Public ORCID login is available. #7025
Conversation
There was a problem hiding this comment.
@felker13 this is very exciting! Would you be able to make any necessary changes to the OAuth section of the Installation guide?
In particular, if it's no longer (or never was) true that ORCID requires institutions to pay to use their login service, we should change this line:
"ORCID and Microsoft, on the other hand, do not have an automated system for requesting these credentials, and it is not free to use these authentication services."
I'm highlighting it in blue below:
It's from this page: http://guides.dataverse.org/en/4.20/installation/oauth2.html
Here's the source: https://github.com/IQSS/dataverse/blob/develop/doc/sphinx-guides/source/installation/oauth2.rst
Would you be able to make this change?
The code seems fine. I assume one chooses between public and non-public using the userEndpoint part of factoryData.
|
When the user chooses ORCID authentication, he will be redirected to ORCID,
where he must log in with his ORCID credentials. If this is successful,
ORCID will return an access token. That token is saved into
oauth2tokendata table during the registration process and will be used
later to authenticate the user. The user data that dataverse can obtain
from ORCID depends on the api type, but it is independent from the
authentication.
<https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail>
Mentes
a vírusoktól. www.avast.com
<https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail>
<#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>
qqmyers <notifications@github.com> ezt írta (időpont: 2020. jún. 26., P,
17:59):
… Unless I'm missing something (which could be - I haven't played with ORCID
in a while)- the public API allows you to read the user's public info, but
you can read the profile of anyone you have the ID for, versus only someone
that has successfully completed an Oauth2 login there. So the public
/read-limited is great for getting the name of a list of creators or
contacts you have ORCIDs for, but being able to retrieve the info doesn't
prove the user is authenticated - which would be a problem if this call is
involved in verifying the user is logged in. Is that the case? Or is there
code elsewhere that does that? Or am I misunderstanding what the public
ORCID API can do these days?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#7025 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AGI3Z5FAMBG3YBTRCRT4NZTRYTAWXANCNFSM4OJKFSSQ>
.
|
|
@felker13 I made a pull request to change the docs at dsd-sztaki-hu#1 Please take a look. Thanks. |
remove cost, link to ORCID APIs public, member IQSS#7025
|
@pdurbin I agree with your suggestions, so I merged your changes. Thank you. |
|
Hi @felker13 - can you include a screenshot of this? I wasn't aware that this may have impact to the UI. If it's in the way I understand it above, I'm hesitant to provide multiple options for ORCID login, as it may confuse people. Also, are there other applications that have these multiple options implemented in the same way? If so, can you point us to some of these platforms? Thank you! |
|
@djbrooke there would not be multiple ORCID logins. What is being provided is more flexibility for the sysadmin who is configuring Dataverse. Basically, if you're institution is already a member of ORCID (like Harvard), you use the ORCID member API we've always supported. If your institution is not a member of ORCID, you use ORCID's public API. |
|
@pdurbin thanks, so the decision about which login option to use would be made at the installation level, not at the researcher level. Makes sense, perfect. @felker13 I am going to keep this assigned to you. Can you please update the top comment of the PR to match the pull request template format in other PRs (like in #7039)? It will help us test and get this merged. Thank you! |
There was a problem hiding this comment.
Overall this is a very good idea for a very simple approach, following "convention over configuration".
A unit test case at OrcidOAuth2APTest is missing for this and should be done before merging to enhance code coverage. Happy to help if wanted.
|
|
||
| URLs to help you request a Client ID and Client Secret from the providers supported by Dataverse are provided below. For all of these providers, it's a good idea to request the Client ID and Client secret using a generic account, perhaps the one that's associated with the ``:SystemEmail`` you've configured for Dataverse, rather than your own personal Microsoft Azure AD, ORCID, GitHub, or Google account: | ||
|
|
||
| - ORCID: https://orcid.org/content/register-client-application-production-trusted-party | ||
| - ORCID: https://orcid.org/content/register-client-application-0 |
There was a problem hiding this comment.
| - ORCID: https://orcid.org/content/register-client-application-0 | |
| - ORCID: https://orcid.org/content/register-client-application |
There was a problem hiding this comment.
Can you please update the top comment of the PR to match the pull request template format in other PRs
This done so I'm moving this to code review.
There was a problem hiding this comment.
Interesting. I got the longer link with the "-0" at the end from https://orcid.org/organizations/integrators but I do think the shorter link looks nicer (and goes to the same place) so it would be a good change. @felker13 I don't have access to accept this change.
| String s = null; | ||
| if(userEndpoint != null){ | ||
| s = userEndpoint.startsWith("https://pub") ? "/authenticate" : "/read-limited"; | ||
| } | ||
| scope = Arrays.asList(s); |
There was a problem hiding this comment.
One could argue that this can be done more compact with only one if and without an extra variable allocation.
E. g. like
if(userEndpoint != null && userEndpoint.startsWith("https://pub")) {
this.scope = Arrays.asList("/authenticate");
} else {
this.scope = Arrays.asList("/read-limited");
}Or you leave it to the code optimizer of the JVM... 😉
There was a problem hiding this comment.
I'm fine with letting the JVM optimize it. 😄
|
@felker13 can you please create an issue for this pull request to close? It can be short. Just a title and a one line description is fine. Thanks! |
@poikilotherm as we discussed at http://irclog.iq.harvard.edu/dataverse/2020-07-02#i_125994 you are welcome to write the extra unit tests either before or after this pull request is merged. Thanks for offering! |
|
@pdurbin @felker13 I just created dsd-sztaki-hu#2, merging latest develop and unit tests for this. |
|
@poikilotherm thanks. Is it possible to make the diff smaller? I assume to do so one would merge the latest from develop into dsd-sztaki-hu:orcid-public-api (this pull request). |
|
@pdurbin yeah, that should make the diff much smaller... |
7025 orcid public
What this PR does / why we need it: This change will make it possible to use orcid public api for orcid authentication. Using member api is still possible, the chosen method depends on the userEndpoint parameter provided in the uploaded json. This feature is also mentioned in #6329.
Which issue(s) this PR closes: none
Special notes for your reviewer: none
Suggestions on how to test this: Use the new orcid-public.json with your ORCID public api credentials to create a new login option. Using the new option you should be able to log in to Dataverse using your ORCID credentials.
Does this PR introduce a user interface change? If mockups are available, please link/include them here: no
Is there a release notes update needed for this change?: This should be included in the release notes as a new feature.
Additional documentation: none