Authentication and authorisation

GWDataFind servers can be operated in a number of authorisation modes depending on the access controls required.

The supported modes are detailed below.

No auth

GWDataFind servers can be operated without requiring any authorisation credentials. An example of this in production is the GWDataFind server operated for the GW Open Science Center (GWOSC):

SciTokens

GWDataFind servers may be operated with support for SciTokens, an implementation of JSON Web Tokens designed for distributed scientific computing.

When using the API, the following keyword arguments can be used with all functions to control the use of SciTokens:

token

Default: None

A bearer token (scitokens.scitokens.SciToken) to use to authorise the request.

Pass token=False to disable any use of SciTokens.

token_audience

Default: <host> (i.e. the value of the host keyword)

The expected value of the aud token claim, which should match the fully-qualified URL of the GWDataFind host.

token_scope

Default: "gwdatafind.read"

The expected value of scope token claim. At the time of writing, only "gwdatafind.read" is supported.

See also

For full details on token arguments and how they are parsed, see igwn_auth_utils.Session.

SciTokens for IGWN

SciTokens are the primary authorisation credential supported by the International Gravitational-Wave Observatory Network (IGWN), replace X.509.

If you can use scitokens instead of X.509, please do so.

For full details on SciTokens for IGWN, please see https://computing.docs.ligo.org/guide/auth/scitokens/.

X.509

GWDataFind servers may also be configured to accept X.509 certificates or proxies as authorisation credentials. This requires the X.509 credential _subject_ to be known to the server ahead of time.

When using the API, the following keyword arguments can be used to control the use of X.509 credentials:

cert

Default: the value returned by igwn_auth_utils.find_x509_credentials() (or None)

The path to an X.509 credential file.

Pass cert=False to disable any use of X.509 credentials.

Warning

X.509 as an authorisation credential is being deprecated by IGWN in favour of SciTokens.

If you can use scitokens instead of X.509, please do so.

For full details on X.509 for IGWN, please see https://computing.docs.ligo.org/guide/auth/x509/.