Epic - Generic OAuth2/OIDC Support
Description
Currently DataFed only supports Globus for authorization, and only generic user/pass authentication for the Python API. This needs to be updated to support OAuth2/OIDC from an arbitrary provider for both authorization and authentication, for three reasons: Metadata Mode will not require Globus at all, other organizations may use their own IdP solution, and as DataFed we do not want to be responsible for storing user passwords with basic authorization for the Python API. The basic authorization will be replaced with the OAuth2 device authorization flow. The current plan is to implement this feature in the new Rust backend and proxy responses to the Core API so that we can start to move into the new backend incrementally.
PingFederate has been selected as the IdP that we will officially support and provide configuration for; however, any IdP that is properly configured should suffice, and documentation will be provided on what configuration is necessary.
Acceptance Criteria
- [ ] Reliance on Globus authorization removed
- [ ] Generic OAuth2 Support added
- [ ] Device Authorization Flow implemented and tested
- [ ] Unit/End-to-end tests implemented
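
For reference, the client-side polling step of the OAuth2 device authorization flow (RFC 8628) that would replace stored passwords in a Python client, as an added example and not DataFed code. It goes beyond the description by showing the RFC's `authorization_pending`, `slow_down` and expiry handling; `poll_for_token`, `FakeIdP`, the client id and the `idp.example` URLs are hypothetical, and the IdP replies are constructed so it runs offline.

```python
import time

GRANT = "urn:ietf:params:oauth:grant-type:device_code"

class DeviceFlowError(Exception):
    """Terminal failure: access_denied, expired_token, or a malformed reply."""

def poll_for_token(post, token_url, client_id, device, sleep=time.sleep, now=time.monotonic):
    """Poll the token endpoint until the user approves, denies, or the code expires."""
    interval = device.get("interval", 5)       # RFC 8628 default when omitted
    deadline = now() + device["expires_in"]    # never poll past the code's lifetime
    while now() < deadline:
        sleep(interval)
        body = post(token_url, {"grant_type": GRANT, "client_id": client_id,
                                "device_code": device["device_code"]})
        if "access_token" in body:
            return body                        # no password ever reached the client
        err = body.get("error")
        if err == "authorization_pending":
            continue                           # user has not finished at the IdP yet
        if err == "slow_down":
            interval += 5                      # back-off required by the RFC
            continue
        raise DeviceFlowError(err or "malformed token response")
    raise DeviceFlowError("expired_token")

class FakeIdP:
    """Constructed stand-in for an IdP: scripted replies and a virtual clock."""
    def __init__(self, script):
        self.script, self.waits, self.clock = list(script), [], 0.0
    def post(self, url, form):
        return self.script.pop(0)
    def sleep(self, seconds):
        self.waits.append(seconds)
        self.clock += seconds
    def now(self):
        return self.clock

def demo():
    idp = FakeIdP([{"error": "authorization_pending"}, {"error": "slow_down"},
                   {"access_token": "constructed-token", "token_type": "Bearer"}])
    device = {"device_code": "constructed-device-code", "user_code": "WDJB-MJHT",
              "verification_uri": "https://idp.example/device",
              "expires_in": 600, "interval": 5}   # constructed sample response
    token = poll_for_token(idp.post, "https://idp.example/token", "datafed-cli",
                           device, idp.sleep, idp.now)
    return token["access_token"], idp.waits

if __name__ == "__main__":
    print(demo())
```

In a real client, `post` would be an HTTPS form POST to the IdP's token endpoint, and the `user_code` and `verification_uri` would be shown to the user before polling starts.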