Task-Specific Tokens
Describe an authorization pattern in which a Passport Clearinghouse on a data analysis platform or research environment issues or obtains a new token specific to the data sets referenced by the workflow, task, or interactive analysis, i.e. a task-specific token.
To obtain a task-specific token, these steps are necessary:
- Data repository: Store Researcher Passport Visas and synchronize any permissions or authorization metadata, e.g. principal groups.
- Analysis platform: Call the authorization server, specifying the researcher identity or researcher passport and the data sets needed by the task.
- Authorization server: Return token(s) that reference the authorized, referenced data.
```mermaid
sequenceDiagram
autonumber
actor RA as Researcher
participant RE as Research Environment
participant PB as Passport Broker<br>Identity Provider
participant TE as Task Execution
box Data Repository
participant AS as Authorization API
participant DS as Access API<br>e.g. FHIR
participant DR as Data Repository
end
RA->>RE: Log In
RE->>PB: Log in
PB->>RE: Authenticated
RE->>PB: Request Passport
PB->>RE: Passport (Identity and Visas)
RE->>RA: Authenticated
RA--)+RE: Start Task T
RE->>TE: What Data Does T Use?
TE->>RE: T Data Refs
RE->>AS: Passport (Identity and Visas), T Data Refs
AS->>DR: Set permissions
DR->>AS: Success
AS--)AS: Set expiration timer
AS->>RE: Task-Specific Token
RE--)+TE: Start Task T
TE--)RE: Task Execution Started
RE--)-RA: Task Execution Started
loop
TE->>DS: Request Data
DS->>DR: Request Data
DR->>DS: Data
DS->>TE: Data
end
```
The research environment has data permissions set, through the authorization API, that allow the researcher to access the needed, authorized data sets. These permissions are stored with the data repository and a token is returned. The token is small and refers to the cached set of permissions; it can then be sent in an HTTP header to authorize the requests that obtain the data.
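The following is an added, illustrative sketch of the pattern above, not code from the page or any Passport implementation: an authorization API that checks the passport's visas against the task's data refs, caches the granted permission set server side with an expiry, and hands back an opaque token that the access API validates from the `Authorization` header. Visas are modelled simply as a set of dataset identifiers, and the class and method names are assumptions.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Passport:
    """Constructed stand-in for a passport: identity plus visas (here, dataset ids)."""
    subject: str
    visas: set


@dataclass
class TaskGrant:
    """Cached permission set that a task-specific token refers to."""
    subject: str
    datasets: frozenset
    expires_at: float


class AuthorizationAPI:
    """Issues task-specific tokens; the permissions stay here, not in the token."""

    def __init__(self, ttl_seconds=3600, now=time.time):
        self._grants = {}          # token -> TaskGrant
        self._ttl = ttl_seconds    # expiration timer from the diagram
        self._now = now            # injectable clock for testing

    def issue_task_token(self, passport, data_refs):
        # Refuse outright if any referenced dataset is not covered by a visa.
        missing = set(data_refs) - passport.visas
        if missing:
            raise PermissionError(f"no visa for {sorted(missing)}")
        token = secrets.token_urlsafe(32)  # opaque, small, unguessable
        self._grants[token] = TaskGrant(
            passport.subject, frozenset(data_refs), self._now() + self._ttl)
        return token

    def authorize(self, token, dataset):
        grant = self._grants.get(token)
        if grant is None:
            return False
        if self._now() >= grant.expires_at:
            del self._grants[token]  # timer fired: evict the cached permissions
            return False
        return dataset in grant.datasets  # only data sets the task referenced


class AccessAPI:
    """Data access API (e.g. FHIR) that authorizes each request via the header."""

    def __init__(self, auth):
        self._auth = auth

    def get(self, dataset, headers):
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not self._auth.authorize(token, dataset):
            return 403, None
        return 200, f"<records of {dataset}>"
```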