Client Credentials Authentication


Dylan McReynolds

Mar 11, 2022, 8:23:07 PM
to Discuss
Hello,

I am trying to build a python application that uses Client Credentials flow. I have not had success listing files in an endpoint that I can list in the browser application.


In the endpoint search at the end, I do not see any endpoints, using a variety of filter_scopes. I would expect to see the same endpoints as the equivalent lists in the browser UI.

It feels like the application is not really linking to my Globus identity. I am suspicious that I am missing something about Consents. If I browse to this page: https://auth.globus.org/v2/web/consents, I do not see an entry for my app.

How do I grant "consent" for a new application?

Thanks.

Wagner, Richard

Mar 11, 2022, 9:08:48 PM
to Dylan McReynolds, Discuss
Hi Dylan,

The confidential client application that you registered doesn’t inherit any permissions or roles based on your Globus identity. The client has its own identity, so any tokens are issued to it, and wouldn’t show up under your account. I’m not even sure consents apply to confidential clients in this use case, since they’re handling their own tokens, and not a user’s tokens.

My guess is that your code and application are probably fine, but you're not seeing any output from the example because the client doesn’t own or manage any collections. Try broadening the Transfer client’s search, like so:

for ep in tc.endpoint_search('tutorial'):
    print("[{}] {}".format(ep["id"], ep["display_name"]))

If things are working you should get a list of a couple dozen endpoints.

—Rick


Dylan McReynolds

Mar 11, 2022, 9:31:29 PM
to Discuss, rpwa...@ucsd.edu, Discuss, Dylan McReynolds
Rick,

Thanks for the quick reply! You are correct, that new search did come up with a large number of endpoints. So, now I know that I'm connecting to my app. I was assuming the wrong problem.

So, now to the real problem. I am trying to list directories in a particular endpoint that I can list from the browser app, but not from within my confidential client:

import globus_sdk

confidential_client = globus_sdk.ConfidentialAppAuthClient(
    client_id=omitted,
    client_secret=omitted)

scopes = "urn:globus:auth:scope:transfer.api.globus.org:all"

cc_authorizer = globus_sdk.ClientCredentialsAuthorizer(confidential_client, scopes)
transfer_client = globus_sdk.TransferClient(authorizer=cc_authorizer)
endpoint = transfer_client.endpoint_search(<endpoint name>)[0]
endpoint_id = endpoint['id']
for thing in transfer_client.operation_ls(endpoint_id):
    print(thing)

This fails at the operation_ls line with:
globus_sdk.exc.TransferAPIError: (403, 'ConsentRequired', 'Missing required data_access consent'...)

Wagner, Richard

Mar 11, 2022, 10:25:06 PM
to Dylan McReynolds, Discuss
Hi Dylan,

You may be working with a Globus collection that requires a more specific scope than the generic transfer one. Take a look at this portion of the Globus Transfer API documentation:


The next change to your code may be adding that explicit collection scope to your token request.

—Rick 
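An added worked example (not code from this thread or from the Globus SDK) of what Rick is pointing at: the Transfer scope string with a mapped collection's data_access dependent scope attached, plus a helper that reads the required scopes back out of a ConsentRequired error body so the next token request can ask for exactly those. It is standard-library Python and runs offline; the equivalent globus_sdk 3.x scope builders are noted in comments, the collection UUID and the error body are constructed for the example, and the required_scopes field is the one the SDK's ConsentRequiredInfo reads from that error.

```python
"""Added example, not from the thread and not Globus SDK code: build the
Transfer scope with a collection's data_access dependency, and pull the
required scopes out of a ConsentRequired error body. Standard library only."""
import json
import re

TRANSFER_ALL = "urn:globus:auth:scope:transfer.api.globus.org:all"
GCS_SCOPE_PREFIX = "https://auth.globus.org/scopes/"
_UUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def data_access_scope(collection_id):
    """Scope a mapped GCS collection demands for file access.
    (globus_sdk: GCSCollectionScopeBuilder(collection_id).data_access)"""
    if not _UUID_RE.match(collection_id):
        # The scope is keyed by the collection UUID, never by its display name,
        # so refuse anything that is not a UUID rather than build a bogus scope.
        raise ValueError(f"not a collection UUID: {collection_id!r}")
    return f"{GCS_SCOPE_PREFIX}{collection_id.lower()}/data_access"


def transfer_scope(collection_ids=(), optional=True):
    """transfer:all carrying one data_access dependency per collection.
    Dependent scopes go in square brackets, separated by spaces; a leading
    '*' marks a dependency optional, so one token can still serve collections
    that do not require data_access at all.
    (globus_sdk: TransferScopes.make_mutable("all").add_dependency(...))"""
    deps = [("*" if optional else "") + data_access_scope(c) for c in collection_ids]
    return TRANSFER_ALL if not deps else f"{TRANSFER_ALL}[{' '.join(deps)}]"


def required_scopes(error_body):
    """Scopes named by a Transfer API ConsentRequired (HTTP 403) error body.
    Returns [] for anything else so callers fall through to normal handling."""
    try:
        body = json.loads(error_body)
    except ValueError:
        return []
    if body.get("code") != "ConsentRequired":
        return []
    return [s for s in body.get("required_scopes", []) if isinstance(s, str)]


def scope_covers(scope, collection_id):
    """True if `scope` already carries data_access for this collection."""
    return data_access_scope(collection_id) in scope


# Constructed sample (made-up UUID): the shape of the 403 quoted in the thread.
SAMPLE_COLLECTION = "4f0a8d7e-1b2c-4d5e-8f90-123456789abc"
SAMPLE_ERROR = json.dumps({
    "code": "ConsentRequired",
    "message": "Missing required data_access consent",
    "required_scopes": [transfer_scope([SAMPLE_COLLECTION], optional=False)],
})

if __name__ == "__main__":
    print(transfer_scope([SAMPLE_COLLECTION]))
    print(required_scopes(SAMPLE_ERROR))
```

Pass the result of transfer_scope([...]) as the scopes argument to ClientCredentialsAuthorizer in place of the bare transfer:all string. The dependency is keyed by the collection UUID, not the display name you searched for, and fixing it only clears the consent error: whether the client identity is accepted by the storage gateway is a separate check.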

Dylan McReynolds

Mar 13, 2022, 1:03:44 PM
to Wagner, Richard, Discuss
Richard,
Thanks again. I have tried that and it gets me a step closer. Now I get:

"http_response_code": 403, "message": "None of your identities are from domains allowed by resource policies"

In that message, I see:
530-GridFTP-Message: None of your identities are from domains allowed by resource policies

"detail": {"DATA_TYPE": "not_from_allowed_domain#1.0.0", "allowed_domains": [<url of endpoint that I'm trying to access>]}

But again, when logging in through the browser, I can list and perform transfers from the collection. Again, leading to suspect that there is something about the non-native app that I created that is not working.

Again, thanks for your help!

Karl Kornel

Mar 13, 2022, 6:14:51 PM
to Dylan McReynolds, Discuss

Hi Dylan, good afternoon!

I have a feeling I know what your problem is, and it has to do with the domain of the confidential client’s identity.

Your underlying storage gateway probably has something like this:

[root@cfxs2600gz-rcf-114-06 ~]# globus-connect-server storage-gateway show STORAGE_GATEWAY_UUID

…… snip ……

Allowed Domains:        ['stanford.edu']

The domains were set by the --domain option when the storage gateway was created (see https://docs.globus.org/globus-connect-server/v5.4/reference/storage-gateway/create/).  In the case of my storage gateway, the allowed domain is “stanford.edu”.

Storage gateways need to be able to map a Globus Identity username (which takes the form of user...@some.domain) to a local username.  As per the Identity Mapping Guide (https://docs.globus.org/globus-connect-server/v5.4/identity-mapping-guide/), the easiest thing is to match against an allowed domain, remove everything at & after the @-sign, and use the result as the username.

Since you are using a confidential client, your client has its own username.  If you check on the Globus Developers web site, you should see that your client has a client identity username of the form “CLIE...@clients.auth.globus.org”.  It’s unlikely that ‘clients.auth.globus.org’ is an allowed domain on your storage gateway, and even if it was, your client ID is probably not used as a local username.

So, what is the fix?  Well, I have two ideas, though I’ve never tested either idea myself.

The first, would be to make a guest collection, and give your confidential client access to that.

The second would be to leverage a custom identity mapping.  Section 2 of the Identity Mapping Guide shows how you can make a JSON file consisting of a list of mappings.  You could have a list of mappings consisting of an identity username mapping (Section 2.1) to cover normal people, and an application-identity mapping (Section 2.3) for your confidential client.

If you don’t want to mess with your existing storage gateway, then maybe you could just make another one?  You could make a new POSIX storage gateway, just for Globus Apps, which uses the custom identity mapping with only application-identity mappings.

Again, these are all guesses, as I haven’t tried it myself.  But I think one of those solutions will do what you want!

~ Karl
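An added example, not code from this thread and not Globus Connect Server code, that walks through the two checks Karl describes in order: the storage gateway's allowed-domain policy, then an expression-based identity mapping, applied to a person's identity and to a confidential client's identity. The mapping entries follow the shape in the GCS v5.4 Identity Mapping Guide (a list of "source", "match", "output" entries, first match wins); confirm the exact schema against the guide before putting one on a real gateway. The domains, the client UUID and the local account names are constructed for the example.

```python
"""Added example, not from the thread or Globus Connect Server: evaluate a
storage gateway's allowed-domain policy and an expression identity mapping
against a person and against an app (confidential client) identity."""
import re

ALLOWED_DOMAINS = ["stanford.edu"]          # the --domain values given at gateway create
CLIENT_DOMAIN = "clients.auth.globus.org"   # domain of every Globus app identity
APP_CLIENT_ID = "1b4f3c2d-9e8a-4b7c-a6d5-0123456789ab"   # constructed client UUID
APP_USERNAME = f"{APP_CLIENT_ID}@{CLIENT_DOMAIN}"

# Shape modelled on the guide's expression mappings (assumption: check the guide).
MAPPINGS = [
    # Section 2.1 style: a person's identity username with the domain stripped.
    {"source": "{username}", "match": r"(.*)@stanford\.edu", "output": "{0}"},
    # Section 2.3 style: pin one application identity to a dedicated service account.
    {"source": "{username}", "match": re.escape(APP_USERNAME), "output": "svc-globus-app"},
]

# What a mapping may produce: a plain POSIX account name, never a path or metacharacters.
_LOCAL_USER_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_-]{0,31}")


class NotFromAllowedDomain(Exception):
    """Stands in for the 403 not_from_allowed_domain#1.0.0 error quoted in the thread."""


def identity_domain(username):
    return username.rpartition("@")[2].lower()


def domain_allowed(username, allowed_domains):
    # Exact comparison, not endswith(): "stanford.edu.evil.org" must not pass.
    return identity_domain(username) in {d.lower() for d in allowed_domains}


def map_identity(identity, mappings=MAPPINGS, allowed_domains=ALLOWED_DOMAINS):
    """Local account for a Globus identity, or None when no mapping matches.

    The domain policy runs before any mapping, which is why an app identity
    is refused with "not from allowed domain" even if a mapping for it exists."""
    username = identity["username"]
    if not domain_allowed(username, allowed_domains):
        raise NotFromAllowedDomain(f"{username}: allowed domains are {allowed_domains}")
    for m in mappings:
        subject = m["source"].format(**identity)
        hit = re.fullmatch(m["match"], subject)     # fullmatch: no partial matches
        if hit is None:
            continue
        local = m["output"].format(*hit.groups())
        if not _LOCAL_USER_RE.fullmatch(local):
            raise ValueError(f"mapping produced an unsafe local name {local!r}")
        return local
    return None


if __name__ == "__main__":
    person = {"username": "dylan@stanford.edu"}
    app = {"username": APP_USERNAME}
    print(map_identity(person))                       # dylan
    try:
        map_identity(app)                             # refused by the domain policy
    except NotFromAllowedDomain as e:
        print("rejected:", e)
    # Karl's second idea: allow the client domain and keep the app mapping.
    print(map_identity(app, allowed_domains=ALLOWED_DOMAINS + [CLIENT_DOMAIN]))   # svc-globus-app
```

The two things worth carrying over to a real mapping file are the exact-domain comparison and the whitelist on the produced account name: a mapping that strips everything after the @ will happily return whatever the identity provider let the user put before it.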

Dylan McReynolds

Mar 13, 2022, 6:50:47 PM
to Karl Kornel, Discuss
Karl,

Thanks for your ideas, I think you're onto it. I'm trying the first suggestion, making a guest collection and giving my app access. I assume you were suggesting that I add a permission to the collection via the "Add Permissions -- Share With" dialog? Unfortunately, I can't find my app when searching under "User". Did I understand your suggestion correctly?

Thanks,
Dylan

Karl Kornel

Mar 13, 2022, 8:55:51 PM
to Dylan McReynolds, Discuss

Hi Dylan,

Yes, I was suggesting the “Add Permission” page.

I just tried this, with a confidential client of my own, and a guest collection I had lying around.  I was able to add the confidential client’s identity username.  I did not try searching by name, I just copy/pasted the client identity username, and it showed up like in the attached picture.

~ Karl

Add permissions to Globus Identity.png

Dylan McReynolds

Mar 13, 2022, 10:41:51 PM
to Karl Kornel, Discuss
Karl,

> I was able to add the confidential client's identity username. I did not try searching by name, I just copy/pasted the client identity username, and it showed up like in the attached picture.

Very odd. The UI won't accept mine, and the "Add" button never enables. Hrmmm.  I'll try your second option.

Thanks from across the Bay!

Dylan McReynolds

Mar 14, 2022, 12:15:34 PM
to Karl Kornel, Discuss
Sorry for the spam, but I just want to report for posterity that I finally got it to work by pasting in the full identity of the client app: <unique id>@clients.auth.globus.org. Many thanks for people's help. Happy transferring to all.

Dylan