The SciTokens project is building a federated ecosystem for authorization on distributed scientific computing infrastructures.
- May 2021: SciTokens at HTCondor Week
- April 2021: HTCondor 9.0.0 Released with support for IDTOKEN authentication and support for jobs that need to acquire and use OAUTH tokens
- March 2021: Evolving the OSG Fabric of Services at the OSG All Hands Meeting
- January 2021: SciTokens at Trusted CI Webinar (see: slides and video)
- December 2020: SciTokens at TAGPMA Workshop on Token-Based Authentication and Authorization
- November 2020: HTCondor 8.9.10 added support for OAuth, SciTokens, and Kerberos credentials in local universe jobs.
- September 2020: SciTokens at HTCondor Workshop Autumn 2020
- July 2020: SciTokens SSH student poster paper presented at PEARC20
- May 2020: SciTokens at HTCondor Week
- March 2020: xrootd-scitokens plugin v1.2.0 released with fix for authorization logic error
- January 2020: WLCG Token-based AuthN/Z Hackathon
- January 2020: SciTokens support contributed to XSEDE OAuth SSH
- November 2019: Instructions for configuring the ORY Hydra OAuth2 Server to issue SciTokens.
- November 2019: HTCondor 8.9.4 and HTCondor-CE 4.0.1 released with SciTokens support.
- November 2019: The Insomnia REST Client has been patched so that it can obtain SciTokens for authorization.
- October 2019: Docker containers are available for testing the Java SciTokens Server/Client and the HTCondor CredMon
- October 2019: SciTokens at the NSF Cybersecurity Summit - slides
- September 2019: SciTokens at WLCG AuthZ WG Meeting and European HTCondor Workshop
- September 2019: WLCG Common JWT Profiles is published
- July 2019: SciTokens at PEARC19
- June 2019: HTCondor 8.9.2 released with support for authentication using SciTokens
- May 2019: SciTokens at HTCondor Week
- April 2019: SciTokens input on the WLCG Common JWT Profile
- March 2019: SciTokens at HOW2019
- February 2019: SciTokens Credential Monitor available for HTCondor
- January 2019: Syracuse SciTokens Setup
For SciTokens project updates and discussions, join our email lists:
- [email protected] (subscribe) (archives)
- [email protected] (subscribe) (archives)
- [email protected] (subscribe) (archives)
- Libraries: Python C++
- Integrations: CVMFS dCache NGINX XRootD
- HTCondor CredMon
- Token Server
- SciTokens SSH
The SciTokens Mission
We believe that distributed, scientific computing community has unique authorization needs that can be met by utilizing common web technologies, such as OAuth 2.0 and JSON Web Tokens. The SciTokens Team, a collaboration between technology providers and domain scientists, is working to build and demonstrate a new authorization approach at scale.
In distributed computing, a natural unit of organization is the “virtual organization” (VO), typically a group or community representing a science domain or experiment that might span several physical institutions (such as a university of lab). The VO has its own mechanisms to determine membership and access policies for resources it owns. SciTokens aims to provide an infrastructure that allows the VO to issue bearer tokens that focus on the capabilities the bearer should have within the VO’s namespace, as opposed to the identity of the bearer. This frees resource providers from needing to duplicate VO authorization policies based on identity mapping.
The SciTokens Model
Users logged in to a specific host generate a refresh token and store it on the local token manager. They then submit jobs to the local queue manager. When the queue manager is prepared to execute the user’s jobs, it contacts the token manager to create an access token. The queue manager sends the access token to the execute host and places it in the job runtime environment. When the job subsequently attempts to access data, it uses the access token to gain authorization.
Thus, the SciTokens architecture builds on the following concepts:
- Token issuing and generation workflow between the VO and the submit host.
- Token format and verification.
- An authorization claims language and domain-specific claim validation rules.
The project is bringing these concepts into a functioning infrastructure for its science stakeholders, which will require a token reference library, integration with a job submission system, and integration with a data access system..
- You Alex Gao, Jim Basney, and Alex Withers. 2020. SciTokens SSH: Token-based Authentication for Remote Login to Scientific Computing Environments. In Practice and Experience in Advanced Research Computing (PEARC ’20), July 26-30, 2020, Portland, OR, USA. ACM, New York, NY, USA, 4 pages. https://doi.org/10.1145/3311790.3399613
- Altunay, Mine; Bockelman, Brian; Ceccanti, Andrea; Cornwall, Linda; Crawford, Matt; Crooks, David; Dack, Thomas; Dykstra, David; Groep, David; Igoumenos, Ioannis; Jouvin, Michel; Keeble, Oliver; Kelsy, David; Lassnig, Mario; Liampotis, Nicolas; Litmaath, Maarten; McNab, Andrew; Millar, Paul; Sallé, Mischa; Short, Hannah; Teheran, Jeny; Wartel, Romain. WLCG Common JWT Profiles (Version 1.0). Zenodo. September 25, 2019. https://doi.org/10.5281/zenodo.3460258
- Alex Withers, Brian Bockelman, Derek Weitzel, Duncan Brown, Jason Patton, Jeff Gaynor, Jim Basney, Todd Tannenbaum, You Alex Gao, and Zach Miller. 2019. SciTokens: Demonstrating Capability-Based Access to Remote Scientific Data using HTCondor. In Practice and Experience in Advanced Research Computing (PEARC ‘19), July 28-August 1, 2019, Chicago, IL, USA. ACM, New York, NY, USA, 4 pages. https://doi.org/10.1145/3332186.3333258 (preprint: https://arxiv.org/abs/1905.09816)
- Derek Weitzel, Brian Bockelman, Jim Basney, Todd Tannenbaum, Zach Miller, and Jeff Gaynor. Capability-Based Authorization for HEP. In 23rd International Conference on Computing in High Energy and Nuclear Physics (CHEP 2018), July 9-13, 2018, Sofia, Bulgaria. https://doi.org/10.1051/epjconf/201921404014
- Alex Withers, Brian Bockelman, Derek Weitzel, Duncan A. Brown, Jeff Gaynor, Jim Basney, Todd Tannenbaum, Zach Miller, “SciTokens: Capability-Based Secure Access to Remote Scientific Data”, PEARC ‘18: Practice and Experience in Advanced Research Computing, July 2018, Pittsburgh, PA, USA. https://doi.org/10.1145/3219104.3219135 (preprint: https://arxiv.org/abs/1807.04728)
- SciTokens Project Proposal
The following is a list of technical documents pertaining to the SciTokens approach:
- SciTokens Claims Language: specifics on the formatting and contents of the tokens.
- Verification Procedure: how to verify and validate a token.
- SciTokens Library Reference: Auto-generated reference documentation for the SciTokens python library.
- Syracuse SciTokens Setup: description on how SciTokens was setup at Syracuse.
- Setting up the SciTokens Credential Monitor for HTCondor
Demonstrations and Presentations
- SciTokens introduction to the WLCG GDB. Given by Brian Bockelman in October 2017.
- Introduction to SciTokens presentation to SC17 MAGIC Meeting. Given by Todd Tannenbaum in November 2017.
- CILogon and SciTokens presentation to EUGridPMA. Given by Jim Basney in January 2018.
- Introduction to SciTokens presentation to HTCondor Week. Given by Brian Bockelman and Jim Basney in May 2018.
- SciTokens in CVMFS presentation to CVMFS Coordination Meeting Given by Derek Weitzel in June 2018.
- Bootstrapping a (New?) LHC Data Transfer Ecosystem. An overview of how LHC could transform its data transfer ecosystem, including the use of SciTokens. Given by Brian Bockelman in July 2018.
- Capability-Based Authorization for HEP. An outline of how capability-based authorization would benefit the High Energy Physics community. Given by Brian Bockelman in July 2018.
- SciTokens at PEARC18. Presented by Jim Basney at PEARC18 on July 25 2018.
- SciTokens at HTCondor Week 2019. Presented by Zach Miller.
- SciTokens at the NSF Cybersecurity Summit - slides presented by Alex Withers and Derek Weitzel
- SciTokens and IAM Interoperability. Presented by Brian Bockelman at the pre-GDB - AuthZ WG - at FermiLab on September 10, 2019.
- SciTokens at HTCondor Workshop Autumn 2020
- SciTokens at January 2021 Trusted CI Webinar (see: slides and video)
- Evolving the OSG Fabric of Services at the 2021 OSG All Hands Meeting
- Token Generator Webapp. Small webapp for generating and parsing valid tokens from a demo issuer.
- X509-to-SciTokens Issuer. Token issuer for clients with CMS X509 proxies. Note: this implements the OAuth2
client_credentialsgrant type and does not have a human interface.