03 - Identity Manager
Design Diagram
The Data Center's primary authentication need is to support external user data transfers. This made "Globus Auth" the natural choice, since it is already integrated with Globus Transfer. The "Globus Auth" service uses the standard "OAuth2" workflow.
Key Concept: Identity Data
When verifying an identity through the "Globus Auth" API, the following metadata is available:
Field | Type | Description |
---|---|---|
id | UUID | "Globus Auth" issued identity ID, guaranteed to uniquely identify a single identity, even if the identity username associated with the identity is changed or re-used by the identity provider. An ID will never be re-used. This field is visible to all clients. |
username | String | The username of the identity. The identity username is guaranteed to be unique amongst all "Globus Auth" identities at any given time. However, since identity providers can change or re-use usernames, caveats apply. The identity username is defined by the issuing identity provider. It may or may not also be a valid email address. This field is visible to all clients. |
status | String enum | The status of the identity; this field takes one of a fixed set of values. |
email | String | Identity provider-specified email address for this identity. This email address may be used by "Globus Auth," clients and resource servers for email notifications related to this identity. "Globus Auth" provides no guarantees about the email address, including whether the email address has been verified, or if emails sent to this address will be successfully delivered. |
name | String | Identity provider-specified display name (e.g., the user's full name) for this identity. |
organization | String | The name of the organization this identity is associated with. This may be set by the provider or, if the provider does not set it, by the user themselves. |
Key Concept: Authorization Sequence
The below image depicts the order of operations for a user to authenticate, have their authorizations verified and initiate a transfer.
Key Concept: Globus Applications
Applications/Services that interact with the "Globus Auth" Identity Manager are registered with Globus.
Registered applications fall into two categories:
- Internal DKIST Resource servers, e.g., dataset-searcher (04 - Science Data Search Management)
- User Tools, e.g., dkist-user-tools or an end user developed service
User Tools will typically interact with DKIST Resource servers and therefore require a scope that allows the resource servers to validate and use the tokens the User Tools present.
Key Concept: Globus Client Scopes
DKIST Applications or Services registered with "Globus Auth" should have the following Scopes:
Scope | Purpose | DKIST DC Internal | User Tools |
---|---|---|---|
Transfer files using Globus Transfer | Needed to manage Globus Transfers on behalf of the authenticated user | Required | Optional |
"openid" - know who you are in Globus | Get user info | Required | Required |
email - know your email address | Get user info | Required | Required |
profile - know some details about you | Get user info | Required | Required |
"dkist_token_introspect" | Needed to interact with DKIST services that require Globus Authentication | Required | Required |