Globus Docs

Clients, Scopes, and Consents

Clients, Scopes, and Consents are an essential part of the Globus ecosystem and Globus Auth.

In brief, a Client is an application and a Consent is a record of a user granting a Client permissions to do something on their behalf.

A Scope is a critical part of a Consent. It defines what a Client is allowed to do.

Scopes

Scopes define actions or sets of actions.

Typical examples of scopes include urn:globus:auth:scope:groups.api.globus.org:view_my_groups_and_memberships and urn:globus:auth:scope:transfer.api.globus.org:all. The first grants an application the right to read a user’s Group information from Globus Groups, while the second grants the ability to make full use of the Globus Transfer service.

Scopes are defined by Globus, and describe various activities which a user can perform.

Tokens

Most of the credentials used within the Globus ecosystem are Tokens provided by Globus Auth.

Tokens are always issued with specific associated Scopes, sometimes referred to as the "scopes of the token".
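
The following is an added example, not code from Globus or its SDKs: a least-privilege check that compares the scopes of a token with the scopes an application actually needs, using the two scope strings quoted above. It assumes the token's scopes arrive as one space-delimited string, and it reads the part after `urn:globus:auth:scope:` as a service host and a scope name, which is an inference from those two strings; the function names are hypothetical.

```python
from collections import defaultdict

# Prefix shared by the two scope strings quoted in the Scopes section.
URN_PREFIX = "urn:globus:auth:scope:"


def parse_scope(scope):
    """Split a scope string into (service, name).

    Assumption: the text after URN_PREFIX is "<service host>:<scope name>".
    Any string that does not fit that shape is returned as (None, scope).
    """
    if scope.startswith(URN_PREFIX):
        service, sep, name = scope[len(URN_PREFIX):].partition(":")
        if sep and service and name:
            return service, name
    return None, scope


def audit_token_scopes(token_scope_string, required):
    """Report scopes the token lacks and scopes it carries beyond the need."""
    granted = set(token_scope_string.split())  # assumed space-delimited
    needed = set(required)
    by_service = defaultdict(list)
    for scope in sorted(granted):
        service, name = parse_scope(scope)
        by_service[service].append(name)
    return {
        "missing": sorted(needed - granted),  # the Client cannot do its job
        "excess": sorted(granted - needed),   # broader than necessary
        "by_service": dict(by_service),
    }


# Constructed sample: a token carrying both scopes quoted on this page,
# held by an application that only needs to read Group information.
GROUPS_VIEW = ("urn:globus:auth:scope:groups.api.globus.org:"
               "view_my_groups_and_memberships")
TRANSFER_ALL = "urn:globus:auth:scope:transfer.api.globus.org:all"
SAMPLE_TOKEN_SCOPES = GROUPS_VIEW + " " + TRANSFER_ALL
REQUIRED = [GROUPS_VIEW]

if __name__ == "__main__":
    report = audit_token_scopes(SAMPLE_TOKEN_SCOPES, REQUIRED)
    for key, value in report.items():
        print(key, "->", value)
```

An entry under `excess` marks a scope worth removing from what the Client requests, so that the Consent the user grants covers only what the application uses.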

Clients

Every application in the Globus ecosystem is a Client. The Globus CLI, the Globus Web Application, and custom applications created by users are all Clients.

Clients are registered with Globus Auth and are always identified by a unique ID, the client_id.

Every Client manages its own tokens and credentials, and has permissions granted to it by users via Consents.

Consents

A Consent is a record of a user granting a Client permissions.

Every time a user logs in to an application, they are presented with a Consent screen in the Globus Auth web application. This allows them to review the permissions requested by the Client and decide whether or not to grant them. When the user confirms, a set of Consents is created in Globus Auth to record the interaction.

The Consent screen also provides users with any Terms and Conditions or other informational links provided as part of the Client registration.

After the user has "consented", the client application will receive credentials (tokens) whose validity is tied to the interaction.

Consent Revocation

Users can revoke Consents at any time. When they do so, the tokens which were issued to the Client are immediately invalidated.

Consent revocation is a powerful tool for rescinding access to data or other resources. It is part of how Globus guarantees that users have control over the various applications and processes which they use within the ecosystem.

However, it should be noted that revoking consents is also destructive: a process which was started as part of a Client may or may not support being "resumed" with new tokens. Once Consents are revoked, asynchronous and long running processes may fail and need to be restarted.

Recap

  • A Client is an application like the CLI or Web Application.

    • Users can register their own Clients.

  • Scopes define actions which are permitted within Globus.

  • Tokens are credentials used by Clients to represent a user. They are always issued with some associated Scopes.

  • Consents are records of a user granting a Client permissions in the form of a set of Scopes.

    • Tokens will be issued to the Client, associated with the requested Scopes.

© 2010- The University of Chicago