Globus Auth vs SciTokens


Engin Arslan

Nov 26, 2021, 11:23:37 PM
to SciAuth Discussion
Hi team,

I came across the Globus Auth paper [1], which presents complete IAM, authn/authz services for third-party clients. Globus Auth appears to support many auth implementations, including OAuth2 + OpenID Connect (JWT based), which is the main focus of the SciTokens project as far as I understand. So, my question is about the differences between the SciAuth implementation of OAuth + JWT and the Globus implementation of OAuth2 + OpenID Connect. Are there any technical differences in terms of the steps to issue tokens and the format of the tokens?


Basney, Jim

Nov 27, 2021, 9:47:50 AM
to Engin Arslan, SciAuth Discussion
Hi Engin,

Globus and SciTokens both use OAuth for token issuance. Globus issues opaque access_tokens whereas access_tokens in SciTokens are JWTs. Globus id_tokens are JWTs (per the OIDC specification) whereas SciTokens does not issue id_tokens or implement OIDC.

The Related Work sections of the following SciTokens papers enumerate additional differences:

* https://doi.org/10.1145/3219104.3219135
* https://doi.org/10.1145/3311790.3399613

In the context of your question, I think the most important difference is that SciTokens is not an identity management system. Unlike Globus, SciTokens does not implement OIDC or issue id_tokens. SciTokens is a distributed authorization system. SciTokens does not specify how the OAuth Authorization Server verifies the identity of the resource owner. The SciTokens server can be configured to use mod_auth_openidc or mod_shibboleth or some other authentication method for resource owner identification.

The good news for cyberinfrastructure interoperability and sustainability is the broad agreement on the use of OAuth.

Regards,
Jim
________________________________________
From: Engin Arslan <ear...@unr.edu>
Sent: Friday, November 26, 2021 10:23 PM
To: SciAuth Discussion
Subject: Globus Auth vs SciTokens

Engin Arslan

Nov 27, 2021, 5:56:33 PM
to SciAuth Discussion, jba...@illinois.edu, SciAuth Discussion
Hi Jim,

Yes, it makes perfect sense. Just to verify, SciTokens does not require token verification by resource servers, as resource servers can verify the integrity of the tokens independently, is that correct? If so, this poses a risk of a stolen token being used by any client, as the token itself is valid and resource servers do not need further verification by authorization servers, right?

Basney, Jim

Nov 27, 2021, 7:23:38 PM
to Engin Arslan, SciAuth Discussion
Right, distributed token verification by resource servers, rather than centralized token verification by authorization servers, is fundamental to the SciTokens model, to meet the requirements of our distributed scientific cyberinfrastructure ecosystem.

To quote https://doi.org/10.17487/RFC9068 - "many commercial OAuth 2.0 implementations elected to issue access tokens using a format that can be parsed and validated by resource servers directly, without further authorization server involvement. The approach is particularly common in topologies where the authorization server and resource server are not co-located, are not run by the same entity, or are otherwise separated by some boundary."

Regards,
Jim
________________________________________
From: Engin Arslan <ear...@unr.edu>

Sent: Saturday, November 27, 2021 4:56 PM
To: SciAuth Discussion
Cc: Basney, Jim; SciAuth Discussion
Subject: Re: Globus Auth vs SciTokens

Engin Arslan

Nov 27, 2021, 10:40:57 PM
to SciAuth Discussion, jba...@illinois.edu, SciAuth Discussion
I see, is there any mechanism to protect the tokens in the SciTokens architecture? I see that SciTokens relies on the encryption methods that ssh implements to protect the communication between ssh client and server in the SciTokens SSH project, so I am wondering whether any similar (e.g., encryption) method is being implemented/suggested for general client-resource server communication in the SciTokens architecture?

My second question is about creating access tokens. Is there any effort to eliminate the need for each institution to set up its own OAuth server? I think this is what CILogon intends to do, but I could not see a clear statement about it.

Basney, Jim

Nov 29, 2021, 10:31:48 AM
to Engin Arslan, SciAuth Discussion
Hi Engin,

Responses inline below.

> I see, is there any mechanism to protect the tokens in the SciTokens architecture? I see that SciTokens relies on the encryption methods that ssh implements to protect the communication between ssh client and server in the SciTokens SSH project, so I am wondering whether any similar (e.g., encryption) method is being implemented/suggested for general client-resource server communication in the SciTokens architecture?

Yes, OAuth (and thus SciTokens) requires access tokens to be protected from eavesdropping by TLS. See: https://www.rfc-editor.org/rfc/rfc6819.html#section-4.6.1

> My second question is about creating access tokens. Is there any effort to eliminate the need for each institution to set up its own OAuth server? I think this is what CILogon intends to do, but I could not see a clear statement about it.

Yes, a SciTokens issuer is included in CILogon hosted services. See: https://www.cilogon.org/subscribe

Regards,
Jim

Engin Arslan

Nov 29, 2021, 10:33:20 AM
to Basney, Jim, SciAuth Discussion
Sounds good, thanks for the clarifications, Jim!

> On Nov 29, 2021, at 7:31 AM, Basney, Jim <jba...@illinois.edu> wrote:
>
> Hi Engin,
>
> Responses inline below.
>
>> I see, is there any mechanism to protect the tokens in the SciTokens architecture? I see that SciTokens relies on the encryption methods that ssh implements to protect the communication between ssh client and server in the SciTokens SSH project, so I am wondering whether any similar (e.g., encryption) method is being implemented/suggested for general client-resource server communication in the SciTokens architecture?
>
> Yes, OAuth (and thus SciTokens) requires access tokens to be protected from eavesdropping by TLS. See: https://www.rfc-editor.org/rfc/rfc6819.html#section-4.6.1
>
>> My second question is about creating access tokens. Is there any effort to eliminate the need for each institution to set up its own OAuth server? I think this is what CILogon intends to do, but I could not see a clear statement about it.
>
> Yes, a SciTokens issuer is included in CILogon hosted services. See: https://www.cilogon.org/subscribe
>
> Regards,
> Jim
