
OIDC Authentication

Leveraging the OpenID Connect (OIDC) protocol, users can log in to Galaxy using identity providers that support OIDC (e.g. Google, Keycloak, Elixir, ...). Azure AD, which ORNL uses for laboratory-wide authentication, supports OIDC, so we configured Galaxy to use it.

Aside from logging in, OIDC tokens are used in multiple places to allow seamless user access to computational resources.

This document describes the configuration required to enable OIDC in Galaxy.

Setting up OIDC support in Galaxy

In your Galaxy install, you'll want to navigate to the top-level config directory. Here you want to make sure that your galaxy.yml has the following lines:

galaxy.yml
  enable_oidc: true
  oidc_config_file: oidc_config.xml
  oidc_backends_config_file: oidc_backends_config.xml

See the Calvera deployment project for the two config files, oidc_config.xml and oidc_backends_config.xml (these are templates; the actual values are stored in the configuration or in secret files).

Setting up file source supporting OIDC authentication

You need to add a line to the galaxy.yml file:

galaxy.yml
  file_sources_config_file: file_sources_conf.yml

and add a file source of type sshoidc (see file_sources_conf.yml). sshoidc is a plugin that connects to a remote server using the scp protocol and uses the OIDC ID token as the authentication method.

note

The remote server must support such an authentication method. We implemented a PAM OIDC module for that.

Exposing OIDC tokens in a tool

A tool can be given access to OIDC tokens if it needs them; in that case the tokens are injected as environment variables. See the get tokens tool for an example.

caution

ID and access tokens have a very short lifetime (usually 5-30 minutes), so it is possible that exposed tokens expire before a job for the tool starts. Refresh tokens have a longer lifetime, but you need access to identity provider secrets to refresh tokens from the tool. We do this in the Import OnCat tool, but this is kind of a hack and shouldn't be used too often.

Using OIDC tokens in Pulsar

OIDC tokens obtained during login to Galaxy can be used when running distributed jobs via Pulsar. This way, we enable access to all resources using single sign-on. Galaxy provides an extra API endpoint for Pulsar to get an ID token (see the design document for more information).

To configure user authentication using OIDC in Pulsar, add the corresponding section to the app.yml file, for example:

user_auth:
  authentication:
    - type: oidc
      oidc_jwks_url: xxxxx
      oidc_provider: xxxxx
      oidc_username_in_token: preferred_username
      oidc_username_template: '*'
  authorization:
    - type: userlist
      userlist_allowed_users:
        - xxx

note

We only use OIDC for authentication in this example. As a result, we obtain a username, which can be used by the authorization plugin to check access rights. See the deployment repo for a real example.
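The following is an added example, not Galaxy or Pulsar code, that walks through the two token checks this page relies on: the lifetime check a tool should run on the ID/access tokens Galaxy injects into its environment (the caution in "Exposing OIDC tokens in a tool"), and the authentication-then-authorization decision that the Pulsar user_auth section above configures (key lookup by kid in the JWKS, issuer/audience/expiry checks, reading the preferred_username claim, applying the username template, then the userlist rule). So that it runs offline with only the standard library, it assumes HS256 tokens and a constructed JWKS holding a symmetric "oct" key; a real provider publishes RS256 keys at oidc_jwks_url and a deployment verifies them with a JOSE library, but the sequence of checks is the same. The issuer, client id, key, user names and the treatment of oidc_username_template as a glob the username must match are all assumptions of this example, not values from the page.

```python
"""Added example (not Galaxy or Pulsar code): token checks behind the
Pulsar user_auth flow plus the tool-side expiry check.

Assumptions for an offline, stdlib-only demo: HS256 JWTs verified against
a constructed JWKS with a symmetric "oct" key (real IdPs use RS256 keys at
oidc_jwks_url); oidc_username_template treated as a glob (assumed semantics).
"""
import base64
import fnmatch
import hashlib
import hmac
import json
import time


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


# --- constructed sample data: placeholder issuer, client, key, clock ---
SAMPLE_KEY = b"constructed-32-byte-demo-secret!"
SAMPLE_KID = "demo-kid"
SAMPLE_JWKS = {"keys": [{"kty": "oct", "kid": SAMPLE_KID, "alg": "HS256",
                         "k": _b64url_encode(SAMPLE_KEY)}]}
SAMPLE_ISSUER = "https://idp.example.org/realms/demo"   # placeholder
SAMPLE_AUDIENCE = "galaxy-demo-client"                   # placeholder
SAMPLE_NOW = 1_700_000_000  # fixed clock so results are reproducible


def make_token(claims: dict, key: bytes, kid: str) -> str:
    """Mint an HS256 JWT. Only the identity provider does this in reality;
    it exists here so the demo has a token to check."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def unverified_claims(token: str) -> dict:
    """Decode the payload without checking the signature. Fine for a tool
    inspecting a token it was handed; never a basis for granting access."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def seconds_until_expiry(token: str, now=None) -> int:
    """Tool-side check: how long the injected ID or access token is still
    valid (negative once expired), so a job can fail fast or refresh."""
    now = time.time() if now is None else now
    return int(unverified_claims(token)["exp"] - now)


def verify_id_token(token: str, jwks: dict, issuer: str, audience: str, now: float) -> dict:
    """Signature (key chosen by kid from the JWKS), iss, aud and exp checks."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the accepted algorithm; never let the token's own header choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None or key.get("kty") != "oct":
        raise ValueError("no matching key in JWKS")
    expected = hmac.new(_b64url_decode(key["k"]), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature check failed")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def pulsar_user_for(token: str, allowed_users, *, username_claim="preferred_username",
                    username_template="*", now=None) -> str:
    """Authentication (type: oidc) followed by authorization (type: userlist),
    mirroring the app.yml keys above. Returns the username or raises."""
    now = time.time() if now is None else now
    claims = verify_id_token(token, SAMPLE_JWKS, SAMPLE_ISSUER, SAMPLE_AUDIENCE, now)
    username = claims.get(username_claim)  # oidc_username_in_token
    if not username or not fnmatch.fnmatchcase(username, username_template):
        raise PermissionError("username claim missing or does not match template")
    if username not in allowed_users:  # userlist_allowed_users
        raise PermissionError(f"{username} is not in userlist_allowed_users")
    return username


if __name__ == "__main__":
    tok = make_token({"iss": SAMPLE_ISSUER, "aud": SAMPLE_AUDIENCE, "exp": SAMPLE_NOW + 300,
                      "preferred_username": "alice"}, SAMPLE_KEY, SAMPLE_KID)
    print("valid for", seconds_until_expiry(tok, SAMPLE_NOW), "s; user:",
          pulsar_user_for(tok, ["alice"], now=SAMPLE_NOW))
```

The split between `verify_id_token` and the userlist check is the same split the app.yml makes between `authentication` and `authorization`: the token only ever yields a username, and a separate rule decides whether that username may run jobs. The unverified decode is deliberately a different function from the verified one, so that the tool-side expiry check cannot be mistaken for an access decision.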

note

In the future, OIDC tokens can be used for authorization and for data access as well.