# SciTokens: Demonstrating Capability-Based Access to Remote Scientific   Data using HTCondor

**Authors:** Alex Withers (NCSA), Brian Bockelman (Morgridge Institute for, Research), Derek Weitzel (University of Nebraska-Lincoln), Duncan Brown, (Syracuse University), Jason Patton (University of Wisconsin-Madison), Jeff, Gaynor (NCSA), Jim Basney (NCSA), Todd Tannenbaum (University of, Wisconsin-Madison), You Alex Gao (University of Illinois), Zach Miller, (University of Wisconsin-Madison)

arXiv: 1905.09816 · 2019-05-27

## TL;DR

SciTokens introduces a secure, capability-based authorization system using OAuth tokens for distributed scientific computing, improving credential management, security, and interoperability across diverse computing resources.

## Contribution

The paper presents an open source implementation of SciTokens, demonstrating its deployment in the Open Science Grid and enhancements in HTCondor for secure, distributed scientific data access.

## Key findings

- Successful deployment in the Open Science Grid
- Enhanced OAuth support in HTCondor 8.8
- Improved security and interoperability for scientific workflows

## Abstract

The management of security credentials (e.g., passwords, secret keys) for computational science workflows is a burden for scientists and information security officers. Problems with credentials (e.g., expiration, privilege mismatch) cause workflows to fail to fetch needed input data or store valuable scientific results, distracting scientists from their research by requiring them to diagnose the problems, re-run their computations, and wait longer for their results. SciTokens introduces a capabilities-based authorization infrastructure for distributed scientific computing, to help scientists manage their security credentials more reliably and securely. SciTokens uses IETF-standard OAuth JSON Web Tokens for capability-based secure access to remote scientific data. These access tokens convey the specific authorizations needed by the workflows, rather than general-purpose authentication impersonation credentials, to address the risks of scientific workflows running on distributed infrastructure including NSF resources (e.g., LIGO Data Grid, Open Science Grid, XSEDE) and public clouds (e.g., Amazon Web Services, Google Cloud, Microsoft Azure). By improving the interoperability and security of scientific workflows, SciTokens 1) enables use of distributed computing for scientific domains that require greater data protection and 2) enables use of more widely distributed computing resources by reducing the risk of credential abuse on remote systems.   In this extended abstract, we present the results over the past year of our open source implementation of the SciTokens model and its deployment in the Open Science Grid, including new OAuth support added in the HTCondor 8.8 release series.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1905.09816/full.md

## Figures

3 figures with captions in the complete paper: https://tomesphere.com/paper/1905.09816/full.md

## References

13 references — full list in the complete paper: https://tomesphere.com/paper/1905.09816/full.md

---
Source: https://tomesphere.com/paper/1905.09816