DIRAC: OIDC/OAuth2 based security framework
October 25, 2023
The DIRAC Interware is a framework for building distributed computing systems that integrates various kinds of computing and storage resources in a way that is transparent from the user's perspective. Until recently, client communications with DIRAC were based on a custom protocol using X.509 PKI certificates. Following the recent move towards an OIDC/OAuth2 based security infrastructure, the DIRAC client/server protocol was enhanced to support both proxy certificates and tokens. The new framework has components for user authentication and authorization with respect to the DIRAC services. It also has a Token Manager service for maintaining the long-lived tokens needed to support asynchronous operations on the user's behalf. Tokens can now be used to access computing resources such as HTCondorCE and ARC Computing Elements as well as cloud sites. Enabling access to storage resources and other third-party services is currently under intensive development.
In this paper we describe the architecture of the DIRAC security framework together with various aspects of its implementation. The choice of solutions is largely motivated by the requirement of continuity for the DIRAC services already in production and transparency of the changes for end users. The use of OAuth2 tokens in dedicated or multi-community DIRAC services, as well as the need to support multiple Identity Provider services, is discussed. We also provide an outlook on future development plans, with the goal of achieving a complete, scalable and user-friendly security framework for the DIRAC Interware project.