JIRA Issue

[#XCI-496] SSH with OAuth (OIDC/OAuth SSH service and client)

[XCI-496] SSH with OAuth (OIDC/OAuth SSH service and client) Created: 10/29/2018  Updated: 12/08/2021

Status: Design
Project: XSEDE Cyberinfrastructure Integration
Component/s: Globus Auth SSH
Fix Version/s: PY8 (Sep '18 - Aug '19), PY9 (Sep '19 - Aug '20)

Type: XCI New Capability Priority: Normal
Reporter: Lee Liming Assignee: Lee Liming
Resolution: Unresolved Votes: 1

Issue Links:
Associated bugs and stories
associated with XCI-751 OAuth based SSH login capability inte... Cancelled
blocks XCI-694 Add SciTokens support to SSH with OAuth Design
XCI Deliverable
has deliverable XCI-572 Prepare repo for SSH with OAuth code Closed
has deliverable XCI-498 OAuth-SSH alternative to XSEDE SSO Hub Cancelled
has deliverable XCI-499 OAuth-SSH User Documentation for XUP Backlog
has deliverable XCI-497 OAuth-SSH deployment plan for SSH ser... In Progress
has deliverable XCI-196 Deliver XSEDE user to OAuth identity ... Closed
XCI Design
implements design from XCI-501 Security review for Globus Connect Se... Closed
Target Operator:
Campus Resource Operators, XSEDE Enterprise Services, XSEDE Service Providers
XSEDE Priority: -
XSEDE Areas:
RACD Integration Services, RACD Security
Use Case Priority: High
Discussion Thread: https://software.xsede.org/discussion-forums/xci-496
Public activity link: https://software.xsede.org/display/xci-496
Devel Repository:
Use Cases:
CAN-04: Open a command shell on a login server (web browser), CAN-06: Authenticate with an application, CB-08: Use a community login service with campus login servers, DA-02: Prepare data for analysis, DA-03: Analyze data from research instruments, DA-04: Analyze data generated by a simulation, DA-05: Steer a large computation while it runs, HPC-01: Use a single HPC resource for a research project, HPC-02: Use two or more HPC resources for a research project, HTC-01: Run a set of independent jobs on an HTC resource, HTC-02: Run a set of interrelated jobs on an HTC resource, IDM-14: SSH access using a community identity for education, VIS-01: Visualize research data using streaming video, VIS-02: Visualize research data using streaming geometry data, VIS-03: Generate visualization data for later viewing, VIS-04: Visualize and steer a simulation running on a remote resource, VIS-05: Visualize a simulation as it runs on a remote resource
Effort and Costs:
Staff Name (Lastname, Firstname) Effort (person weeks) Roles or Contributions Status
Liming, Lee 1 one week of effort to lead and implement the activity (required) none
Liming, Lee 2.8 three weeks of effort to draft the design documents (one for adding OAuth-SSH to SP SSH services, another for SSO Hub changes/replacement) none
Navarro, JP 0.4 two days to initiate a design & security review none
DSR reviewers 2 Estimated: 10 reviewers, each spending one full day to review the design & security review materials, ask questions, discuss, ultimately vote up or down: Proposed: Sakai, Storm, none
Liming, Lee 0.6 three days to respond to DSR questions & issues none

NOTE: Effort for TRR deliverables will be tracked separately in sub-task activities.

Due by Activity Deliverable
DSR Design document*
TRR OAuth-SSH software & docs (from Globus)
TRR Mapfile generator tool (from XSEDE)**
TRR Deployment plan for SP admins**
TRR Deployment plan for XSEDE SSO Hub**
TRR Test plan*
TRR User documentation for XUP/XSEDE website**
TRR (post) TRR Baseline* (Shava)
Deployment Deployment Baseline* (Shava)
Deployment Test Report* (Shava)

( * ) Click on "Deliverables" tab for URL.

( ** ) See linked issues for details & deliverables.

Planned Launch Date:
Actual Launch Date:
Planned Design Review Date:
Planned Test Readiness Review Date:
Planned Complete Date:
Activity Lead: Lee Liming
Lead Tester: Shava Smallen


This activity will prepare and test OAuth-SSH for use by XSEDE SPs and a new or updated XSEDE SSO Hub, based on the final release of OAuth-SSH. OAuth-SSH is SSH using OpenID Connect (OIDC) authentication and OAuth 2.0 access tokens. This is the authentication used by XSEDE's Web SSO service.

When Globus announced its end-of-support for the Globus Toolkit, that included GSI-OpenSSH, which is SSH based on X.509 authentication. Most XSEDE SPs and the XSEDE SSO Hub use GSI-OpenSSH for their SSH (remote login) services.  While support for GSI-OpenSSH may continue via open source community contributions, we are exploring other options for the future of XSEDE's SSH services.


There are comments for XCI-496 that can be viewed with XSEDE authentication.