Proposal for New Authentication Method for FDSN Web Services

Javier Quinteros

Mar 28, 2025, 6:55:46 AM
to Chad Trabant, Marcelo B. de Bianchi, Robert Casey, Jerry Carter, Elisabetta D'Anastasio, Jonathan Hanson, Florian Haslinger, Helle Pedersen, Jonathan Schaeffer, Angelo Strollo, Lesley Wyborn, fdsn-wg3...@fdsn.org
Dear WG3 Chair/Co-Chair and Members,

We are pleased to submit this type A proposal for consideration
regarding a new Authentication method for FDSN web services.

We present a flexible, modern standard of data access that carries with
it the qualities of authentication and authorization which is based on
three main points:
* the support of the proposed authentication scheme for all FDSN web
services,
* the specification of a common JSON Web Token (JWT) for FDSN data centers,
* the establishment of a "trusted relationship" between selected data
centers, allowing users with tokens from one data center to use the
services of other data centers that trust the token issuer.

Full technical specification is provided (in the attached document) and
we expect that future versions of the software packages used by the
seismological community will implement and adopt this new standard in
order to be authenticated (or optionally authorized) by FDSN web services.

The simplicity of using JWT tokens in headers, the ability to apply the
method at all FDSN services, and the technical capability to accept
tokens from other “trusted data centers” make this solution ideal for a
variety of needs.

We do not propose deprecating the current HTTP Basic Digest method, as
such a move would introduce backward compatibility issues. Any potential
deprecation would be contingent upon community adoption of this new
method, and would only be considered once the old method becomes marginal.

We present this proposal as a "Type A" submission (existing feature), as
it leverages the experience gained with authentication over the past
decade and is based on the current implementation used in production at
EarthScope, which is compatible with the initial ORFEUS implementation
starting in 2019, as described in the following paragraphs.

Since 2013, HTTP Digest authentication has been defined and used as the
default authentication method. Since then, FDSN data centers have been
able to enable workflows that require users to authenticate to the
fdsnsws-dataselect service only.

European ORFEUS-EIDA data centers used it to manage user access to
embargoed temporary networks before the release date. The EIDA
Authentication System, introduced in 2019, was a token-based
authentication and authorization system that allowed data centres to
manage user access in two different ways: locally at the data centre or
centrally within a federation, while maintaining compatibility with the
FDSN standards. However, due to the limitations of the digest method, it
required additional steps, resulting in a less intuitive experience for
users[1].

Later, in 2023, EarthScope introduced a similar system based on modern
standards such as OAuth2 and JSON Web Tokens (JWT). This approach allows
data to be accessed anonymously, as defined by the existing
specification, but also includes the option for users to provide
authentication information in the request headers[2].

Recently, in 2024, EarthScope and ORFEUS data centers, prompted by
changing user needs and the need to manage new data types within FDSN
data centers, started discussions to conceive a vision for a federated
data center based on modern cloud-based storage systems, versatile
formats for data and metadata, asynchronous data access, and on-cloud
processing [3]. This vision also highlights the need for an appropriate
modern Authentication Authorization Infrastructure (AAI) to meet the
evolving needs of users and data centers.

The proposal would address the needs of many stakeholders within the
FDSN who require authentication and authorization for their use cases.
For example, data centers such as the CTBTO have expressed the need to
expose data and metadata only to authorized users, with no allowance for
anonymous or unauthorized requests. DAS and other sensitive data may
impose restrictions on metadata while leaving data unrestricted. In
addition, to support a more cloud-based approach, it is important that
users are authenticated to operate seamlessly within the cloud,
integrating datasets and services from federated FDSN data centers.
Also, for some organizations that only provide access to open data, it
is increasingly important to build user profiles (e.g., affiliation,
usage patterns). This can be critical for funding agencies, impact
assessments of datasets or projects, and a deeper understanding of user
needs, ultimately improving the internal statistics and operational
efficiency of each data center.

This proposal also benefits from a long series of bi-weekly meetings
with colleagues involved in discussing common needs regarding user
authentication and authorization in the broader context of the impact of
research data. We believe that this proposed authentication approach
provides a robust and modern solution that will enhance the security and
efficiency of FDSN web services, improve the service provisioning of
FDSN data centers, and facilitate the integrated use of globally
distributed FDSN resources by users.

Thank you for considering this proposal. We look forward to your
feedback and to further discussions.

Sincerely,

The authors,
Javier Quinteros (1), Rob Casey (2), Jerry Carter (2), Elisabetta D'Anastasio (3),
Jonathan B. Hanson (3), Florian Haslinger (4), Helle Pedersen (5,6), Jonathan
Schaeffer (6), Angelo Strollo (1), Lesley Wyborn (7)

(1) GFZ Helmholtz Centre for Geosciences, 2.4 Seismology, Potsdam, Germany
(2) EarthScope Consortium
(3) GNS Science Te Pū Ao, 1 Fairway Dr., Lower Hutt, WEL, 5011, New Zealand
(4) Swiss Seismological Service at ETH Zürich, Sonneggstr. 5, 8092 Zurich, Switzerland
(5) Univ. Grenoble Alpes, Univ. Savoie Mont Blanc, CNRS, IRD, Univ. Gustave Eiffel, ISTerre, 38000 Grenoble, France
(6) Univ. Grenoble Alpes, CNRS, INRAE, IRD, METEO-FRANCE, OSUG, 38000 Grenoble, France
(7) AuScope Ltd, Melbourne, Australia, 3053


References:

[1] EIDA Authentication System: https://geofon.gfz.de/eas/EIDAAuthenticationService.pdf

[2] EarthScope AAI client: https://gitlab.com/earthscope/public/earthscope-cli

[3] Trabant, C., A. Strollo, J. Quinteros, A. Heinloo, P. L. Evans, G. Sharer, J. Carter, C. Cauzzi, J. Clinton, F. Massin, P. Kästli, P. Danecek, R. Sleeman, C. P. Evangelidis, N. Horn, J. Schaefer, and H. A. Pedersen (2024). Towards the next generation of federated seismological data services, S33C-3327, AGU24. Poster: https://drive.google.com/file/d/1_CpKf6k3wEPNtIfD5b6uVtHs1tdcFmyS/view?usp=drive_link


--
Javier Quinteros
-------------------------------------------
2.4/Seismologie
Tel.: +49 (0)331-6264-1931
Email: jav...@gfz.de
___________________________________

GFZ Helmholtz-Zentrum für Geoforschung
GFZ Helmholtz Centre for Geosciences
Telegrafenberg, 14473 Potsdam
www.gfz.de

Proposal to adopt a new Authentication Method for FDSN web services.pdf
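The bearer-token flow the proposal sketches (a JWT carried in the request header, a data centre accepting tokens from issuers it trusts, anonymous access still permitted), as an added example that is not part of the proposal, its attached specification, or the EarthScope or ORFEUS implementations. Everything concrete here is an assumption: HS256 signing with a per-issuer key table standing in for the trust relationship, the standard iss/sub/aud/exp claims, an Authorization: Bearer header, and placeholder .example issuer and service URLs. The attached specification may define different claims or a different trust mechanism.

```python
"""Added example: bearer-token check for an FDSN-style web service.
Not code from the proposal, its attached specification, or any data centre.
Assumed (not from the page): HS256, a per-issuer key table, iss/sub/aud/exp
claims, an 'Authorization: Bearer' header, and placeholder .example URLs.
HMAC keeps this on the standard library; a real federation would use
asymmetric signatures (RS256/ES256/EdDSA) so a trusting data centre never
holds a key that could mint tokens in the issuer's name.
"""
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    """Raised for any token that must be rejected; the message is the reason."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issuer, key, subject, audience, ttl=3600, now=None):
    """Mint an HS256 JWT as a data centre's token service might."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token, trusted_issuers, expected_audience, now=None):
    """Validate a token against the issuers this data centre trusts."""
    now = int(time.time()) if now is None else now
    try:
        h64, c64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(c64))
        signature = _b64url_decode(s64)
    except ValueError as exc:  # wrong part count, bad base64 or bad JSON
        raise TokenError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenError("malformed token")
    # Pin the algorithm server-side; never let the token choose it (alg=none, key confusion).
    if header.get("alg") != "HS256":
        raise TokenError("unsupported alg")
    # The trust relationship: key is looked up by issuer; unknown issuers are rejected outright.
    issuer = claims.get("iss")
    key = trusted_issuers.get(issuer)
    if key is None:
        raise TokenError(f"untrusted issuer: {issuer!r}")
    expected = hmac.new(key, f"{h64}.{c64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise TokenError("expired")
    aud = claims.get("aud")  # stops a token minted for one service being replayed at another
    if aud != expected_audience and not (isinstance(aud, list) and expected_audience in aud):
        raise TokenError("wrong audience")
    return claims


def authenticate_request(headers, trusted_issuers, service_audience, now=None):
    """Return verified claims, or None when the request is anonymous."""
    auth = headers.get("Authorization")
    if auth is None:
        return None  # anonymous access stays allowed, as the proposal keeps it
    scheme, _, credential = auth.partition(" ")
    if scheme.lower() != "bearer" or not credential.strip():
        # A deployment that keeps HTTP Digest would dispatch on the scheme here.
        raise TokenError("unsupported Authorization scheme")
    return verify_token(credential.strip(), trusted_issuers, service_audience, now)


# Constructed federation: data centre B trusts tokens from A and from itself, not from C.
ISSUER_A, ISSUER_B, ISSUER_C = "https://dc-a.example", "https://dc-b.example", "https://dc-c.example"
SERVICE_B = "https://dc-b.example/fdsnws/dataselect/1"
KEYS = {ISSUER_A: b"dc-a-demo-key", ISSUER_B: b"dc-b-demo-key", ISSUER_C: b"dc-c-demo-key"}
TRUSTED_BY_B = {ISSUER_A: KEYS[ISSUER_A], ISSUER_B: KEYS[ISSUER_B]}


def outcome(headers, now):
    """Decision data centre B makes for one request: allow, deny or anonymous."""
    try:
        claims = authenticate_request(headers, TRUSTED_BY_B, SERVICE_B, now=now)
    except TokenError as exc:
        return ("deny", str(exc))
    return ("anonymous", None) if claims is None else ("allow", claims["sub"])


def demo(now=1_700_000_000):
    """Constructed requests against service B; returns the decision for each case."""
    tok_a = issue_token(ISSUER_A, KEYS[ISSUER_A], "alice@dc-a.example", SERVICE_B, now=now)
    tok_c = issue_token(ISSUER_C, KEYS[ISSUER_C], "mallory@dc-c.example", SERVICE_B, now=now)
    h64, c64, s64 = tok_a.split(".")
    forged = {"iss": ISSUER_A, "sub": "mallory@dc-c.example", "aud": SERVICE_B, "exp": now + 3600}
    tampered = f"{h64}.{_b64url(json.dumps(forged).encode())}.{s64}"  # A's signature, altered claims
    none_header = _b64url(b'{"alg":"none"}')
    alg_none = f"{none_header}.{c64}."  # classic 'none' downgrade attempt

    def bearer(token):
        return {"Authorization": "Bearer " + token}

    return {
        "federated": outcome(bearer(tok_a), now + 60),
        "untrusted_issuer": outcome(bearer(tok_c), now + 60),
        "expired": outcome(bearer(tok_a), now + 3600),
        "tampered": outcome(bearer(tampered), now + 60),
        "alg_none": outcome(bearer(alg_none), now + 60),
        "anonymous": outcome({}, now + 60),
    }
```

Two points a reviewer of a real implementation would check: the verifier pins the algorithm and looks the key up by issuer before touching the signature, so a token from an issuer outside the trust set is refused without any cryptographic work, and the "trusted issuer" table is the whole of the trust relationship. With the HMAC shortcut used here that table is a set of shared secrets, which means every trusting data centre could forge the issuer's tokens; with asymmetric keys (published as a JWKS, say) it holds only public keys, which is the shape a federation of independent data centres should want.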