User X, Galaxy, Cloud (diagram):
- User X: Get data from my S3 bucket to my history.
- Galaxy: Give me User X’s bucket.
- Cloud: Give me your secrets!
- Galaxy (or any middleware, any science gateway), to the user: Hey, can you share your secrets with me?
Do NOT ask for the user’s credentials, because:
• Obtaining credentials demands a degree of familiarity with the provider, which is usually not intuitive for general users;
• Liability concern for Galaxy to securely store the credentials;
• Provides Galaxy with the same level of privileges as the user;
• Stolen credentials can be disabled only by manual intervention of the user.
Instead:
• Use server-to-server communication, and minimize user interaction/intervention;
• Use token-based authentication and authorization;
• Use temporary tokens;
• Use role-based access control.
User X, Galaxy, Cloud (diagram):
- Galaxy to Cloud: User X has authorized me to access her private bucket.
- Cloud to Galaxy: Who are you? Who is User X? What is your authorization?
- Galaxy: User X authorized me.

Who Are You? Who is User X? What is Your Authorization?
Who are you? Galaxy’s OIDC Client ID.
Register Galaxy as an OIDC client with the identity provider (Google, in this deck).
Client ID: 8936 … 8o88f.apps.googleusercontent.com
Who is User X? Galaxy asks the provider for a proof of User X’s identity by redirecting the user to the authorization endpoint:
https://accounts.google.com/o/oauth2/auth?
nonce=U9zZAIsacYEB7lJ3FZxO9G3nfzPaIxrl94Vnr5f2WfLMc8KQoG3C2B8LP2IGlwAW&
state=zCbXw5YEEiHHqsOEWQnkydFfolBYYWFB&
redirect_uri=http://localhost:8080/authnz/google/callback&
prompt=consent&
response_type=code&
client_id=8936 … 8o88f.apps.googleusercontent.com&
scope=openid+email+profile+https://www.googleapis.com/auth/user.birthday.read&
access_type=offline
The requested proof covers both:
- User’s Authentication (who they are);
- User’s Authorization (what they allow you to do).
Here is your proof: the provider redirects back to Galaxy’s redirect_uri with
{
  "code": "4/NwEDKgZ2GZFbzd … I7xeXhvWEBESoc",
  "prompt": "consent",
  "state": "zCbXw5YEEiHHqsOEWQnkydFfolBYYWFB",
  "session_state": "ccd20afbeec42f7711fb787ebebde0b38ff85255..85bb",
  "scope": "email profile openid https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/user.birthday.read",
  "authuser": "0"
}
Galaxy exchanges the code for tokens; the response carries the User’s OIDC ID Token:
{
  "access_token": "… 129 chars …",
  "auth_time": 1556220254,
  "expires": 3600,
  "id_token": "… 1000 chars …",
  "refresh_token": "… 45 chars …",
  "token_type": "Bearer"
}
ID token:
- is a JWT;
- contains claims about the authentication of the end-user.
Access token:
- is not a JWT (opaque to Galaxy);
- can be used to request info from the provider’s APIs.
Part of the decoded ID token (payload):
{
  "iss": "accounts.google.com",
  "azp": "…",
  "aud": "8936 ... 8o88f.apps.googleusercontent.com",
  "sub": "100813134013939805912",
  "email": "jalili.vahid@gmail.com",
  "email_verified": true,
  "at_hash": "oRKH9-7HUwPJx-OxBSR-TA",
  "nonce": "…",
  "iat": 1556220253,
  "exp": 1556223853
}
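The checks Galaxy (the OIDC client) has to run on that payload before trusting it, as an added example that is not the Galaxy project’s own code: the callback state must match the one stored in the user’s session, and the ID token’s iss, aud/azp, exp/iat, nonce and at_hash must match what Galaxy sent and received. The client ID, access token and callback values are constructed placeholders, the at_hash rule assumes an RS256-signed token, and JWT signature verification against the provider’s JWKS is assumed to have happened already.

```python
import base64
import hashlib

# Constructed values modelled on the slides: Galaxy's client ID is a placeholder,
# the state and nonce are the ones Galaxy put into the authorization request.
CLIENT_ID = "<galaxy-client-id>.apps.googleusercontent.com"
SENT_STATE = "zCbXw5YEEiHHqsOEWQnkydFfolBYYWFB"
SENT_NONCE = "U9zZAIsacYEB7lJ3FZxO9G3nfzPaIxrl94Vnr5f2WfLMc8KQoG3C2B8LP2IGlwAW"
ACCEPTED_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}
CLOCK_SKEW = 60  # seconds of tolerated clock drift between Galaxy and the provider


def at_hash_for(access_token: str) -> str:
    """at_hash per OIDC Core 3.1.3.6 for an RS256-signed ID token (assumed here):
    base64url of the left-most 128 bits of SHA-256(access_token), without padding."""
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest[:16]).rstrip(b"=").decode("ascii")


def check_callback_state(callback_params: dict, sent_state: str = SENT_STATE) -> bool:
    """The state echoed in the callback must equal the one stored in the user's
    session when the authorization request was built (CSRF binding), and a code
    must be present."""
    return callback_params.get("state") == sent_state and "code" in callback_params


def validate_id_token_claims(claims: dict, access_token: str, now: int,
                             client_id: str = CLIENT_ID,
                             sent_nonce: str = SENT_NONCE) -> list:
    """Return the names of the failed checks (an empty list means acceptable).
    Only the payload is checked; the signature must have been verified before."""
    failed = []
    if claims.get("iss") not in ACCEPTED_ISSUERS:
        failed.append("iss")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud:
        failed.append("aud")
    # With several audiences the authorized party must be this client.
    if len(aud) > 1 and claims.get("azp") != client_id:
        failed.append("azp")
    exp = claims.get("exp")
    if not isinstance(exp, int) or now > exp + CLOCK_SKEW:
        failed.append("exp")
    iat = claims.get("iat")
    if not isinstance(iat, int) or iat > now + CLOCK_SKEW:
        failed.append("iat")
    # The nonce binds this ID token to the authorization request Galaxy sent.
    if claims.get("nonce") != sent_nonce:
        failed.append("nonce")
    # at_hash binds the access token from the same response to this ID token.
    if "at_hash" in claims and claims["at_hash"] != at_hash_for(access_token):
        failed.append("at_hash")
    if claims.get("email_verified") is not True:
        failed.append("email_verified")
    return failed


# Constructed sample inputs shaped like the slide's callback and token response.
SAMPLE_ACCESS_TOKEN = "ya29.constructed-sample-access-token"
SAMPLE_CALLBACK = {"code": "4/constructed-code", "state": SENT_STATE, "prompt": "consent"}


def sample_claims() -> dict:
    """ID token payload shaped like the slide's, with an at_hash consistent
    with SAMPLE_ACCESS_TOKEN (constructed data, not a real token)."""
    return {
        "iss": "accounts.google.com",
        "azp": CLIENT_ID,
        "aud": CLIENT_ID,
        "sub": "100813134013939805912",
        "email": "user-x@example.com",
        "email_verified": True,
        "at_hash": at_hash_for(SAMPLE_ACCESS_TOKEN),
        "nonce": SENT_NONCE,
        "iat": 1556220253,
        "exp": 1556223853,
    }


if __name__ == "__main__":
    now = 1556220300  # a few seconds after the sample iat
    print("state ok:", check_callback_state(SAMPLE_CALLBACK))
    print("claim failures:", validate_id_token_claims(sample_claims(), SAMPLE_ACCESS_TOKEN, now))
```

A token replayed from a different login attempt fails the nonce check, and an access token swapped in from another response fails at_hash, even when every other claim is valid.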
Authorization Code Grant flow in a nutshell
Let Galaxy access my private data: User X defines an AWS IAM role for Galaxy.
AWS IAM Role Policy (what the role may do; here, read one object from the bucket, and only from the given source IP):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::my-bucket/hgmm_100_R2.fastq"
      ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "1.2.3.4"
        }
      }
    }
  ]
}
Role ARN: identifies the role Galaxy will assume.
AWS IAM Role Trust (who may assume the role: identities federated through accounts.google.com whose token audience is Galaxy’s client ID):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "accounts.google.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "accounts.google.com:aud": "8936 ... 8o88f.apps.googleusercontent.com"
        }
      }
    }
  ]
}
Here is my ID and authorization, give me temporary secrets to access User X’s private data. Galaxy calls AWS STS with the Role ARN and the user’s ID token:
https://sts.amazonaws.com/?
DurationSeconds=3600&
Action=AssumeRoleWithWebIdentity&
Version=2011-06-15&
RoleSessionName=cloudauthz&
RoleArn=<Role ARN>&
WebIdentityToken=<ID Token>
STS returns Temporary Secrets:
AccessKeyId: ASIA4 … AA2ZE
SecretAccessKey: owi+huRYTTWlL … zujnvKZvS
SessionToken: FQoGZXIvYXdzEIv//////////wEaDME/ … u0o9fGc5gU=
Role-Based Access Control flow in a nutshell
Thanks
Publication:
- https://www.biorxiv.org/content/10.1101/506238v1
Demo:
- https://galaxyproject.org/authnz/cloud/demo/
Details:
- https://galaxyproject.org/authnz/cloud/
- https://galaxyproject.org/authnz/config/oidc/
- https://galaxyproject.org/authnz/use/oidc/

User Authentication and Cloud Authorization in the Galaxy project: https://doi.org/10.1101/506238

  • 1. User X Galaxy Cloud Get data from my S3 bucket to my history Give me User X’s bucket Give me your secrets! Any middleware Any science gateway Hey, can you share your secrets with me?
  • 2. Do NOT ask for user’s credentials, because:
    - Obtaining credentials demands a degree of familiarity with the provider, which is usually not intuitive for general users;
    - Liability concern for Galaxy to securely store the credentials;
    - Provides Galaxy with the same level of privileges as the user;
    - Stolen credentials can be disabled only by manual intervention of the user.
  • 3. Instead:
    - Use server-to-server communication, and minimize user interaction/intervention;
    - Use token-based authentication and authorization;
    - Use temporary tokens;
    - Use role-based access control.
  • 4. User X Galaxy Cloud User X has authorized me to access her private bucket Who are you? Who is User X? What is your authorization? User X authorized me
  • 5. Who Are You? Who is User X? What is Your Authorization?
  • 6. Who Are You? Who is User X? What is Your Authorization? Galaxy’s OIDC Client ID Register Galaxy as an OIDC Client Client ID: 8936 … 8o88f.apps.googleusercontent.com
  • 7. Who Are You? Who is User X? What is Your Authorization? Galaxy’s OIDC Client ID. Give me a proof of User X’s identity:
    https://accounts.google.com/o/oauth2/auth?
      nonce=U9zZAIsacYEB7lJ3FZxO9G3nfzPaIxrl94Vnr5f2WfLMc8KQoG3C2B8LP2IGlwAW&
      state=zCbXw5YEEiHHqsOEWQnkydFfolBYYWFB&
      redirect_uri=http://localhost:8080/authnz/google/callback&
      prompt=consent&
      response_type=code&
      client_id=8936 … 8o88f.apps.googleusercontent.com&
      scope=openid+email+profile+https://www.googleapis.com/auth/user.birthday.read&
      access_type=offline
  • 8. Who Are You? Who is User X? What is Your Authorization? Galaxy’s OIDC Client ID Give me a proof of User X’s identity User’s Authentication (who they are)
  • 9. Who Are You? Who is User X? What is Your Authorization? Galaxy’s OIDC Client ID Give me a proof of User X’s identity User’s Authorization (what they allow you to do)
  • 10. Who Are You? Who is User X? What is Your Authorization? Galaxy’s OIDC Client ID. Give me a proof of User X’s identity. Here is your proof (callback parameters):
    {
      "code": "4/NwEDKgZ2GZFbzd … I7xeXhvWEBESoc",
      "prompt": "consent",
      "state": "zCbXw5YEEiHHqsOEWQnkydFfolBYYWFB",
      "session_state": "ccd20afbeec42f7711fb787ebebde0b38ff85255..85bb",
      "scope": "email profile openid https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/user.birthday.read",
      "authuser": "0"
    }
  • 11. Who Are You? Who is User X? What is Your Authorization? Galaxy’s OIDC Client ID. User’s OIDC ID Token. Give me a proof of User X’s identity. Here is your proof (token response):
    {
      "access_token": "… 129 chars …",
      "auth_time": 1556220254,
      "expires": 3600,
      "id_token": "… 1000 chars …",
      "refresh_token": "… 45 chars …",
      "token_type": "Bearer"
    }
    ID token:
    - is a JWT;
    - contains claims about the authentication of the end-user.
    Access token:
    - is not a JWT;
    - can be used to request info.
  • 12. Who Are You? Who is User X? What is Your Authorization? Galaxy’s OIDC Client ID. User’s OIDC ID Token. Give me a proof of User X’s identity. Here is your proof. Part of a decoded ID token, payload:
    {
      "iss": "accounts.google.com",
      "azp": "…",
      "aud": "8936 ... 8o88f.apps.googleusercontent.com",
      "sub": "100813134013939805912",
      "email": "jalili.vahid@gmail.com",
      "email_verified": true,
      "at_hash": "oRKH9-7HUwPJx-OxBSR-TA",
      "nonce": "…",
      "iat": 1556220253,
      "exp": 1556223853
    }
    (shown next to the token response from slide 11)
  • 13. Who Are You? Who is User X? What is Your Authorization? Authorization Code Grant flow in a nutshell (recap of slides 6–12: client ID, authorization request, callback code, token response, decoded ID token).
  • 14. Who Are You? Who is User X? What is Your Authorization? Galaxy’s OIDC Client ID. User’s OIDC ID Token. Give me a proof of User X’s identity. Here is your proof. Let Galaxy access my private data. AWS IAM Role Policy (Role ARN):
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": "s3:GetObject",
          "Resource": [ "arn:aws:s3:::my-bucket/hgmm_100_R2.fastq" ],
          "Condition": { "IpAddress": { "aws:SourceIp": "1.2.3.4" } }
        }
      ]
    }
  • 15. Who Are You? Who is User X? What is Your Authorization? Galaxy’s OIDC Client ID. User’s OIDC ID Token. Give me a proof of User X’s identity. Here is your proof. Let Galaxy access my private data. AWS IAM Role Trust (Role ARN):
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": { "Federated": "accounts.google.com" },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": { "accounts.google.com:aud": "8936 ... 8o88f.apps.googleusercontent.com" }
          }
        }
      ]
    }
  • 16. Who Are You? Who is User X? What is Your Authorization? Galaxy’s OIDC Client ID. User’s OIDC ID Token. Give me a proof of User X’s identity. Here is your proof. Let Galaxy access my private data. Here is my ID and authorization, give me temporary secrets to access user X’s private data:
    https://sts.amazonaws.com/?
      DurationSeconds=3600&
      Action=AssumeRoleWithWebIdentity&
      Version=2011-06-15&
      RoleSessionName=cloudauthz&
      RoleArn=<Role ARN>&
      WebIdentityToken=<ID Token>
  • 17. Who Are You? Who is User X? What is Your Authorization? Galaxy’s OIDC Client ID. User’s OIDC ID Token. Temporary Secrets. Here is my ID and authorization, give me temporary secrets to access user X’s private data. Give me a proof of User X’s identity. Here is your proof. Let Galaxy access my private data. Temporary secrets:
    AccessKeyId: ASIA4 … AA2ZE
    SecretAccessKey: owi+huRYTTWlL … zujnvKZvS
    SessionToken: FQoGZXIvYXdzEIv//////////wEaDME/ … u0o9fGc5gU=
  • 18. Who Are You? Who is User X? What is Your Authorization? Role-Based Access Control flow in a nutshell (recap of slides 14–17: role policy, role trust, AssumeRoleWithWebIdentity call, temporary secrets).
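The two checks that make this flow safe are the relying party's validation of the ID token claims (slide 12) and STS's evaluation of the role trust policy's `accounts.google.com:aud` condition (slide 15). The following is an added example, not Galaxy's code: it models both checks on a constructed, unsigned JWT (the deck's client ID is kept as a placeholder; the issuer name follows the decoded payload on slide 12), and assumes the token's signature has already been verified against the provider's JWKS.

```python
import base64
import json
import time

# Client ID placeholder taken from the deck; all tokens below are constructed.
CLIENT_ID = "8936...8o88f.apps.googleusercontent.com"
GOOGLE_ISS = "accounts.google.com"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_id_token(payload: dict) -> str:
    """Constructed, unsigned JWT (header.payload.signature) for the example."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(payload).encode())}.sig-placeholder"


def decode_payload(token: str) -> dict:
    body = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))


def validate_id_token(token: str, nonce: str, now=None) -> list:
    """Claim checks the relying party must perform (after signature verification,
    which is assumed done): issuer, audience, nonce binding and expiry."""
    now = time.time() if now is None else now
    c = decode_payload(token)
    problems = []
    if c.get("iss", "").replace("https://", "") != GOOGLE_ISS:
        problems.append("iss")
    if c.get("aud") != CLIENT_ID:          # token minted for a different client
        problems.append("aud")
    if c.get("nonce") != nonce:            # not bound to this login request
        problems.append("nonce")
    if not isinstance(c.get("exp"), (int, float)) or c["exp"] <= now:
        problems.append("exp")
    return problems


def trust_policy_allows(trust_policy: dict, token: str) -> bool:
    """Simplified model of STS evaluating the role trust policy: the federated
    principal must match the token issuer and every StringEquals key (e.g.
    accounts.google.com:aud) must equal the corresponding token claim."""
    c = decode_payload(token)
    for stmt in trust_policy["Statement"]:
        if (stmt.get("Effect"), stmt.get("Action")) != ("Allow", "sts:AssumeRoleWithWebIdentity"):
            continue
        if stmt.get("Principal", {}).get("Federated") != c.get("iss", "").replace("https://", ""):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if all(c.get(k.split(":", 1)[1]) == v for k, v in cond.items()):
            return True
    return False
```

Because the trust policy pins `aud` to Galaxy's client ID, an ID token issued to any other OIDC client is rejected by STS even though it comes from the same issuer; the relying-party check rejects it earlier for the same reason.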
  • 20. Thanks
    Publication:
    - https://www.biorxiv.org/content/10.1101/506238v1
    Demo:
    - https://galaxyproject.org/authnz/cloud/demo/
    Details:
    - https://galaxyproject.org/authnz/cloud/
    - https://galaxyproject.org/authnz/config/oidc/
    - https://galaxyproject.org/authnz/use/oidc/