Centralized Fence

The Fence service controls access to the metadata, submission, indexing, and data itself. Fence is an authentication (AuthN) and authorization (AuthZ) service that uses the OpenID Connect flow (an extension of OAuth2) to issue tokens to clients. It can also provide tokens directly to a user. Clients and users may then present those tokens (JWTs) to other Gen3 Data Commons services to access protected endpoints that require specific permissions. Fence can be configured to support different Identity Providers (IDPs) for AuthN. At the moment, supported IDPs include Google and Shibboleth-based providers such as NIH iTrust.
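The paragraph above says other Gen3 services accept Fence-issued JWTs at their protected endpoints. The following is an added example, not code from the Fence project, showing the checks a resource service performs on such a bearer token before honouring it: pinned algorithm, signature, issuer, audience and expiry. Everything in it is constructed: the HMAC key stands in for the issuer's signing key so the example runs offline (a real deployment verifies against the issuer's published public key), and the issuer URL and audience value are placeholders, not Fence's actual claim values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key (assumption): a real verifier uses the issuer's public key.
DEMO_KEY = b"constructed-demo-secret-not-for-production"
ISSUER = "https://example-commons.invalid/user"   # hypothetical issuer URL
AUDIENCE = "openid"                               # hypothetical expected audience


def b64url_encode(data: bytes) -> str:
    """JWT-style base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the stripped padding first."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(sub: str, ttl: int = 3600, now=None) -> str:
    """Stand-in for the token issuer: build a compact HS256 JWT for `sub`."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": sub, "aud": AUDIENCE, "iat": now, "exp": now + ttl}
    signing_input = (
        f"{b64url_encode(json.dumps(header).encode())}."
        f"{b64url_encode(json.dumps(claims).encode())}"
    )
    sig = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_token(token: str, now=None) -> dict:
    """Checks a resource service runs before trusting a bearer token.

    Raises ValueError on any failure; returns the verified claims on success.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the algorithm: the token header must never choose 'none' or a different alg.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(DEMO_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so signature checks do not leak timing.
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


if __name__ == "__main__":
    tok = mint_token("alice@example.org")
    print(verify_token(tok)["sub"])
```

The order matters: the signature is checked before any claim is read, so an attacker-controlled payload is never interpreted, and the algorithm is fixed by the verifier rather than taken from the token.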

Currently Fence works with another Gen3 service, Arborist, to implement attribute-based access control for commons users. The YAML file of access control information contains an `authz` section whose data is sent to Arborist in order to set up the access control model.
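To make the access control model described above concrete, here is an added example (not Fence or Arborist code) that evaluates a small resource-based policy: resources form a path tree, roles carry service/method permissions, policies bind roles to resource paths, and users are assigned policies. The `AUTHZ` data is a constructed Python rendering of what such a YAML section might contain; its layout, the service names, and the rule that a grant on a parent path covers its descendants are assumptions for this example, not a statement of Arborist's exact schema or semantics.

```python
# Constructed sample in the shape of an access-control YAML `authz` section
# (assumed layout; consult the Fence/Arborist docs for the real schema).
AUTHZ = {
    "resources": [
        {"name": "programs", "subresources": [
            {"name": "DEV", "subresources": [
                {"name": "projects", "subresources": [{"name": "test"}]},
            ]},
        ]},
        {"name": "open"},
    ],
    "roles": [
        {"id": "reader", "permissions": [
            {"id": "read", "action": {"service": "*", "method": "read"}},
        ]},
        {"id": "writer", "permissions": [
            {"id": "write", "action": {"service": "submission", "method": "create"}},
        ]},
    ],
    "policies": [
        {"id": "dev_read", "role_ids": ["reader"], "resource_paths": ["/programs/DEV"]},
        {"id": "test_write", "role_ids": ["writer"],
         "resource_paths": ["/programs/DEV/projects/test"]},
        {"id": "open_read", "role_ids": ["reader"], "resource_paths": ["/open"]},
    ],
    "users": {
        "alice@example.org": {"policies": ["dev_read", "test_write"]},
        "bob@example.org": {"policies": ["open_read"]},
    },
}


def flatten_resources(nodes, prefix=""):
    """Expand the nested resource tree into the set of full resource paths."""
    paths = set()
    for node in nodes:
        path = f"{prefix}/{node['name']}"
        paths.add(path)
        paths.update(flatten_resources(node.get("subresources", []), path))
    return paths


def covers(granted: str, requested: str) -> bool:
    """A grant on a path covers that path and everything beneath it (assumed rule)."""
    return requested == granted or requested.startswith(granted.rstrip("/") + "/")


def is_authorized(authz, user: str, service: str, method: str, resource: str) -> bool:
    """Deny by default; allow only if some policy of the user grants
    a role whose permission matches (service, method) on a covering path."""
    if resource not in flatten_resources(authz["resources"]):
        return False  # unknown resource path: never grant
    roles = {r["id"]: r for r in authz["roles"]}
    policies = {p["id"]: p for p in authz["policies"]}
    for policy_id in authz["users"].get(user, {}).get("policies", []):
        policy = policies.get(policy_id)
        if policy is None:
            continue  # dangling policy reference is treated as no grant
        if not any(covers(g, resource) for g in policy["resource_paths"]):
            continue
        for role_id in policy["role_ids"]:
            for perm in roles.get(role_id, {}).get("permissions", []):
                action = perm["action"]
                if action["service"] in ("*", service) and action["method"] in ("*", method):
                    return True
    return False


if __name__ == "__main__":
    print(is_authorized(AUTHZ, "alice@example.org", "submission", "create",
                        "/programs/DEV/projects/test"))
```

Two properties worth noting when reviewing such data: every decision is deny-by-default (an unknown user, resource, policy or role yields no access), and the scope of a write grant is visibly narrower than the read grant because it is bound to a deeper path.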

Useful Links: