Getting Started with Globus for Developers

1. Rachana Ananthakrishnan May 11, 2022 Getting Started with Globus for Developers

2. Globus Auth API (Group Management) … Globus Transfer API Globus Connect Data Discovery File Sharing File Transfer & Replication Globus Platform-as-a-Service Integrate file transfer and sharing capabilities into scientific web apps, portals, gateways, etc...

3. Data centric applications leveraging Globus 3

4. Globus Auth API (Group Management) … Globus Transfer API Globus Connect Data Discovery File Sharing File Transfer & Replication Globus Platform-as-a-Service

5. Globus Auth: Foundational IAM service • Brokers authentication and authorization among… – End-users – Identity providers: enterprise, external (federated identities) – Services: resource servers with REST APIs – Apps: web, mobile, desktop, command line clients – Services acting as clients to other services • Support high assurance service for use with protected data (e.g. HIPAA protected data) 5

6. Based on widely used web standards • OAuth 2.0 Authorization Framework (a.k.a. OAuth2) • OpenID Connect Core 1.0 (a.k.a. OIDC) • Access via OAuth2 and OIDC libraries of your choice – Google OAuth Client Libraries (Java, Python, etc.), Apache mod_auth_openidc, etc. – Globus Python SDK 6 docs.globus.org/api/auth

7. Fundamental Concepts • Scopes – APIs that client is requesting access to • Consents – Authorizes a client to access a service, within limited scope, on the resource owner's behalf • Multiple methods for user to grant consent depending on the type of application 7

8. Authorization Code Grant 8 Portal (Client) Globus Transfer (Resource Server) Globus Auth (Authorization Server) 5. Authenticate using client id and secret, send authorization code Browser (User) 1. Access portal 2. Redirects user 3. User authenticates and consents 4. Authorization token 6. Access tokens 7. Authenticate with access tokens to invoke transfer service as user

9. Browser Native App Grant 9 Native App (Client) 1. Run application 2. URL to authenticate 3. Authenticate and consent 4. Auth code 5. Register auth code 6. Exchange code 7. Access tokens 8. Authenticate with access tokens to invoke transfer service as user App/Service (Resource Server) Globus Auth (Authorization Server)

10. Native App Grant with Refresh Tokens 10 Native App (Client) App/Service (Resource Server) Globus Auth (Authorization Server) 1. Run application 2. URL to authenticate Browser 3. Authenticate and consent 4. Auth code 5. Register auth code 6. Exchange code, request refresh tokens 7. Access tokens and refresh tokens 9. Exchange refresh token for new access tokens 8. Store refresh tokens 10. Access tokens 11. Authenticate with access tokens to invoke service as user

11. Confidential Client Credential Grant 11 1. Authenticate with app client id and secret 2. Access Tokens Application, Science Gateway, Data Portal (Client) 3. Authenticate as app with access tokens to invoke service (on behalf of authorized user, within a given scope) Globus Transfer (Resource Server) Globus Auth (Authorization Server)

12. Globus APIs • Auth • Groups • Transfer • Search • Timer • Flows • GCS Manager Base URL Scopes

13. Globus Transfer API • Globus Web App consumes public Transfer API • Resource named by URL (standard REST approach) – Query params allow refinement (e.g., subset of fields) • Globus APIs use JSON for documents and resource representations • Requests authorized via OAuth2 access token – Authorization: Bearer asdflkqhafsdafeawk docs.globus.org/api/transfer 13

14. Globus Python SDK • Python client library for the Globus Auth and Transfer REST APIs • globus_sdk.TransferClient class handles connection management, security, framing, marshaling from globus_sdk import TransferClient tc = TransferClient() globus-sdk-python.readthedocs.io/en/stable/ globus.github.io/globus-sdk-python 14

15. TransferClient higher-level calls • One method for each API resource and HTTP verb • Largely direct mapping to REST API endpoint_search(filter_fulltext=None, filter_scope=None, num_results=25, **params) 15

16. TransferClient low-level calls • Thin wrapper around REST API – post(), get(), update(), delete() get(path, params=None, headers=None, auth=None, response_class=None) o path – path for the request, with or without leading slash o params – dict to be encoded as a query string o headers – dict of HTTP headers to add to the request o response_class – class response object, overrides the client’s default_response_class o Returns: GlobusHTTPResponse object 16

17. GCSv4: endpoint activation • Activating endpoint means binding a credential to an endpoint for login • Host endpoints require activation to get a X.509 certificate for use with the endpoint – MyProxy OAuth • Auto-activate – Globus Connect Personal and shared endpoint use Globus- provided credential – Must auto-activate before any API calls to endpoints 17

18. GCSv5: consent for data access by transfer • Mapped collection requires user consent • In addition to transfer service scope, user must consent to a scope specific to the mapped collection • Scope format: – urn:globus:auth:scope:transfer.api.globus.org:all[*https://auth.gl obus.org/scopes/COLLECTION_UUID/data_access] • Consent is required for each new mapped collection accessed by a particular applications 18

19. Scopes in Globus SDK • Scope Builder • MutableScope objects globus-sdk-python.readthedocs.io/en/stable/scopes.html

20. Jupyter Notebook Walkthrough

21. Support resources • Globus documentation: docs.globus.org • GitHub: github.com/globus • Migrating applications to use GCSsv5: docs.globus.org/globus-connect-server/migrating-to- v5.4/application-migration/ • Sample code: github.com/globus/automation- examples • YouTube channel: youtube.com/user/GlobusOnline

Getting Started with Globus for Developers

Vous êtes en train de lire un aperçu.

Consultez-les par la suite

Getting Started with Globus for Developers

Plus De Contenu Connexe

Similaire à Getting Started with Globus for Developers (20)

Plus par Globus (20)

Plus récents (20)