Distributed web security for science gateways

Abstract

Science gateways broaden and simplify access to cyberinfrastructure (CI) by providing advanced interfaces to collaboration, analysis, data management, and other tools for students and researchers. As these science gateway interfaces to cyberinfrastructure grow in popularity, web portal developers adopt ad hoc approaches to the security challenges of authentication, authorization, and delegation. Science gateways integrate cyberinfrastructure resources on the researcher's behalf, i.e., accessing data, compute cycles, instruments, and other valuable resources. Resource access often requires use of the researcher's security credentials, in some cases exposing the researcher's long-lived password to potential compromise at the science gateway. There is no standard approach for a researcher to control and limit a science gateway's access to his or her resources. Thus, researchers are required to accept unnecessary risks when using science gateways.The Distributed Web Security for Science Gateways project is addressing these risks by providing authorization and delegation software for science gateways that complies with the Internet Engineering Task Force's standard OAuth protocol. The project is developing an OAuth server implementation and a set of client libraries and authentication modules to enable out of the box integration with common Web platforms, in coordination with gateways and cyberinfrastructure providers. In this paper, we introduce the project, including our planned software architecture.