|
| 1 | +# Authentication Flows |
1 | 2 |
|
| 3 | +Requests related to authentication are dotted lines, while other API calls are solid |
| 4 | +lines. |
| 5 | + |
| 6 | +## Option A: Validate Scicat identity |
2 | 7 |
|
3 | 8 | ```mermaid
|
4 | 9 | sequenceDiagram
|
5 | 10 | autonumber
|
6 |
| - participant B as Browser |
| 11 | + participant B as Browser |
7 | 12 | participant S as Scicat Backend
|
8 | 13 | participant I as Ingestor Service
|
9 |
| - participant G as Storage (Globus) |
| 14 | + participant G as Storage |
10 | 15 | participant A as ETHZ Archiver Service
|
11 | 16 | participant K as Keycloak
|
12 | 17 |
|
| 18 | +
|
13 | 19 | B --) S: Login
|
14 |
| - S --) B: Scicat-JWT |
15 |
| -
|
16 |
| - opt Option A |
17 |
| - B --) I: Login with Scicat-JWT |
18 |
| - I --) B: Ingestor-JWT |
19 |
| - B --) I: ingest (Ingestor-JWT) passing Scicat-JWT |
20 |
| - I --) B: POST /dataset (Scicat-JWT) |
21 |
| - I --) G: Transfer (??) |
22 |
| - I --) S: PATH /dataset (Service User) |
23 |
| - end |
| 20 | + S --) B: Scicat-JWT🔑 |
| 21 | + B --) I: Login with Scicat-JWT |
| 22 | + I -->> S: Validate Scicat-JWT (/api/v3/users/{id}/userIdentity) |
| 23 | + S -->> I: Return roles and groups |
| 24 | + I --) B: Ingestor-JWT🔑 |
| 25 | + B -) I: POST /ingest (Ingestor-JWT) passing Scicat-JWT (and Globus access token) |
| 26 | + I -) S: POST /dataset (Scicat-JWT) |
| 27 | +
|
| 28 | + alt ETHZ |
| 29 | + I --) A: POST /token (Scicat-JWT) with pid |
| 30 | + A -->> S: Validate Scicat-JWT (/api/v3/users/{id}/userIdentity) |
| 31 | + S -->> A: Return roles and groups |
| 32 | +
|
| 33 | + A --) K: POST request transfer token (service account) |
| 34 | + K --) A: Token for given dataset id: transfer-JWT |
| 35 | + A --) I: transfer-JWT🔑 |
| 36 | +
|
| 37 | + I ->> A: POST /presigned (transfer-JWT) |
| 38 | + A ->> I: presigned URLs |
| 39 | +
|
| 40 | + I -) G: Transfer data (presigned URLs) |
| 41 | + I -) A: Complete upload (transfer-JWT) |
| 42 | + A -) S: PATCH /dataset (service account) |
24 | 43 |
|
25 |
| - opt Option B |
26 |
| - B --) I: Ingest (Scicat-JWT) |
27 |
| - I --) B: Validate Scicat-JWT (/api/v3/users/{id}/userIdentity) |
28 |
| - I --) B: POST /dataset (Scicat-JWT) |
29 |
| - I --) G: Transfer (??) |
30 |
| - S --) S: PATCH /dataset (service account) |
| 44 | + else Globus |
| 45 | + I -) G: Transfer (Globus access token) |
| 46 | + I -) S: PATCH /dataset (Service User) |
31 | 47 | end
|
32 | 48 |
|
33 |
| - opt ETHZ |
34 |
| - I --) A: POST /token (Scicat-JWT) |
| 49 | +``` |
| 50 | + |
| 51 | + |
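Review bot: the validation calls `I -->> S: Validate Scicat-JWT (/api/v3/users/{id}/userIdentity)` and the matching `A -->> S:` line take a user id in the path, so the ingestor and archiver must read the subject out of the Scicat-JWT before the backend has confirmed anything about it; the diagram should state which claim supplies `{id}` and that the backend checks the presented bearer token actually belongs to that id rather than only that it is a valid token. Separately, `B -) I: POST /ingest (Ingestor-JWT) passing Scicat-JWT (and Globus access token)` and `I --) A: POST /token (Scicat-JWT) with pid` forward the user's Scicat bearer token through two services; add a note on the token's expected lifetime and that neither service persists or logs it beyond the calls shown, since the Option B text later presents not forwarding it as a design goal.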
| 52 | +- Both the ingestor and archiver accept scicat tokens during logon. |
| 53 | +- The ingestor/archiver validates the scicat token using a `/userinfo` endpoint and |
| 54 | + check the returned payload for authorization claims. |
| 55 | +- Requires a scicat service user for the ingestor for the dataset update for globus. |
| 56 | + ETHZ can avoid this by re-using the archiver service user (via an api) |
| 57 | + |
| 58 | +### Changes needed |
| 59 | + |
| 60 | +- (scicat backend) Add authorization claims to `/userinfo` |
| 61 | + |
| 62 | + |
| 63 | +## Option B |
| 64 | + |
| 65 | +```mermaid |
| 66 | +sequenceDiagram |
| 67 | + autonumber |
| 68 | + participant B as Browser |
| 69 | + participant S as Scicat Backend |
| 70 | + participant I as Ingestor Service |
| 71 | + participant G as Storage (Globus) |
| 72 | + participant A as ETHZ Archiver Service |
| 73 | + participant K as Keycloak |
| 74 | +
|
| 75 | + B --) I: Login with keycloak |
| 76 | + I -->> I: store refresh-token |
| 77 | + I --) B: Ingestor-JWT🔑 |
| 78 | + B -) I: POST /ingest (Ingestor-JWT) (with Globus access token) |
| 79 | +
|
| 80 | + I ->> S: Login (Ingestor-JWT) |
| 81 | + S ->> I: Scicat-JWT🔑 |
| 82 | + I -) S: POST /dataset (Scicat-JWT) |
| 83 | +
|
| 84 | + alt ETHZ |
| 85 | + I --) A: POST /token (Ingestor-JWT) |
| 86 | + A -->> A: verify Ingestor-JWT |
| 87 | +
|
35 | 88 | A --) K: POST request transfer token (service account)
|
36 | 89 | K --) A: Token for given dataset id: transfer-JWT
|
37 |
| - I --) A: POST presigned URL (transfer-JWT) |
38 |
| - A --) I: presigned URLs |
39 |
| - I --) A: Transfer data (presigned URLs) |
40 |
| - I --) A: Complete upload (transfer-JWT) |
41 |
| - A --) S: PATCH /dataset (service account) |
| 90 | + A --) I: transfer-JWT🔑 |
| 91 | +
|
| 92 | + I ->> A: POST /presigned (transfer-JWT) |
| 93 | + A ->> I: presigned URLs |
| 94 | +
|
| 95 | + I -) G: Transfer data (presigned URLs) |
| 96 | +
|
| 97 | + else Globus |
| 98 | + I -) G: Transfer (Globus access token) |
42 | 99 | end
|
43 | 100 |
|
| 101 | +
|
| 102 | + I --) K: Renew token (refresh-token) |
| 103 | + K --) I: Ingestor-JWT-new🔑 |
| 104 | + I -->> S: Login (Ingestor-JWT-new) |
| 105 | + S -->> I: Scicat-JWT-new🔑 |
| 106 | +
|
| 107 | + I -) S: PATCH /dataset (Scicat-JWT-new) |
| 108 | +
|
44 | 109 | ```
|
| 110 | + |
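Review bot: `A -->> A: verify Ingestor-JWT` has the archiver verify a Keycloak-issued token locally but does not say what is verified; since the Changes section notes that scicat and the ingestor have different clientIds, spell out that the archiver checks the signature against Keycloak's published keys together with issuer, audience and expiry, so that tokens issued for a different client are rejected. The ETHZ branch here also drops the `I -) A: Complete upload (transfer-JWT)` step that Option A has; if the archiver still needs a completion call before the final PATCH, add it back, and if not, say why it is no longer required. Finally, `I -->> I: store refresh-token` introduces server-side storage of a user refresh token; the diagram should show where that token is discarded (after `I -) S: PATCH /dataset (Scicat-JWT-new)`, which is the last step that needs it) and the text should say how it is protected while stored.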
| 111 | +- The user doesn't pass the Scicat-JWT to the ingestor at any time. Instead, the |
| 112 | + ingestor can directly exchange the Ingestor-JWT (which is issued by keycloak and |
| 113 | + contains all needed claims) for a scicat token. |
| 114 | +- Ingestor tokens are issued with a refresh_token, allowing them to be renewed after the |
| 115 | + data transfer is complete |
| 116 | + |
| 117 | +## Changes |
| 118 | + |
| 119 | +- Accept Ingestor-JWT as a valid login method. This may require token exchange, since |
| 120 | + scicat and the ingestor have different clientIds |
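Review bot: the heading level is inconsistent with Option A (`### Changes needed` there versus `## Changes` here), so this section renders as a sibling of the two options rather than as part of Option B. The first bullet says the ingestor exchanges the Ingestor-JWT "for a scicat token", while the change item only says the backend should accept Ingestor-JWT "as a valid login method" and that token exchange "may" be required; state which of the two (direct login with the Ingestor-JWT, or a Keycloak token exchange into the scicat clientId) is intended, since they imply different Keycloak client configuration. The second bullet is also missing a full stop after `complete`.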