Globus and SciTokens both use OAuth for token issuance. Globus issues opaque access_tokens whereas access_tokens in SciTokens are JWTs. Globus id_tokens are JWTs (per the OIDC specification) whereas SciTokens does not issue id_tokens or implement OIDC.
The Related Work sections of the following SciTokens papers enumerate additional differences:
* https://doi.org/10.1145/3219104.3219135
* https://doi.org/10.1145/3311790.3399613
In the context of your question, I think the most important difference is that SciTokens is not an identity management system. Unlike Globus, SciTokens does not implement OIDC or issue id_tokens. SciTokens is a distributed authorization system. SciTokens does not specify how the OAuth Authorization Server verifies the identity of the resource owner. The SciTokens server can be configured to use mod_auth_openidc or mod_shibboleth or some other authentication method for resource owner identification.
The good news for cyberinfrastructure interoperability and sustainability is the broad agreement on the use of OAuth.
Regards,
Jim
________________________________________
From: Engin Arslan <ear...@unr.edu>
Sent: Friday, November 26, 2021 10:23 PM
To: SciAuth Discussion
Subject: Globus Auth vs SciTokens
To quote https://doi.org/10.17487/RFC9068 - "many commercial OAuth 2.0 implementations elected to issue access tokens using a format that can be parsed and validated by resource servers directly, without further authorization server involvement. The approach is particularly common in topologies where the authorization server and resource server are not co-located, are not run by the same entity, or are otherwise separated by some boundary."
Regards,
Jim
________________________________________
From: Engin Arslan <ear...@unr.edu>
Sent: Saturday, November 27, 2021 4:56 PM
To: SciAuth Discussion
Cc: Basney, Jim; SciAuth Discussion
Subject: Re: Globus Auth vs SciTokens
Responses inline below.
> I see. Is there any mechanism to protect the tokens in the SciTokens architecture? I see that SciTokens relies on the encryption methods that ssh implements to protect the communication between ssh client and server in the SciTokens SSH project, so I am wondering if there is any similar (e.g., encryption) method being implemented or suggested for general client-to-resource-server communication in the SciTokens architecture.
Yes, OAuth (and thus SciTokens) requires access tokens to be protected from eavesdropping by TLS. See: https://www.rfc-editor.org/rfc/rfc6819.html#section-4.6.1
> My second question is about creating access tokens. Is there any effort to eliminate the need for each institution to set up its own OAuth Server? I think this is what CILogon intends to do, but I could not see a clear statement about it.
Yes, a SciTokens issuer is included in CILogon hosted services. See: https://www.cilogon.org/subscribe
Regards,
Jim