Globus Auth User Guide

In today’s research computing landscape, scientists and researchers often need to access data and computational resources across multiple institutions and facilities. Each organization typically maintains its own authentication system, creating a complex web of credentials and permissions that users must navigate. Globus Auth solves this challenge by serving as a trusted intermediary that brokers secure interactions across the entire ecosystem.

Globus Auth is a comprehensive OAuth 2.0 authorization and OpenID Connect (OIDC) 1.0 authentication service that connects users, applications, APIs, and automation agents in a seamless and secure manner. Rather than requiring users to create yet another username and password, Globus Auth works with existing institutional credentials, allowing researchers to authenticate once and access multiple services.

The power of Globus Auth lies in its flexibility and standards-based approach. It’s not just for Globus services—anyone can use it to secure their own APIs and applications. This makes it particularly valuable for collaborative science projects where researchers need to share data and computational resources across organizational boundaries.

Key Features:

Built on OAuth 2.0 and OIDC 1.0 standards, compatible with modern web applications
Standalone service available to anyone for securing APIs and applications
Web-first design using REST APIs and JSON Web Tokens (JWTs) for easy integration
Support for federated authentication across hundreds of institutions worldwide

Auth Documentation: https://docs.globus.org/api/auth/
Python SDK: https://globus-sdk-python.readthedocs.io/en/stable/services/auth.html
JavaScript SDK: https://github.com/globus/globus-sdk-javascript#readme

Table of Contents

How Globus Auth Works
Authentication Framework
- OAuth 2.0 Implementation
- OpenID Connect Support
Federated Authentication
- Supported Identity Providers for Login
- Non-login Identity Providers
Getting Started
Building Client Applications
Securing APIs
Advanced Features
Token Operations
- Token Types
- Token Lifecycle
Best Practices
Additional Resources
Support

How Globus Auth Works

Understanding how Globus Auth operates helps demystify the authentication and authorization process. At its core, Globus Auth acts as a trusted broker between users who want to access resources and the APIs that control those resources. This brokering model means that your API never needs to handle user passwords directly—a significant security advantage.

The basic flow involves the following steps:

Login and consent - A user authenticates with their home institution (or another identity provider) and Globus Auth receives an ID token. This token asserts the user’s identity, and any attributes the identity provider sends to Globus Auth. The user is then presented with a consent prompt to allow the web application to access the API on their behalf.
Issue access tokens - Once a consent is in place, Globus Auth issues an access token. This token is scoped for use by the web application to access specific APIs (token scope) on behalf of the user.
API Call with Token - When the application needs to access an API on behalf of the user, it includes this token in the request.
Validate Token - The API receiving the request doesn’t blindly trust the token. Instead, it asks Globus Auth to verify that the token is valid, hasn’t expired, and was actually issued for this specific API. Globus Auth responds with the user’s identity and the consent they’ve granted for the application to access the service on their behalf.
API Response - With the token validated and the user’s permissions confirmed, the API can safely process the request and return the appropriate data or perform the requested action.

This pattern might seem complex at first, but it provides several crucial benefits: users don’t need to share their passwords with every application they use, applications don’t need to implement their own authentication systems, and APIs can trust that the requests they receive are legitimate without maintaining their own user databases.

Authentication Framework

OAuth 2.0 Implementation

OAuth 2.0 has become the industry standard for authorization on the web, and for good reason. It provides a secure way for applications to access resources on behalf of users without ever seeing their credentials. Globus Auth implements the OAuth 2.0 specification with some enhancements for handling multiple identities for a user, and service to service call chains. Globus Auth allows users to grant specific, limited permissions to applications. Users maintain control over what each application can do on their behalf, and they can revoke those permissions at any time.

Globus Auth provides a complete OAuth 2.0 service with:

Secure API access using access tokens - These short-lived credentials prove that a user has authorized an application to act on their behalf
End-user consent at the core of the protocol - Users explicitly see and approve what permissions they’re granting
Multiple token grant methods for different scenarios, whether you’re building a web portal, a command-line tool, or an automated workflow system
Refresh tokens for long-term asynchronous operations - Essential for scientific workflows that might run for hours, days, or even weeks
Dependent tokens for secure API-to-API communication - Allows your API to call other APIs while maintaining the security chain
Self-service registration - Developers can register their APIs and applications without requiring manual approval processes

OpenID Connect Support

While OAuth 2.0 handles authorization (what you’re allowed to do), OpenID Connect (OIDC) adds a standardized layer for authentication (who you are). This distinction is important: just because an application knows what permissions you’ve granted doesn’t necessarily mean it knows your identity or how you authenticated.

Globus Auth implements OIDC 1.0 to provide rich identity information:

Federated authentication support - Users can authenticate with their home institution’s credentials, whether that’s a university, a national laboratory, or another trusted organization
ID token issuance - Applications receive standardized tokens containing identity information that has been cryptographically signed by Globus Auth
No new credential creation - Globus Auth never asks users to create a new password. Instead, it leverages existing institutional credentials, reducing password fatigue and security risks
Rich identity attributes - Applications can learn not just who the user is, but also when they authenticated, what method they used (including whether multi-factor authentication was employed), and what linked identities they might have

Federated Authentication

One of the most powerful features of Globus Auth is its support for federated authentication. In a federated model, users don’t authenticate directly with Globus—instead, they authenticate with their home institution or another trusted identity provider, and that provider vouches for their identity to Globus Auth. This creates a chain of trust that respects organizational boundaries while enabling seamless access across them.

The beauty of federation is that it leverages existing investments in identity management. Universities and research institutions have already spent considerable effort managing their user directories, implementing multi-factor authentication, and establishing security policies. Globus Auth builds on top of this infrastructure rather than replacing it.

Supported Identity Providers for Login

Globus Auth integrates with a diverse ecosystem of identity providers to meet researchers where they are:

InCommon/eduGAIN - This is the primary federation for academic and research institutions. Through CILogon, which translates between SAML (the protocol many institutional enterprise IdPs use) and OIDC (the standard that Globus Auth uses), thousands of institutions worldwide can authenticate their users with Globus Auth. If your institution is part of InCommon or the global eduGAIN federation, your users can log in with their campus credentials.

Direct Institutional IdPs - 50+ research facilities have established direct integration with Globus Auth instead of participating in InCommon. These organizations provide OIDC authentication interfaces rather than SAML, which is required by InCommon.

Identity Providers of Last Resort- Recognizing that not everyone has access to an institutional identity, Globus Auth also supports a few widely-used identity providers:

Google - Useful for individual researchers and small teams
ORCID - The scholarly identifier used by researchers worldwide, making it particularly relevant for academic collaborations
GitHub - Popular among computational scientists and developers

This multi-provider approach ensures that virtually anyone who needs to participate in scientific collaboration can authenticate in a way that makes sense for them.

Non-login Identity Providers

Globus Auth enables institutions to integrate their own identity providers with specific resources they deploy. These providers use the OpenID Connect (OIDC) protocol, but are not permitted for logging into Globus services themselves.

For example, consider a department that wishes to secure access to a specialized resource. The department may operate an identity provider linked to its own authentication system—such as LDAP—and manage an OIDC server for handling user authentication. By registering this OIDC server with Globus Auth, the department ensures that users must authenticate with its identity provider to access departmental resources.

In practice, a user first signs in to Globus using one of the more than 2,000 supported identity providers. However, when the user tries to access a department-specific resource, they are prompted to authenticate again—this time using the department’s designated identity provider. This approach allows institutions to retain control over access to their own resources, while Globus continues to manage service-level authentication separately.

Getting Started

Starting with Globus Auth doesn’t require a massive upfront investment. You can begin with a small proof of concept, learn the patterns, and gradually expand your integration as you understand the system better. Here’s a practical path forward:

1. Create a Globus Account

If you don’t already have one, start by creating a Globus account at https://www.globus.org/. You can authenticate with your institutional credentials if your organization is federated with Globus, or use Google, ORCID, or GitHub. This gives you access to the Globus developer console where you’ll register your applications and APIs. (Click Settings → {} Developers.) Take some time to explore the console and familiarize yourself with the interface—understanding where things are will save time later.

2. Register your application or API

Use the Globus Auth developer console to register your project. Start with the basics: give your application a clear name and description that users will see when granting consent. If you’re building a confidential client (a backend application that can store secrets securely), you’ll receive a client secret—store this securely immediately. For public clients like browser-based applications, you’ll configure your application without a secret.

Think carefully about your redirect URIs at this stage. For development, you’ll want localhost URIs, but plan ahead for production deployment. It’s frustrating to realize you need to update your registration every time you change hosting configurations, so consider using configuration that will remain stable.

Refer to sections on building client applications, or securing APIs, later in the document for details.

3. Review documentation

Before diving into implementation, spend time with the documentation at https://docs.globus.org/getting-started/developers/. The developer guide walks through common patterns and includes code examples in multiple languages. The reference documentation provides detailed specifications for every API endpoint and token claim. Understanding the conceptual model before you start coding will save hours of debugging later. Pay particular attention to the sections on the authentication flow you’ll be using—the authorization code flow for web applications, PKCE for public clients, or client credentials for application-level access.

4. Implement your authentication flow

Start with a minimal implementation that just handles authentication and token acquisition. Don’t try to build your full application logic while also learning OAuth—get authentication working first in isolation. Many developers find it helpful to build a simple test application that does nothing but authenticate users and display the tokens it receives. This lets you verify that your OAuth implementation is correct before adding the complexity of your actual application logic.

For web applications, implement the full redirect flow: redirecting users to Globus Auth, handling the callback with the authorization code, exchanging the code for tokens, and storing the tokens securely in your session. For API development, implement token introspection and claim validation. Make sure you’re checking all the claims that matter, not just token expiration.

Refer to sections on building client applications, or securing APIs, later in the document for details. Also, refer to the advanced features section to learn about other capabilities you can use to secure your application or services.

5. Test your integration

Testing OAuth flows requires some creativity since they involve browser redirects and user interaction. Start by testing with your own account in different scenarios: fresh authentication with no existing session, authentication when you already have a session, and authentication after clearing your Globus Auth session to force re-authentication. Test the consent flow by requesting different scopes and verifying that users see appropriate consent screens.

If you’ve implemented token refresh, test that explicitly by waiting for an access token to expire (or by manipulating token lifetimes in your code during testing) and verifying that refresh works correctly. Test error cases too: what happens if a refresh token is invalid or expired? Does your application handle this gracefully?

For API testing, verify your token validation logic by presenting intentionally invalid tokens: expired tokens, tokens meant for different APIs, tokens without required scopes. Your API should reject all of these with appropriate error messages.

As you gain confidence, expand your testing to include edge cases: users with multiple linked identities, users who cancel the consent screen, network failures during token operations. Production systems need to handle these situations gracefully, so test them during development when debugging is easier.

Consider building automated tests for your OAuth implementation, but recognize that testing OAuth flows is challenging because they involve browser redirects and user interaction. Many developers use a combination of unit tests (for token validation logic), integration tests (for API calls with test tokens), and manual testing (for the full authentication flow).

Remember that testing with Globus Auth is testing against a real service, not a mock. Be respectful of the service: don’t hammer it with thousands of rapid requests during testing. If you need high-volume testing, contact Globus support to discuss appropriate approaches.

Building Client Applications

If you’re developing an application that needs to access Globus Auth secured APIs, the registration process is similar to securing an API but instead of validating incoming tokens, you’re obtaining tokens on behalf of your users. The authentication flow you choose depends critically on what kind of application you’re building. For example, a web application, command line client or automation script all have different security and interaction modalities.

Following are some of the actions any client application does to access the service:

Obtain client tokens - access tokens for APIs with the application’s identity
Obtain user tokens - ID, access, refresh tokens for APIs w/user’s identity
Obtain and use refresh tokens to replace expired access tokens
Logout - revoke tokens and close session

Step 1: Register Your Application

Application registration establishes your application’s identity in the Globus Auth ecosystem. This is more than just administrative bookkeeping—it’s how Globus Auth knows which authentication flows your application is allowed to use and what security controls should apply. Additionally, the application’s identity can be granted permissions within the Globus ecosystem, for cases where the application can act as itself.

When you register, you’ll configure:

A unique client ID - Your application’s identity
Secret - For confidential clients (applications that can securely store secrets), you’ll manage credentials that prove your application’s identity
Team role assignments - Delegate management responsibilities to other developers
Authentication preferences - Configure how you want authentication to work for your users
Authentication policies - Set requirements like MFA or domain restrictions that users must satisfy

In some cases, the registration process also involves declaring your redirect URIs—the URLs where Globus Auth should send users after they’ve completed authentication. This is a crucial security control: by pre-registering these URIs, you prevent attackers from intercepting authentication responses by tricking the system into sending tokens to malicious sites.

App Registration: https://docs.globus.org/api/auth/developer-guide/#register-app

Step 2: Choose Your Authentication Flow

Not all applications are created equal from a security perspective. A web application running on a server you control can keep secrets secure in ways that a browser-based application or mobile app simply cannot. OAuth 2.0 recognizes these differences and provides different authentication flows optimized for each scenario.

The table show two scenarios for each type of application: a) where the application has to act as itself (application authentication), and (b) where the application acts on behalf of the user (user authentication)

Type of application	Description	Application authentication	User authentication
Hosted web application	Execute on a web server (backend apps)	Client credential grant	Authorization code grant
Web clients	Clients that are distributed and execute in browser (front end apps)	OAuth public client	PKCE
Thick clients	Command line scripts/mobile apps	Client credential grant	PKCE

Hosted Web Applications (Backend Applications)

These are traditional web applications where the application logic runs on your servers. Users interact with your application through their browser, but the critical OAuth operations happen server-side where you can protect credentials. For these applications:

App Authentication uses Client Credentials Grant - When your application needs to act as itself (not on behalf of a user), it uses its client ID and secret to obtain tokens directly.
User Authentication uses Authorization Code Grant - When a user needs to authenticate, your application redirects their browser to Globus Auth. After authentication and consent, Globus Auth redirects back to your application with an authorization code. Your server then exchanges this code for tokens in a secure server-to-server request that includes your client secret. Because the tokens are obtained server-side, they never pass through the user’s browser where they could be intercepted.

Distributed Web Clients (Frontend/Browser Applications)

Single-page applications and modern JavaScript frameworks present a security challenge: all their code runs in the user’s browser, where anyone can inspect it. This means you can’t securely embed a client secret in the application—it would be visible to anyone who looked. For these applications:

App Authentication uses OAuth Public Client - These applications register as "public clients" that don’t have secrets. They’re identified solely by their client ID.
User Authentication uses PKCE (Proof Key for Code Exchange) - This is a variant of the authorization code flow designed specifically for public clients. The application generates a random secret for each authentication attempt, proving that the same client that started the authentication flow is the one completing it. This prevents certain types of attacks that public clients would otherwise be vulnerable to.

Thick Clients (Command Line and Mobile Applications)

Command-line tools, scripts, and mobile applications combine challenges from both web scenarios. Like browser apps, they often can’t securely store secrets (especially if distributed to users). But unlike browser apps, they don’t have the benefit of a web server to handle redirects. For these applications:

App Authentication uses Client Credentials Grant - If the application can securely store secrets (perhaps in a protected configuration file on a managed system), it can use client credentials like a backend application.
User Authentication uses PKCE with additional considerations - PKCE works for these clients, but the redirect flow is more complex. The application might need to open a web browser for authentication, then capture the redirect through a local web server or custom URL scheme.

Choosing the right flow isn’t just about what’s technically possible—it’s about matching your application’s security characteristics with the appropriate OAuth pattern. Using the wrong flow can expose your users to security risks.

Step 3: Obtain User Tokens

The moment when a user authenticates is critical, and the application obtains the user token from Globus Auth and uses it to access the API. Understanding the user authentication flow helps you design better user experiences and handle edge cases gracefully. The complete user authentication flow unfolds like a carefully choreographed dance between your application, the user’s browser, and Globus Auth, shown in Figure 1.

Figure 1. A person logs into a web application that requires a token for "MY_API." The person selects her home institution for authentication and grants her consent for the application to use MY_API on her behalf. The web application receives the person’s identity information and an access token for MY_API.

This flow might seem elaborate, but each step serves a purpose. The indirection through Globus Auth ensures that your application never handles user credentials directly. The consent step gives users control over their data. The session and policy checks ensure that security requirements are consistently enforced.

Token Management: https://docs.globus.org/api/auth/developer-guide/#obtaining-authorization

Step 4: Obtain Application Tokens

While much of OAuth focuses on accessing resources on behalf of users, applications sometimes need to act as themselves. Consider a background job that processes data overnight, an administrative tool that manages application-level resources, or a service that aggregates information from multiple users' data.

For these scenarios, applications with private storage (confidential clients) can use the OAuth client credentials grant. This is conceptually simpler than user authentication because there’s no user involvement—the application authenticates directly with Globus Auth using its client ID and secret. The identity of the application in the Globus ecosystem is clientid@clients.auth.globus.org .

When obtaining application tokens:

Request the scopes you need - Just like with user tokens, you specify which APIs you want to access and what permissions you need
Receive tokens with application identity - The tokens you receive have your application’s client ID as the subject, not a user
Act as the application - These tokens prove your application’s identity, so any API you call will see the request as coming from your application
Ensure proper permissions - Because the subject is your application, any resources you access must have explicitly granted permissions to your application’s client ID

This distinction between acting on behalf of users and acting as yourself is fundamental to building secure multi-tenant applications. Application tokens are perfect for operations that are conceptually owned by the application itself, while user tokens should be used for any operation that involves user-specific data or permissions.

Client Credentials: https://docs.globus.org/api/auth/reference/#client_credentials_grant

Securing APIs

If you’re building a service (an API), securing it properly is essential but can be daunting. Globus Auth simplifies this process by handling the complex parts of authentication and authorization, allowing you to focus on the unique logic of your API. The process involves four key steps, each building on the previous one to create a robust security model.

Step 1: Register Your API

Before your API can use Globus Auth, you need to introduce it to the system through registration. This is similar to getting a business license—it establishes your API’s identity in the ecosystem and allows you to configure how it will interact with users and other services. You’ll use the Globus web application (www.globus.org) to perform this registration.

During registration, you’ll obtain:

A unique client ID - This serves as your API’s identity in all interactions with Globus Auth.
Secret - For APIs that need to authenticate themselves (as opposed to acting on behalf of users), you’ll manage secrets that prove your API’s identity.
Role-based management access - You can grant other team members permission to manage your API’s registration without sharing credentials.
Scope definitions - Scopes are the language of permissions in OAuth 2.0. When you define scopes like "read_data" or "submit_jobs", you’re creating the permissions that users can grant to applications. Each scope should represent a meaningful action that your API can perform.
Dependent scope registration - If your API needs to call other APIs (a common pattern in microservice architectures), you register those dependencies here. This creates a chain of consent where users know exactly what resources will be accessed.
Authentication policy configuration - This is where you configure authentication requirements for your service with Globus Auth, so the service can facilitate user interactions to meet that policy, and support enforcement by the service.

The authentication policies you can configure include:

Domain restrictions - You might require that users authenticate from specific institutions, or conversely, exclude certain domains due to policy requirements. This configuration take a pattern (e.g. include *.gov, exclude *.com)
Authentication timeout - You might require that users have authenticated within a configured timeframe, ensuring that the last authentication time meets required policy
Multi-factor authentication requirements - Modern security often demands MFA, and you can make this a hard requirement for your API.

The power of registering these policies with Globus Auth is that the system both facilitates users meeting these from the client application, and enforces them automatically. You don’t need to write code to check whether a user authenticated recently enough or used MFA—Globus Auth handles that before the request even reaches your API.

Step 2: Validate Access Tokens

When a request arrives at your API, it will include an access token in the HTTP header. This token is a compact, cryptographically signed package of information, but you shouldn’t blindly trust it. Token validation is where you ensure that the request is legitimate.

The validation process follows a clear pattern:

Extract the token from the Authorization header (typically formatted as "Bearer")
Call Globus Auth’s token introspection endpoint with the token
Examine the returned claims to make your authorization decision

The claims you’ll check include:

Issuer (iss) - Confirms the token was actually issued by Globus Auth,
Timing claims (iat, nbf, exp) - These tell you when the token was issued, when it becomes valid, and when it expires. Expired tokens should never be accepted, even if they were once valid.
Audience (aud) - This is critical: it confirms the token was issued specifically for your API. A token meant for a different API should not grant access to yours, even if it was issued to the same user.
Scopes - These tell you what actions the user has consented to. If a token has the "read_data" scope but not "delete_data", you should only allow read operations.

Globus Auth does more than just return these claims—it also validates the token against any authentication policies you registered. If your policy requires MFA and the user’s session didn’t include MFA, Globus Auth will indicate this in the introspection response, allowing you to deny access appropriately.

Since an API is likely to receive multiple calls with the same access token, it is a good practice to cache the introspection result for a short period of time (1-5 minutes). But don’t hold on to a result too long or the API may miss state changes, such as a logout or a consent revocation.

Token Introspection Reference:
https://docs.globus.org/api/auth/reference/#token-introspect

Step 3: Get User Authentication Context

With a valid token in hand, you now need to make authorization decisions based on who the user is and how they authenticated. The token provides rich context beyond just a user ID.

The key information you can extract includes:

Subject (sub) - This is the primary user identifier, uniquely identifying who is making the request
Session information - This tells you the story of how the user authenticated: which identity provider they used, what time they logged in, and crucially, what authentication methods were employed
Identity set - This is where things get interesting for research computing. A single researcher might have multiple institutional affiliations, and the identity set claim lists all the identities they’ve linked together. This means that even if they authenticated with their university credentials, you can see that they also have a linked identity at a national laboratory where they might have additional access rights.
Custom claims - Other services in the ecosystem can add their own information to tokens, creating a rich context for authorization decisions

This contextual information enables sophisticated authorization logic. For example, you might allow users from any institution to read data, but restrict job submission to users who have authenticated with MFA from specific facilities within the last 30 minutes. All of this information is readily available in the token without requiring additional database lookups or API calls.

Step 4: Access Dependent Services

Modern APIs rarely work in isolation. Your API might need to store results in a cloud storage service, send notifications through a messaging API, or submit jobs to a compute cluster. Each of these dependent services has its own security requirements, and naively passing your user’s token around creates security problems.

This is where dependent tokens shine. When you registered your API, you declared which other services you need to access. When your API receives a valid token, it can request dependent tokens specifically for those services.

The flow works like this:

User consent is collected upfront - When users first consent for an application to use your API, they see not just your API’s scope, but also the scopes of all dependent services you’ll access.
Request dependent tokens as needed - When processing a request, your API calls Globus Auth’s dependent token grant endpoint, presenting the user’s token and requesting tokens for the specific dependent services it needs to access.
Cache tokens briefly - As with token introspection above, your API should cache these dependent tokens for a short period (1-5 minutes) to handle multiple requests efficiently.
Security through token scoping - Each dependent token is scoped specifically to the service chain it’s part of. This means if your API is compromised, the exposed tokens can’t be used beyond their intended context.

This pattern might seem complex, but it solves a critical problem in distributed systems: how to maintain the chain of authorization as requests flow through multiple services. The alternative—having your API use its own credentials to access dependent services—would lose the user context entirely and couldn’t enforce user-specific permissions.

Advanced Features

The core OAuth and OIDC functionality of Globus Auth covers the fundamental needs of most applications, but scientific computing often presents unique challenges that require more sophisticated solutions. Globus Auth includes several advanced features designed specifically for the complex, multi-institutional world of scientific collaboration.

Identity Linking

In an ideal world, each person would have exactly one digital identity that worked everywhere. Reality is far messier, especially in research where a single scientist might have credentials at their home university, one or more national laboratories, their funding agency, and various other institutions. Traditionally, systems force users to pick one identity and stick with it, which inevitably causes problems when they need to access resources associated with a different identity.

Identity linking solves this by allowing users to explicitly connect their various identities into a cohesive set. Think of it as a credential wallet where all your different ID cards are kept together, and you can present whichever one is appropriate for the situation.

How identity linking works in practice:

User-assembled identity sets - Users authenticate with multiple identity providers over time, and Globus Auth remembers that these different identities all belong to the same person
Primary identity selection - Users designate one identity as primary, which serves as their canonical identifier
Rich token claims - When applications receive tokens, they can see not just the identity the user authenticated with, but their entire linked identity set
Application flexibility - Applications decide how to use this information. Some might grant access based on any of the linked identities, while others might specifically look for identities from particular domains

Consider a common scenario: A researcher at the University of Chicago collaborates with colleagues at a national laboratory. The data they’re working with lives at the lab and is protected by access controls that only recognize lab identities. Traditionally, the researcher would need to obtain a separate account at the lab, log in separately, and somehow manage permissions across two disconnected systems. With identity linking, the researcher links their university identity with their lab identity. When they authenticate with their university credentials, applications can see that they also have a lab identity and grant appropriate access to lab resources.

This becomes even more powerful when you consider that the researcher might publish data on a repository that knows them by their ORCID, submit compute jobs to a facility that knows them by their ACCESS ID, and collaborate through a portal that knows them by their GitHub account. Rather than maintaining separate workflows for each context, identity linking creates a unified experience.

Use case example: A data transfer service might show that source data at the lab requires authentication with a lab identity, while the destination repository accepts university credentials. The service can intelligently guide the user: "You’re authenticated with your University of Chicago ID, but this data source requires your lab identity. Click here to authenticate with your lab credentials, and we’ll link them together for future use."

Identity Management: https://docs.globus.org/api/auth/reference/#get_identities_resource

Authentication Policies and Identity Preferences

Globus provides built-in solutions for some of the most common policy requirements. This enables application developers to configure the policy requirement in Globus and ask Globus to enforce it, rather than writing enforcement code themselves. Applications may configure identity preferences, informing Globus which identities the application prefers Globus to return to the application. Applications may also configure authentication policies, adding requirements for the authentication such as MFA and allowed/prohibited identity domains.

Identity Preferences:

Prefer the effective ID (the identity the person actually authenticated with)
Prefer the primary ID (the person’s self-selected primary identity)
Required domain (the person’s identity from a domain specified by the application)

If a required domain is configured, authentication will only succeed if the person has an identity in the required domain. Individuals without accounts in that domain will be unable to login to the application.

Authentication Policies:

MFA requirements
Required or prohibited identity domains

Policy Configuration: https://docs.globus.org/api/auth/developer-guide/#authentication-policies

Authentication Session Context

To support cases where applications or APIs need to make customized policy decisions, Globus provides the context (details) of the authentication session. The token introspection result includes the following attributes for each authentication in the session. (Sessions may include multiple authentication events.)

Identity provider used
Identity returned
Authentication timestamp
Authentication method (including MFA details)

Enable enforcement of custom policies:

"Must have authenticated within last 30 minutes"
"Must have used MFA"
"Must have authenticated with identity X, with MFA, within the last 90 minutes"

Figure 2. Example authentication context showing a multi-factor authentication with University of Chicago and a later authentication (without MFA information) with Argonne LCF.

Session Info Reference: https://docs.globus.org/api/auth/sessions/

Third-Party Attribute Assertions (Preview)

Globus currently has a feature in its preview environment that allows assertions from other systems to be embedded in Globus tokens. An application or API may be configured to require an attribute from a specific service, either via a scope request or client registration. When a login flow is performed, Globus will complete the authentication and then guide the person to the other service’s login interface. Globus will embed the resulting assertions or tokens into the identity data returned to the application or API.

Examples:

NIH Researcher Auth Service (RAS)
ALCF Inference Service test API (see Figure 2)

Figure 3. After logging in using Globus and the Argonne Identity Provider, Globus obtains additional attributes from the ALCF OIDC Server and embeds them in the end user’s token so they may be used for policy enforcement by the ALCF Facility API.

Token Operations

Understanding how to work with tokens effectively is essential for building robust applications. Tokens are the currency of OAuth-based systems—they represent authorization and carry identity information. But they’re not all the same, and knowing which token to use when, and how to manage their lifecycles, is crucial for both security and user experience.

Token Types

OAuth and OIDC define several token types, each serving a different purpose:

Access Tokens - These are the workhorses of the OAuth system. An access token is a credential that proves a user (or application) has been authorized to access specific resources. They’re typically short-lived—often expiring after an hour or less—which limits the damage if one is compromised. Access tokens should be treated like cash: whoever possesses one can use it, so protect them carefully. Unlike some OAuth implementations that use opaque tokens (random strings with no inherent meaning), Globus Auth uses JWTs for access tokens, which means they contain information that can be inspected by APIs without needing to call back to Globus Auth for every validation.

Refresh Tokens - Scientific workflows often run for extended periods—hours, days, or even weeks. Access tokens expire relatively quickly for security reasons, but requiring users to re-authenticate every hour would be disruptive. Refresh tokens solve this problem. A refresh token is a long-lived credential that can be used to obtain new access tokens without requiring user interaction. Think of an access token as a day pass to a facility, while a refresh token is a membership that lets you get new day passes whenever you need them. Refresh tokens are more powerful than access tokens, so they require more protection. They should be stored securely and never exposed in browser-based applications.

ID Tokens - This is where OpenID Connect extends OAuth 2.0. While access tokens prove authorization, ID tokens prove identity. An ID token is a signed assertion from Globus Auth about who the user is, when they authenticated, and how they authenticated. Applications use ID tokens to establish user sessions, not to access APIs. The distinction matters: you wouldn’t present an ID token to an API (it wouldn’t accept it), and you wouldn’t use an access token to determine a user’s identity (it’s not designed for that purpose, even though it contains identity information).

Token Lifecycle

Tokens have a natural lifecycle that your application needs to manage:

Obtaining tokens - This happens through the various grant flows we’ve discussed: authorization code for user authentication, client credentials for application authentication, refresh token for renewing expired tokens, and dependent token grant for API-to-API calls. Each grant flow returns a specific set of tokens appropriate for the use case.

Using tokens - Access tokens are included in API requests, typically in the Authorization header as "Bearer". The word "Bearer" signifies that whoever possesses the token is authorized to use it—there’s no additional proof of identity required. This is why tokens must be kept confidential.

Refreshing tokens - When an access token expires, you don’t need to interrupt the user and ask them to log in again. Instead, you use the refresh token to request a new access token. This is a simple API call to Globus Auth that exchanges the refresh token for a new access token (and usually a new refresh token as well, though some implementations reuse the refresh token). This process is transparent to the user—they continue working uninterrupted while your application handles the token refresh in the background.

Revoking tokens - When a user logs out, or when your application no longer needs access, tokens should be explicitly revoked. This is more than just deleting them from your local storage—you should call Globus Auth’s token revocation endpoint to invalidate them server-side. This ensures that even if an access token was somehow copied or leaked, it can’t be used after logout. Token revocation also provides a way to respond to security incidents: if you discover that tokens might have been compromised, you can revoke them immediately without waiting for them to naturally expire.

The lifecycle management becomes particularly important in long-running applications. A data transfer job might run for hours, periodically needing to refresh its access token to maintain access to source and destination storage. A compute job might run for days, requiring careful token management to ensure it can write results when it finally completes. Proper lifecycle management—obtaining tokens only when needed, refreshing them before they expire, and revoking them when done—is the mark of a well-designed application.

Token Reference: https://docs.globus.org/api/auth/reference/#tokens

Best Practices

Building secure, usable applications with Globus Auth requires more than just understanding the technical specifications. These best practices, drawn from real-world experience, help you avoid common pitfalls and build applications that are both secure and pleasant to use.

Cache token introspection results and dependent tokens for 1-5 minutes to reduce overhead - Every token introspection and dependent token request involves network communication with Globus Auth, which adds latency to your API calls. If your API makes multiple API calls while processing a single user request, fetching new dependent tokens for each call creates unnecessary overhead. By caching tokens for a short period (typically 1-5 minutes), you amortize the cost of token acquisition across multiple requests. However, don’t cache too long: part of the security model is that tokens are scoped to specific request chains, and caching beyond a few minutes starts to undermine that security boundary. Find the balance that provides good performance while maintaining security.

Validate all token claims before processing requests - When an API receives a token, it’s tempting to trust it after checking just the expiration time. Don’t. Validate every claim that matters for your security model: Is the issuer correct? Is the audience your API? Are the required scopes present? Does it satisfy any authentication policies you depend on? Skipping validations creates security vulnerabilities. An attacker might present a token meant for a different API, or a token that was issued before you added new security requirements. Comprehensive validation ensures that every request meets your current security standards.

Use authentication policies to simplify security logic - It’s easy to write complex application code that checks whether users used MFA, authenticated recently enough, or came from approved institutions. But this code is error-prone, hard to test, and often inconsistent across applications. Instead, register your requirements as authentication policies with Globus Auth. The system enforces them automatically and consistently, and your application logic becomes simpler: if you receive a valid token, you know the policies were satisfied. This shifts security enforcement from application code (where it’s easy to get wrong) to the authentication service (which does nothing but enforce security policies).

Leverage identity linking for cross-system user recognition - Research collaboration inevitably involves users who are known by different identities in different contexts. Rather than forcing users to pick one identity and dealing with the inevitable access problems when they need to use resources associated with a different identity, embrace identity linking. When checking permissions, consider the user’s entire linked identity set, not just the specific identity they authenticated with. This creates a smoother user experience and reduces support burden from access problems.

Implement proper token storage for confidential clients - If your application has a client secret, protecting it is paramount. Never embed secrets in browser-based applications or mobile apps that are distributed to users—anyone can inspect the code and extract them. For backend applications, store secrets in configuration files with restricted file system permissions, environment variables, or better yet, in a secure secrets management system. Rotate secrets periodically and have a plan for responding if one is compromised. The security of your entire application rests on keeping that secret confidential.

Use refresh tokens for long-running operations - Scientific workflows don’t always complete quickly. A data transfer might take hours, a compute job might run overnight, or a complex analysis pipeline might execute across several days. Design your applications to use refresh tokens from the start, even if your initial use cases seem short-lived. When access tokens expire, refresh them automatically rather than failing the operation. This requires careful programming—you need to detect token expiration, request a new token, retry the failed operation, and handle any errors in this process gracefully. But the alternative is worse: operations that mysteriously fail hours into execution because nobody thought about token lifetime.

Register authentication requirements rather than implementing custom checks - Every time you write code to check something about authentication (Did they use MFA? Which institution did they come from? How recently did they log in?), you’re creating maintenance burden and potential security holes. Globus Auth’s authentication policies and session context provide the information you need without requiring you to implement the checks. Register what you require, trust that Globus Auth enforces it, and use session context when you need to implement custom logic. This declarative approach is more maintainable and more secure than imperative checking in application code.

Design for token expiration from day one - It’s tempting to build your initial prototype without handling token refresh, planning to "add that later." Don’t. Token expiration will happen in production, and if your application isn’t prepared for it, it will fail in ways that are hard to debug. Build token refresh into your error handling from the beginning. When an API call fails with an authentication error, check if your token has expired. If it has, try to refresh it and retry the operation. If you can’t refresh it (because the refresh token has expired or been revoked), handle that gracefully by prompting the user to re-authenticate. This pattern of "try, detect failure, refresh, retry" should be a fundamental part of your API client code.

Additional Resources

API Reference: https://docs.globus.org/api/auth/reference/
Developer Guide: https://docs.globus.org/api/auth/developer-guide/
SDK Documentation: https://docs.globus.org/api/auth/sdks/
Example Applications: https://docs.globus.org/api/auth/examples/

Support

For questions and support:

Documentation: https://docs.globus.org/
Support Portal: https://support.globus.org/
Community Forum: https://www.globus.org/mailing-lists