NSF supports NCSA researchers’ “SciTokens” secure authorization project

08.10.17 -

Have you ever forgotten the password for one of your dozens of online accounts? You likely wasted time trying different variations of what you were sure was the password, until eventually you just reset it. And when you reset it, did you choose a simple password that you would be able to remember more easily, potentially compromising the security of your account? Well, it turns out that some computational scientists do the exact same thing.

The management of security credentials such as passwords and secret keys for computational science workflows is a burden for both scientists and information security officers. Problems with security credentials (e.g., expiration, privilege mismatch) cause workflows to fail to fetch needed input data or to store valuable scientific results, distracting scientists from their research by requiring them to diagnose the problem, re-run their computations, and wait longer for their results. To avoid these failures, scientists often fall back on long-lived, highly privileged credentials (e.g., ones that let the workflow fully impersonate their identity). This increases the risk to their accounts and to the underlying computational infrastructure, and adds complexity for the information security officers who manage that infrastructure.

To address this problem, Jim Basney of the National Center for Supercomputing Applications (NCSA) at the University of Illinois at Urbana-Champaign, along with co-PIs Alexander Withers (also at NCSA), Brian Bockelman of the University of Nebraska-Lincoln, Duncan Brown of Syracuse University, and Todd Tannenbaum of the University of Wisconsin-Madison, have been awarded $1 million by the National Science Foundation (NSF) to develop open source software known as SciTokens to help scientists manage their security credentials in a more reliable and secure manner.

The SciTokens Project will use common web technologies, such as OAuth 2.0 and JSON Web Tokens, to create a new authorization approach that scales to the decentralized environment found in large scientific collaborations. A user logged in to a specific host generates a refresh token and stores it in the local token manager, then submits jobs to the local queue manager. When the queue manager is ready to execute the user's jobs, it contacts the token manager to create an access token. The access token is sent to the execute host and placed in the job's runtime environment. When the job subsequently attempts to access data, it presents the access token to gain authorization.

The SciTokens Project includes participants from two major science collaborations: the Laser Interferometer Gravitational-Wave Observatory Scientific Collaboration and the Large Synoptic Survey Telescope project. It also includes participants from the HTCondor, Open Science Grid (OSG), and Extreme Science and Engineering Discovery Environment (XSEDE) projects. The project will promote adoption by integrating SciTokens into the widely-used HTCondor software and into the nation's cyberinfrastructure (e.g., OSG and XSEDE).

"The SciTokens project is launching at an opportune moment, with mature web security technologies now available to meet the challenging needs of science workflows," said Principal Investigator Jim Basney. "The open source SciTokens software will help science projects migrate to these technologies, to enable more productive and secure scientific research."