Authentication Specification #50

Open
lmarinve opened this issue Aug 13, 2024 · 0 comments
Authentication was implemented by outsourcing to the Internet2 CILogon federated identity management service so that users can log in to the AW-SDX with credentials from their home institutions. Our implementation is customized to fit into the existing Flask web application framework that the AW-SDX portal and API are based on. As shown in Figure 11, we added two containers running a Vouch Proxy server and an Nginx web server to the SDX system to enable authentication using CILogon for users to gain access to the AW-SDX web applications (portal and APIs).

As shown in Figure 11, the authentication subsystem consists of an Nginx web server, a Vouch Proxy server, and the application (SDX Controller), each of which runs in a separate Docker container. Vouch Proxy is a general OAuth/OIDC (Open Authentication/OpenID Connect) login solution that supports many IdPs (Identity Providers), including the CILogon service that we chose to use. The login workflow consists of the following steps:

- (1) The user visits the SDX web site from a local browser.
- (2) The Nginx reverse proxy server proxies the request to the Vouch server.
- (3) The Vouch server maintains the state of this login session.
  - (3.a) If it's validated already, it returns a valid JWT (JSON Web Token) to allow the user to access the SDX service.
  - (3.b) If not validated, the Vouch server will proxy the user to CILogon.
- (4) The user can then log in using his/her home institute's login service.
- (5) The Vouch service returns the validation back to the Nginx server.

Outcome: Packaging and documentation were completed for the final release of the AW-SDX 1.0.

@lmarinve lmarinve self-assigned this Aug 13, 2024
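
The login workflow described in the issue, sketched as an Nginx configuration. This is an added example following Vouch Proxy's documented `auth_request` pattern, not the AW-SDX project's own configuration; the hostnames, container names (`vouch`, `sdx-controller`), controller port and certificate paths are assumptions.

```nginx
# Added example: hostnames, container names, ports and paths are assumptions.
server {
    listen 443 ssl;
    server_name sdx.example.org;                      # assumed portal/API hostname
    ssl_certificate     /etc/nginx/certs/sdx.crt;     # placeholder paths
    ssl_certificate_key /etc/nginx/certs/sdx.key;

    # Steps 2-3: every request is first checked against Vouch Proxy.
    auth_request /validate;

    location = /validate {
        internal;                                     # reachable only as an auth subrequest
        proxy_pass http://vouch:9090/validate;        # 9090 is Vouch Proxy's default port
        proxy_set_header Host $http_host;
        proxy_pass_request_body off;                  # Vouch only inspects headers and cookies
        proxy_set_header Content-Length "";
        auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
        auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
        auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
        auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
    }

    # Step 3.b: no valid session, so send the browser to Vouch's /login,
    # which in turn redirects to CILogon (step 4).
    error_page 401 = @error401;
    location @error401 {
        return 302 https://vouch.example.org/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
    }

    # Steps 3.a and 5: validated requests are passed to the SDX Controller.
    location / {
        proxy_pass http://sdx-controller:8080;        # assumed container name and port
        # Set from Vouch's response; overwrites any X-Vouch-User sent by the client.
        proxy_set_header X-Vouch-User $auth_resp_x_vouch_user;
    }
}

# The browser must be able to reach Vouch Proxy for /login and the OIDC callback.
server {
    listen 443 ssl;
    server_name vouch.example.org;                    # assumed Vouch hostname
    ssl_certificate     /etc/nginx/certs/vouch.crt;
    ssl_certificate_key /etc/nginx/certs/vouch.key;
    location / {
        proxy_pass http://vouch:9090;
        proxy_set_header Host $http_host;
    }
}
```

With this layout the SDX Controller container should not publish its port on the host, so that the only path to it runs through the Nginx `auth_request` check.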