more at globus.org!