Configuring the GA4GH Passport Clients

Stefan Negru, Teemu Kataja

ELIXIR AAI and Passport training 23 June 2021

​

​

European Life Sciences Infrastructure for Biological Information

www.elixir-europe.org

European Life Sciences Infrastructure for Biological Information

www.elixir-europe.org

Outlook

• Go over the training purpose
• Go over the training setup
• Oauth Device Authorization Flow
• Demo constructing a FUSE layer using Device Authorization Flow and loading data from remote resource
• Inspect GA4GH Passports in depth

​

​

​

​

​

​

Linking EGA - Elixir ID

• Link your IDs at: https://ega.ebi.ac.uk:8053/ega-openid-connect-server/ega-login (required step before workshop)
• Inspect Elixir AAI GA4GH Passports Visas https://echo.aai.elixir-czech.org

GA4G Passport - Example use case

• FUSE layer that can load data on demand depending on datasets a user has permissions to
• Data Repository - that can serve the files
• Client that connects to the data repository
• Client Registered with Elixir AAI

Oauth Device code flow / Device Authorization Flow

https://auth0.com/docs/flows/device-authorization-flow

https://auth0.com/docs/flows/authorization-code-flow

FUSE with Device Authorization Flow

Request/Response

{

"device_code": "Ag_EE...ko1p",

"user_code": "QTZL-MCBW",

"verification_uri": "elixir-aai/activate",

"verification_uri_complete": "elixir-aai/activate?user_code=QTZL-MCBW",

"expires_in": 900,

"interval": 5

}

​

curl --request POST \

--url 'elixir-aai/device/code' \

--header 'content-type: application/x-www-form-urlencoded' \

--data 'client_id=YOUR_CLIENT_ID' \

--data scope=SCOPE \

--data audience=AUDIENCE

https://login.elixir-czech.org/oidc/.well-known/openid-configuration

Questions and Answers - so far

Break - 10 min

Show and tell

Summary of the Commands

Start 2 ssh sessions:

- ssh -p <port> cineca-training@128.214.252.28

- ssh -p <port> cineca-training@128.214.252.28

​

1st ssh session:

​

fuse --help

fuse --repository https://test.sd.csc.fi/sda

^ this will list a token which can be inspected in the 2nd ssh session

​

2nd ssh session

ls -al /home/cineca-training/Datasets

^ one folder/directory should be present

ga4gh-inspect --help

ga4gh-inspect --decode <token>

ga4gh-inspect --visas <token>

ga4gh-inspect --visas-decoded <token>

​

less /usr/local/lib/python3.8/dist-packages/sda_fuse_client/auth/config/remote_qr.ini

GA4GH Passports from multiple sources

• Log in with Elixir ID https://data-access.sd.csc.fi
• Go to https://data-access.sd.csc.fi/catalogue
• Add to cart CINECA synthetic cohort dataset
• Apply for access
• Fill in form
• Accept terms of use
• Add a short description to the application section
• Send Application
• Inspect Elixir AAI GA4GH Passports Visas https://echo.aai.elixir-czech.org

​

Summary of the Commands

Start/reuse the 2 ssh sessions:

- ssh -p <port> cineca-training@128.214.252.28

- ssh -p <port> cineca-training@128.214.252.28

​

1st ssh session:

​

(Close the previous fuse if still open) - Ctrl + C or Cmd + C

fuse --repository https://test.sd.csc.fi/sda

^ this will list a token which can be inspected in the 2nd ssh session

​

2nd ssh session

ls -al /home/cineca-training/Datasets

^ two folders/directories should be present

​

Where to go next

• VMs will be available till 7th of July
• Source code available under /home/cineca-training/training and licensed under Apache license

​

• Questions and Answers right now

Additional links

https://gist.github.com/teemukataja/b4f3e5fc3686c1c9fdedf0aa9ab5a0d8

​

https://github.com/CSCfi/beacon-python/blob/master/beacon_api/permissions/ga4gh.py

​

https://jwt.io/

​

​