View on GitHub SciTokens

Federated Authorization for Distributed Scientific Computing

The SciTokens project enables a federated ecosystem for authorization on distributed scientific computing infrastructures. For the latest news on adoption of SciTokens, please visit our companion project site at https://sciauth.org/.

What’s New?

Email Lists

For SciTokens project updates and discussions, join our email lists:

SciTokens Code

The SciTokens Mission

We believe that distributed, scientific computing community has unique authorization needs that can be met by utilizing common web technologies, such as OAuth 2.0 and JSON Web Tokens. The SciTokens Team, a collaboration between technology providers and domain scientists, is working to build and demonstrate a new authorization approach at scale.

In distributed computing, a natural unit of organization is the “virtual organization” (VO), typically a group or community representing a science domain or experiment that might span several physical institutions (such as a university of lab). The VO has its own mechanisms to determine membership and access policies for resources it owns. SciTokens aims to provide an infrastructure that allows the VO to issue bearer tokens that focus on the capabilities the bearer should have within the VO’s namespace, as opposed to the identity of the bearer. This frees resource providers from needing to duplicate VO authorization policies based on identity mapping.

The SciTokens Model

The SciTokens project is developing a data access architecture for use with LIGO and LSST workflows. The architecture is shown below:

SciTokens data architecture

Users logged in to a specific host generate a refresh token and store it on the local token manager. They then submit jobs to the local queue manager. When the queue manager is prepared to execute the user’s jobs, it contacts the token manager to create an access token. The queue manager sends the access token to the execute host and places it in the job runtime environment. When the job subsequently attempts to access data, it uses the access token to gain authorization.

Thus, the SciTokens architecture builds on the following concepts:

  1. Token issuing and generation workflow between the VO and the submit host.
  2. Token format and verification.
  3. An authorization claims language and domain-specific claim validation rules.

The project is bringing these concepts into a functioning infrastructure for its science stakeholders, which will require a token reference library, integration with a job submission system, and integration with a data access system..

References

Technical Documents

The following is a list of technical documents pertaining to the SciTokens approach:

Demonstrations and Presentations