Authentication and Authorization

All interactions with Globus Action Providers and Globus Flows are authenticated by Globus Auth.

Tokens provided by Globus Auth authenticate the user and provide limited authorization semantics. Roles established within the Globus Flows service provide richer authorization capabilities for flows and runs.

Authentication

Globus Flows APIs require the use of OAuth2 access tokens issued by Globus Auth unless stated otherwise.

Tokens must be requested with one or more of the Globus Flows scopes listed below, or for a scope associated with a specific flow.

Once obtained, the access token needs to be passed in the Authorization header with the method Bearer:

Authorization: Bearer <access_token>

For example, using curl:

curl -H "Authorization: Bearer $TOKEN" https://flows.automate.globus.org/

Service Scopes

The following scopes are those which belong to the Globus Flows service, giving tokens with these scopes capabilities to manipulate flows and runs.

Name Scope String Definition

all

https://auth.globus.org/scopes/eec9b274-0c81-4334-bdc2-54e90e689b9a/all

Grants all capabilities of the Flows service, except those which require a flow-specific scope

manage_flows

https://auth.globus.org/scopes/eec9b274-0c81-4334-bdc2-54e90e689b9a/manage_flows

Grants ability to manage flows

view_flows

https://auth.globus.org/scopes/eec9b274-0c81-4334-bdc2-54e90e689b9a/view_flows

Grants ability to view flows

run

https://auth.globus.org/scopes/eec9b274-0c81-4334-bdc2-54e90e689b9a/run

Grants ability to run flows.

CAUTION: This scope only supports basic flows with no external action references. Most flows will require the use of Flow Scopes

run_status

https://auth.globus.org/scopes/eec9b274-0c81-4334-bdc2-54e90e689b9a/run_status

Grants ability to check the status of runs

run_manage

https://auth.globus.org/scopes/eec9b274-0c81-4334-bdc2-54e90e689b9a/run_manage

Grants ability to manage runs

Flow Scopes

In addition to the service scopes, each flow has its own scope which is named based on the flow ID.

These scopes can be requested from the flow itself or via a supported Globus SDK.

For example, to get the scope for a flow with ID f1b4c6c0-6b2d-11e9-bd8c-0a06afd4a22e using an authenticated curl and the jq tool:

curl -s -H "Authorization: Bearer $TOKEN" \
    "https://flows.automate.globus.org/flows/f1b4c6c0-6b2d-11e9-bd8c-0a06afd4a22e" \
    | jq -r '.globus_auth_scope'

Or via the globus CLI:

globus flows show "f1b4c6c0-6b2d-11e9-bd8c-0a06afd4a22e" \
    --jmespath 'globus_auth_scope' -Funix

The flow's specific scope is used to start runs of the flow.