Meeting held 2018-05-24 that is driving the need to implement OAuth identity mappings.
Jason Alt wrote:
I wanted to share some information on where we are to make sure we are in sync: https://docs.google.com/document/d/1gvgBnv_CXDBZ9SAjqWWFJKGvaOyOxvD9tIc5u9RED_c/edit?usp=sharing. There's a lot of background information in that document but ultimately, it's the account portion (bolded as 'discussion') at the end of the document that is the crux of the meeting.
#1 question for me is: can we find an approach that works for both Globus SSH and Globus Transfer rather than just solving it for Globus SSH today and waiting to solve it for OAuth-based Globus Transfer some time later?
You are right, both product lines should make use of the same information. There are similarities with our account mappings that we are baking into SSH and GCSv5. SSH requires the information client-side, GCSv5 will require it server-side. Perhaps there is an Xsede use case for Transfer that I'm not aware of?
Takeaways from that meeting:
Next steps are to discuss consent and login flows for users and the user experience around that. Finally, XSEDE will want a LOA (level of assurance) setting to reasonably ensure that the user is THE user (mimic hub policy to login/logout daily, LOA will mimic proxy expiration, likely via forced re authentication of the user on some cadence). All of this is planned post initial beta.