An overview of user authentication and authorization in the Galaxy project: how users can authorize Galaxy to access their private resources on a cloud, and how Galaxy implements that flow by leveraging the OpenID Connect protocol and a Role-Based Access Control model to obtain temporary credentials.
User Authentication and Cloud Authorization in the Galaxy project: https://doi.org/10.1101/506238
1. User X Galaxy Cloud
User X to Galaxy: Get data from my S3 bucket to my history
Galaxy to Cloud: Give me User X’s bucket
Cloud to Galaxy: Give me your secrets!
Galaxy to User X: Hey, can you share your secrets with me?
(Galaxy here stands for any middleware, any science gateway)
2. Do NOT ask for the user’s credentials, because:
• Obtaining credentials demands a degree of familiarity with the provider, which is usually not intuitive for general users;
• Galaxy takes on the liability of storing the credentials securely;
• They give Galaxy the same level of privileges as the user;
• Stolen credentials can be disabled only by manual intervention of the user.
3. Instead:
• Use server-to-server communication, and minimize user interaction/intervention;
• Use token-based authentication and authorization;
• Use temporary tokens;
• Use role-based access control.
4. User X Galaxy Cloud
User X has authorized me to access her private bucket
Who are you? Who is User X? What is your authorization?
User X authorized me
5. Who Are You? Who is User X? What is Your Authorization?
6. Who Are You? Who is User X? What is Your Authorization?
Galaxy’s OIDC Client ID
Register Galaxy as an OIDC Client
Client ID: 8936 … 8o88f.apps.googleusercontent.com
7. Who Are You? Who is User X? What is Your Authorization?
Galaxy’s OIDC Client ID
Give me a proof of User X’s identity
https://accounts.google.com/o/oauth2/auth?
nonce=U9zZAIsacYEB7lJ3FZxO9G3nfzPaIxrl94Vnr5f2WfLMc8KQoG3C2B8LP2IGlwAW&
state=zCbXw5YEEiHHqsOEWQnkydFfolBYYWFB&
redirect_uri=http://localhost:8080/authnz/google/callback&
prompt=consent&
response_type=code&
client_id=8936 … 8o88f.apps.googleusercontent.com&
scope=openid+email+profile+https://www.googleapis.com/auth/user.birthday.read&
access_type=offline
8. Who Are You? Who is User X? What is Your Authorization?
Galaxy’s OIDC Client ID
Give me a proof of User X’s identity
User’s Authentication
(who they are)
9. Who Are You? Who is User X? What is Your Authorization?
Galaxy’s OIDC Client ID
Give me a proof of User X’s identity
User’s Authorization
(what they allow you to do)
10. Who Are You? Who is User X? What is Your Authorization?
Galaxy’s OIDC Client ID
Give me a proof of User X’s identity
Here is your proof
{
  "code": "4/NwEDKgZ2GZFbzd … I7xeXhvWEBESoc",
  "prompt": "consent",
  "state": "zCbXw5YEEiHHqsOEWQnkydFfolBYYWFB",
  "session_state": "ccd20afbeec42f7711fb787ebebde0b38ff85255..85bb",
  "scope": "email profile openid https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/user.birthday.read",
  "authuser": "0"
}
11. Who Are You? Who is User X? What is Your Authorization?
Galaxy’s OIDC Client ID User’s OIDC ID Token
Give me a proof of User X’s identity
Here is your proof
{
  "access_token": "… 129 chars …",
  "auth_time": 1556220254,
  "expires": 3600,
  "id_token": "… 1000 chars …",
  "refresh_token": "… 45 chars …",
  "token_type": "Bearer"
}
ID token:
- is a JWT;
- contains claims about the authentication of the end-user.
Access token:
- is not a JWT;
- can be used to request information from the provider’s APIs.
12. Who Are You? Who is User X? What is Your Authorization?
Galaxy’s OIDC Client ID User’s OIDC ID Token
Give me a proof of User X’s identity
Here is your proof
Part of a decoded ID token:
Payload
{
  "iss": "accounts.google.com",
  "azp": "…",
  "aud": "8936 ... 8o88f.apps.googleusercontent.com",
  "sub": "100813134013939805912",
  "email": "jalili.vahid@gmail.com",
  "email_verified": true,
  "at_hash": "oRKH9-7HUwPJx-OxBSR-TA",
  "nonce": "…",
  "iat": 1556220253,
  "exp": 1556223853
}
13. Who Are You? Who is User X? What is Your Authorization?
Galaxy’s OIDC Client ID User’s OIDC ID Token
Give me a proof of User X’s identity
Here is your proof
Authorization Code Grant flow in a nutshell
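The client side of the Authorization Code Grant flow from slides 7 to 13 (state and nonce generation, the callback check, and the claim checks on the decoded ID token), as an added Python example that is not Galaxy's own code. The client ID is a placeholder for the value elided on the slides, and the JWT signature is assumed to have been verified against the provider's JWKS before validate_id_token_claims is called.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"
CLIENT_ID = "PLACEHOLDER.apps.googleusercontent.com"   # real value is elided on the slides
REDIRECT_URI = "http://localhost:8080/authnz/google/callback"

def start_login(session):
    """Build the authorization request; state and nonce are kept server-side for later checks."""
    session["state"] = secrets.token_urlsafe(24)    # binds the callback to this browser session (CSRF)
    session["nonce"] = secrets.token_urlsafe(48)    # binds the ID token to this login attempt (replay)
    params = {
        "nonce": session["nonce"], "state": session["state"],
        "redirect_uri": REDIRECT_URI, "prompt": "consent",
        "response_type": "code", "client_id": CLIENT_ID,
        "scope": "openid email profile", "access_type": "offline",
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)

def handle_callback(session, callback_url):
    """Return the authorization code only if the callback carries the state of this session."""
    q = parse_qs(urlparse(callback_url).query)
    state = q.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, session.get("state", "")):
        raise ValueError("state mismatch: callback was not started by this session")
    del session["state"]                             # one-time use
    if "code" not in q:
        raise ValueError("no authorization code in callback (error response?)")
    return q["code"][0]

def validate_id_token_claims(payload, session, now=None):
    """Claim checks on a decoded ID token; assumes the signature was already verified."""
    now = time.time() if now is None else now
    if payload.get("iss") not in ("accounts.google.com", "https://accounts.google.com"):
        raise ValueError("unexpected issuer")
    if payload.get("aud") != CLIENT_ID:
        raise ValueError("token was issued to a different client")
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")
    if not secrets.compare_digest(payload.get("nonce", ""), session.pop("nonce", "")):
        raise ValueError("nonce mismatch: token does not belong to this login attempt")
    if not payload.get("email_verified"):
        raise ValueError("provider has not verified the e-mail address")
    return payload["sub"]                            # stable user identifier, not the e-mail
```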
14. Who Are You? Who is User X? What is Your Authorization?
Galaxy’s OIDC Client ID User’s OIDC ID Token
Give me a proof of User X’s identity
Here is your proof
Let Galaxy access my private data
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::my-bucket/hgmm_100_R2.fastq"
      ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "1.2.3.4"
        }
      }
    }
  ]
}
AWS IAM
Role Policy
Role ARN
15. Who Are You? Who is User X? What is Your Authorization?
Galaxy’s OIDC Client ID User’s OIDC ID Token
Give me a proof of User X’s identity
Here is your proof
Let Galaxy access my private data
AWS IAM
Role Trust
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "accounts.google.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "accounts.google.com:aud": "8936 ... 8o88f.apps.googleusercontent.com"
        }
      }
    }
  ]
}
Role ARN
16. Who Are You? Who is User X? What is Your Authorization?
Galaxy’s OIDC Client ID User’s OIDC ID Token
Give me a proof of User X’s identity
Here is your proof
Let Galaxy access my private data
https://sts.amazonaws.com/?
DurationSeconds=3600&
Action=AssumeRoleWithWebIdentity&
Version=2011-06-15&
RoleSessionName=cloudauthz&
RoleArn=<Role ARN>&
WebIdentityToken=<ID Token>
Here is my ID and authorization, give me temporary secrets to access User X’s private data
17. Who Are You? Who is User X? What is Your Authorization?
Galaxy’s OIDC Client ID User’s OIDC ID Token Temporary Secrets
Here is my ID and authorization, give me temporary secrets to access User X’s private data
Give me a proof of User X’s identity
Here is your proof
Let Galaxy access my private data
AccessKeyId: ASIA4 … AA2ZE
SecretAccessKey: owi+huRYTTWlL … zujnvKZvS
SessionToken: FQoGZXIvYXdzEIv//////////wEaDME/ … u0o9fGc5gU=
Temporary secrets
18. Who Are You? Who is User X? What is Your Authorization?
Galaxy’s OIDC Client ID User’s OIDC ID Token Temporary Secrets
Here is my ID and authorization, give me temporary secrets to access User X’s private data
Give me a proof of User X’s identity
Here is your proof
Let Galaxy access my private data
Role-Based Access Control flow in a nutshell
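The cloud side of the flow from slides 15 to 18, as an added Python example that is not Galaxy's or cloudauthz's own code: a mirror of the trust-policy check IAM performs on the ID token's issuer and aud, the URL-encoded AssumeRoleWithWebIdentity request, and the extraction and expiry handling of the temporary secrets. The role ARN, client ID and the sample STS XML response are constructed placeholders; the XML follows the documented response shape.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone, timedelta
from urllib.parse import urlencode

STS_ENDPOINT = "https://sts.amazonaws.com/"
NS = "{https://sts.amazonaws.com/doc/2011-06-15/}"   # XML namespace of STS API version 2011-06-15

def trust_policy_allows(trust_policy, id_token_payload):
    """Mirror IAM's trust check: issuer must be the federated principal, aud must equal the pinned client ID."""
    iss = id_token_payload.get("iss", "").replace("https://", "", 1)
    for st in trust_policy["Statement"]:
        if st["Effect"] != "Allow" or st["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        provider = st["Principal"]["Federated"]
        expected_aud = st["Condition"]["StringEquals"].get(provider + ":aud")
        if iss == provider and expected_aud and id_token_payload.get("aud") == expected_aud:
            return True
    return False

def build_assume_role_request(role_arn, raw_id_token, duration=3600):
    # Query-string form of the STS call shown on slide 16, with proper URL encoding of the ARN and JWT.
    return STS_ENDPOINT + "?" + urlencode({
        "DurationSeconds": duration, "Action": "AssumeRoleWithWebIdentity",
        "Version": "2011-06-15", "RoleSessionName": "cloudauthz",
        "RoleArn": role_arn, "WebIdentityToken": raw_id_token})

def parse_timestamp(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_credentials(xml_body):
    """Extract the three temporary secrets and their expiry from the STS XML response."""
    creds = ET.fromstring(xml_body).find(".//" + NS + "Credentials")
    if creds is None:
        raise ValueError("no Credentials element in STS response")
    out = {k: creds.findtext(NS + k) for k in ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")}
    if not all(out.values()):
        raise ValueError("incomplete Credentials element")
    out["Expiration"] = parse_timestamp(out["Expiration"])
    return out

def credentials_usable(creds, now=None, margin=timedelta(minutes=5)):
    """Stop using the secrets a few minutes before STS expires them."""
    return creds["Expiration"] - margin > (now or datetime.now(timezone.utc))

# Constructed sample response modelled on the documented shape; all values are fake.
SAMPLE_RESPONSE = """<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithWebIdentityResult><Credentials>
    <SessionToken>FQoGZXIvYXdzEXAMPLE</SessionToken><SecretAccessKey>owiEXAMPLEsecret</SecretAccessKey>
    <Expiration>2019-04-25T20:04:14Z</Expiration><AccessKeyId>ASIA4EXAMPLE</AccessKeyId>
  </Credentials></AssumeRoleWithWebIdentityResult>
</AssumeRoleWithWebIdentityResponse>"""
```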