Tutorial: Building the Services Ecosystem

Similar documents
Building the Modern Research Data Portal using the Globus Platform. Rachana Ananthakrishnan GlobusWorld 2017

Building the Modern Research Data Portal. Developer Tutorial

Leveraging the Globus Platform in your Web Applications

Leveraging the Globus Platform in your Web Applications. GlobusWorld April 26, 2018 Greg Nawrocki

Using OAuth 2.0 to Access ionbiz APIs

SSH with Globus Auth

OAuth and OpenID Connect (IN PLAIN ENGLISH)

Securing APIs and Microservices with OAuth and OpenID Connect

Inland Revenue. Build Pack. Identity and Access Services. Date: 04/09/2017 Version: 1.5 IN CONFIDENCE

Microsoft Graph API Deep Dive

NIELSEN API PORTAL USER REGISTRATION GUIDE

Usage of "OAuth2" policy action in CentraSite and Mediator

Mobile Procurement REST API (MOBPROC): Access Tokens

Aruba Central Application Programming Interface

Identity and Data Access: OpenID & OAuth

Consuming Office 365 REST API. Paolo Pialorsi PiaSys.com

Managing Protected and Controlled Data with Globus. Vas Vasiliadis

globus online Globus Nexus Steve Tuecke Computation Institute University of Chicago and Argonne National Laboratory

OAuth 2.0 Incremental Auth

Welcome! Presenters: STFC January 10, 2019

Single Sign-On for PCF. User's Guide

BlackBerry AtHoc Networked Crisis Communication. BlackBerry AtHoc API Quick Start Guide

Integrating with ClearPass HTTP APIs

API Gateway. Version 7.5.1

Best Practices: Authentication & Authorization Infrastructure. Massimo Benini HPCAC - April,

Technical Overview. Version March 2018 Author: Vittorio Bertola

OpenID Connect Opens the Door to SAS Viya APIs

GPII Security. Washington DC, November 2015

How to set up VMware Unified Access Gateway with OPSWAT MetaAccess Client

WEB API. Nuki Home Solutions GmbH. Münzgrabenstraße 92/ Graz Austria F

Serverless Single Page Web Apps, Part Four. CSCI 5828: Foundations of Software Engineering Lecture 24 11/10/2016

ovirt SSO Specification

XSEDE Iden ty Management Use Cases

Web Messaging Configuration Guide Document Version: 1.3 May 2018

Partner Center: Secure application model

Using Keycloak to Provide Authentication, Authorization, and Identity Management Services for Your Gateway

Deep Dive on Azure Active Directory for Developers. Jelle Druyts Premier Field Engineer Microsoft Services

Neos Google Analytics Integration

Advanced API Security

Protect Your API with OAuth 2. Rob Allen

ForgeRock Access Management Core Concepts AM-400 Course Description. Revision B

The OAuth 2.0 Authorization Protocol

Authentication in the Cloud. Stefan Seelmann

NetIQ Access Manager 4.4. REST API Guide

BIG-IP Access Policy Manager : Authentication and Single Sign-On. Version 13.1

[GSoC Proposal] Securing Airavata API

Introducing the New Globus CLI (alpha)

BLACKBERRY SPARK COMMUNICATIONS PLATFORM. Getting Started Workbook

openid connect all the things

THE ESSENTIAL OAUTH PRIMER: UNDERSTANDING OAUTH FOR SECURING CLOUD APIS

Check to enable generation of refresh tokens when refreshing access tokens

Salesforce External Identity Implementation Guide

Allowing the user to define the attribute release 21 May 2014

INDIGO AAI An overview and status update!

GDPR, PSD2, CIAM, and the Role of User-Managed Access 2.0

Info Input Express Network Edition

OPENID CONNECT 101 WHITE PAPER

The OAuth 2.0 Authorization Framework draft-ietf-oauth-v2-30

PSD2 AND OPEN BANKING SOLUTION GUIDE

Phase 1 Online Customer Authorization: 3 rd Party Initiated

dcache-view Olufemi S. Adeyemi On behalf of the project team INDIGO DataCloud

NetIQ Access Manager 4.3. REST API Guide

Salesforce External Identity Implementation Guide

Introduction to SciTokens

Box Connector. Version 2.0. User Guide

Administering Jive Mobile Apps

5 OAuth EssEntiAls for APi AccEss control layer7.com

Cloud Access Manager Configuration Guide

Oracle Fusion Middleware. API Gateway OAuth User Guide 11g Release 2 ( )

Standards-based Secure Signon for Cloud and Native Mobile Agents

Gmail Integration for Salesforce and Dynamics 365

for Salesforce Question-to-Case Connector

Oracle Fusion Middleware. Oracle API Gateway OAuth User Guide 11g Release 2 ( )

About 1. Chapter 1: Getting started with odata 2. Remarks 2. Examples 2. Installation or Setup 2. Odata- The Best way to Rest 2

Salesforce External Identity Implementation Guide

Slack Connector. Version 2.0. User Guide

ClickToCall SkypeTest Documentation

Connecting To Twitter & Google+ Using Python

EMS Platform Services Installation & Configuration Guides

Account Activity Migration guide & set up

Using Twitter & Facebook API. INF5750/ Lecture 10 (Part II)

OAuth 2 and Native Apps

Connect. explained. Vladimir Dzhuvinov. :

Release 3.0. Delegated Admin Application Guide

Your Auth is open! Oversharing with OpenAuth & SAML

UMA and Dynamic Client Registration. Thomas Hardjono on behalf of the UMA Work Group

Copyright. Copyright Ping Identity Corporation. All rights reserved. PingAccess Server documentation Version 4.

A RESTful Approach to Identity-based Web Services

Guidelines on non-browser access

What Does Logout Mean?

OAuth2 Autoconfig. Copyright

Single Sign-On Best Practices

Using OpenID/OAuth to access Federated Data Services

Who am I? Identity Product Group, CXP Team. Premier Field Engineer. SANS STI Student GWAPT, GCIA, GCIH, GCWN, GMOB

WP Voting Plugin - Ohiowebtech Video Extension - Youtube Documentation

OAuth securing the insecure

API Application Going Live. Zhuowei Yang

Client Certificates Are Going Away

Azure Archival Installation Guide

Design patterns for data-driven research acceleration

Transcription:

Tutorial: Building the Services Ecosystem GlobusWorld 2018 Steve Tuecke tuecke@globus.org

What is a services ecosystem? Anybody can build services with secure REST APIs App Globus Transfer Your Service Services can leverage other services securely App Your Service Globus Transfer

Why create your own services? Make your specialized capabilities available to your research community as a service Extend your web portal with a public REST API, so that other developers can integrate with and extend it Front-end / back-end within your portal / app Remote backend for portal Backend for pure Javascript browser apps 3

Why Globus Auth for your service? Outsource all identity management and authentication Federated identity with InCommon, Google, etc. Outsource your REST API security Consent, token issuance, validation, revocation You provide service-specific authorization Apps use your service like all others, with standard OAuth2 & OIDC Your service can seamlessly leverage other services Other services can leverage your service Implement your service using any language and framework Add your service to the science services ecosystem 4

Role of Globus Auth for services Issue and check OAuth2 access tokens App Issue access token Access token Globus Auth Globus Transfer Your Service Check access token With a token, your service can get attributes about the user, which it can use to authorize the request

Based on widely used web standards OAuth 2.0 Authorization Framework (a.k.a. OAuth2) OpenID Connect Core 1.0 (a.k.a. OIDC) docs.globus.org/api/auth 6

Fundamental Concepts Scopes: APIs that client is requesting access to Scope syntax: OpenID Connect: openid, email, profile https://auth.globus.org/scopes/<service-name>:<scope-name> A service can have multiple scopes Consents: authorize client to access a service, within limited scope, on the resource owner s (user s) behalf 7

Globus account Globus Account = Primary identity + Linked Identities An identity can be primary on only one account (Currently) Identities can be linked to only one account Account does not have own identifier An account is uniquely identified using its primary identity Effective identity = linked identity from a particular identity provider required by a client or service 8

Identity id vs. username Identity id Unique among all Globus Auth identities; will never be reused UUID Always use this to refer to an identity Identity username Unique at any point in time; may change, may be re-used Case-insensitive user@domain Can map to/from id, for user experience Auth API allows mapping back and forth 9

App registration Client_id and client_secret for service App display name Declare required scopes (optional) Need long-term, offline refresh tokens? May require authorization from scope admin OAuth2 redirect URIs Links for terms of service & privacy policy Effective identity policy (optional) developers.globus.org 10

Authorization Code Grant 1. Access portal 2. Redirects user Portal / App (Client) Browser (User) 4. Authorization token 5. Authenticate using client id and secret, send authorization code 6. Access tokens 3. User authenticates and consents Globus Auth (Authorization Server) 7. Authenticate with access tokens to invoke your service as user Your Service (Resource Server) 11

OAuth2 grants for apps Authorization code grant Native app grant variant Refresh token grants For apps that need long-lived, offline access to a service Client credential grant For app invoking services as itself, instead of as the user

What is a services ecosystem? Anybody can build services with secure REST APIs App Globus Transfer Your Service Services can leverage other services securely App Your Service Globus Transfer

Service registration Client_id and client_secret for service Service display name Validated DNS name for service One or more scopes Who is authorized to use each scope: all client (public API) or specific clients Declare dependent scopes Need long-term, offline refresh tokens? May require authorization from scope admin Links for terms of service & privacy policy Effective identity policy (optional) mailto:support@globus.org 14

Typical service interactions Service receives HTTPS request with header Authorization: Bearer <request-access-token> Introspects the request access token Auth API: POST /v2/oauth2/token/introspect Authorized by client_id and client_secret Returns: active, client_id, scope, sub (identity), identities_set Verifies token info (e.g., active, aud, scope) Authorizes request based on token info (e.g., sub) Service processes request Responds to client HTTPS request 15

Sample Research Data Portal Service Walk-through 16

Authorization based on identity set Use identities_set when authorizing a request based on the resource owner associated with an access token E.g., ACLs on Globus shared endpoints Authorizing based on set of identities is same complexity as authorizing based on group membership set 17

Groups Globus group service is identity set aware Tell me all groups for all identities of the logged in user Services can leverage this for authorization 18

Django REST Framework Use Globus Auth to protect REST APIs in the Django REST Framework Simple enhancements to do token introspection, validation, and map to Django account Contact support@globus.org if you are interested

What is a services ecosystem? Anybody can build services with secure REST APIs App Globus Transfer Your Service Services can leverage other services securely App Your Service Globus Transfer

Dependent tokens Your service can act as client to other services (scopes) Globus Transfer, Search, Identities, Auth Other community services Entire service call tree consented by user and service owners Rescinding consent revokes all dependent tokens Dependent tokens are restricted to a particular client, calling a particular scope, on behalf of a particular resource owner (e.g., user) Restricted delegation! 21

Typical service interactions Service receives HTTPS request with header Introspects the request access token Verifies token info (e.g., active, aud, scope) Authorizes request based on token info (e.g., sub) If service needs to act as client to other services: Calls Globus Auth Dependent Token Grant o Returns a token for each dependent service Uses correct dependent token for downstream REST call Service processes request, including calls to other services Responds to client HTTPS request 22

Refresh tokens For offline service : Service working on your behalf even when you are offline Example use: Globus Transfer service, for async transfers Refresh tokens issued to a particular client for use with a particular scope Client uses refresh token to get access token Client_id and client_secret required Refresh token good for 6 months after last use Consent rescindment revokes resource token 23

Token caching Service should cache tokens and related information Improves performance of service Reduces load on Globus Auth Access token -> introspect response Cache timeout: 1-30 seconds recommended To improve performance and load related to bursty use of REST API Validity: Timeout duration determines responsiveness to token revocation and rescinding consent Access token -> dependent access tokens Cache timeout: lifetime of access token To avoid costly dependent token re-issuance Rescinding consent will invalidate everything Refresh tokens For however long they are needed for specific operations. Keep distinct refresh tokens for each access token. 24

Coming soon to Auth Higher authentication assurance For services with PHI, PII, sensitive but unclassified data Incremental auth Add consents and tokens for new services dynamically Optional scopes Allow user to optionally deny access to a scope, but allow the client to continue functioning with reduced capability

Summary Globus Auth makes it easy to: add OAuth2 support to secure your service s REST API create services to leverage other services Globus enables an integrated ecosystem of services and applications for the research community 26

Support resources Globus documentation: docs.globus.org Community email list: developer-discuss@globus.org Helpdesk and issue escalation: support@globus.org Customer engagement team Globus professional services team Assist with portal/gateway/app architecture and design Develop custom applications that leverage the Globus platform Advise on customized deployment and integration scenarios

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback