Design Diagram

The primary authentication needed by the Data Center is in support of external user data transfers. This made the "Globus Auth" solution the natural choice since it is already integrated with Globus Transfer. The "Globus Auth" service uses the standard "OAuth2" workflow.

Key Concept: Identity Data

When verifying an identity through the "Globus Auth" API, the following metadata is available:

Field	Type	Description
id	UUID	"Globus Auth" issued identity ID, guaranteed to uniquely identify a single identity, even if the identity username associated with the identity is changed or re-used by the identity provider. An ID will never be re-used. This field is visible to all clients.
username	String	The username of the identity. The identity username is guaranteed to be unique amongst all "Globus Auth" identities at any given time. However, since identity providers can change or re-use usernames, the following caveats apply: The identity username associated with a given identity ID is NOT guaranteed to remain constant over time. A single identity username MAY be associated with different identity IDs over time. The identity username is defined by the issuing identity provider. It may or may not also be a valid email address. This field is visible to all clients.
status	String enum	This item field can be one of the following: "unused" - indicating that no user has proven ownership of this identity by authenticating with it. Resource servers may assign permissions to an unused identity. (See GET /v2/api/identities/<name>.) "used" - indicating that a user has proven ownership of this identity. The identity will typically, but not necessarily, be associated with a Globus Account. "private" - indicating that the user has restricted visibility of their identity. "closed" - indicating that this identity is no longer valid, typically because the provider has revoked it and perhaps reused the identity username. When an identity is closed, it will be removed from all Globus accounts, and end-users can no longer authenticate with this identity. Resource servers MAY remove any permissions associated with a closed identity, though since it is removed from all Globus accounts, it will never be included in a token’s identities list, and thus will never result in matching a permission.
email	String	Identity provider-specified email address for this identity. This email address may be used by "Globus Auth," clients and resource servers for email notifications related to this identity. "Globus Auth" provides no guarantees about the email address, including whether the email address has been verified, or if emails sent to this address will be successfully delivered.
name	String	Identity provider-specified display name (e.g., user’s full name) for this identity.
organization	String	The name of the organization this identity is associated with. This may be set by the provider or, if the provider does not set it, by the user themselves.

Key Concept: Authorization Sequence

The below image depicts the order of operations for a user to authenticate, have their authorizations verified and initiate a transfer.

Key Concept: Globus Applications

Applications/Services that interact with the "Globus Auth" Identity Manager are registered with Globus.

Registered applications fall in to 2 categories:

Internal DKIST Resource servers, e.g., dataset-searcher (04 - Science Data Search Management)
User Tools, e.g., dkist-user-tools or an end user developed service

User Tools will typically interact with DKIST Resource servers and require a scope that enables the resource servers to use tokens it provides.

Key Concept: Globus Client Scopes

DKIST Applications or Services registered with "Globus Auth" should have the following Scopes:

Scope	Purpose	DKIST DC Internal	User Tools
Transfer files using Globus Transfer	Needed to manage Globus Transfers on behalf of the authenticated user	Required	Optional
"openid" - know who you are in Globus	Get user info	Required	Required
email - know your email address	Get user info	Required	Required
profile - know some details about you	Get user info	Required	Required
"dkist_token_introspect"	Needed to interact with DKIST services that require Globus Authentication	Required	Required

Browser not supported