The SciTokens project aims to build a federated ecosystem for authorization on distributed scientific computing infrastructures.
We believe that distributed, scientific computing community has unique authorization needs that can be met by utilizing common web technologies, such as OAuth 2.0 and JSON Web Tokens (JWT). The SciTokens team, a collaboration between technology providers and domain scientists, is working to build and demonstrate a new authorization approach at scale.
In distributed computing, a natural unit of organization is the “virtual organization” (VO), typically a group or community representing a scient domain or experiment that might span several physical institutions (such as a university of lab). The VO has its own mechanisms to determine membership and access policies for resources it owns. SciTokens aims to provide an infrastructure that allows the VO to issue bearer tokens that focus on the capabilities the bearer should have within the VO’s namespace, as opposed to the identity of the bearer. This frees resource providers from needing to duplicate VO authorization policies based on identity mapping.
The SciTokens project aims to demonstrate a specific data access architecture for use with LIGO and LSST workflows. The architecture is shown below:
Users logged in to a specific host will be able to generate a refresh token and store it on the local token manager. They can then submit jobs to the local queue manager. When the queue manager is prepared to execute the user’s jobs, it will contact the token manager to create an access token. The access token is sent to the execute host and placed in the job runtime environment. When the job subsequently attempts to access data, it will utilize the access token to gain authorization.
Thus, the SciTokens architecture requires development of the following concepts:
- Token issuing and generation workflow between the VO and the submit host.
- Token format and verification.
- An authorization claims language and domain-specific claim validation rules.
The project will bring these concepts into a functioning infrastructure for its science stakeholders, which will require a token reference library, integration with a job submission system, and integration with a data access system.
The SciTokens project is in the process of defining the precise token format and validation/verification rules for utilizing SciTokens, building heavily on top of the OAuth2 framework.
The following is a list of technical documents pertaining to the SciTokens approach:
- SciTokens Claims Language: specifics on the formatting and contents of the tokens.
- Verification Procedure: how to verify and validate a token.
- SciTokens Library Reference: Auto-generated reference documentation for the SciTokens python library.
Demonstrations and Presentations
- SciTokens introduction to the WLCG GDB. Given by Brian Bockelman in October 2017.
- Token Generator Webapp. Small webapp for generating and parsing valid tokens from a demo issuer.
- X509-to-SciTokens Issuer. Token issuer for clients with CMS X509 proxies. Note: this implements the OAuth2
client_credentialsgrant type and does not have a human interface.
As SciTokens ramps up, we will post draft technical documents describing the overall architecture, the token format, and the runtime environment. In the meantime, feel free to subscribe to one of our project email lists: