
Comments (6)

rpaw053 commented on August 26, 2024

Completed Changes (Github: 9ee7790)

by rpaw053

from nz-orcid-hub.

rpaw053 commented on August 26, 2024

Good overview Roshan. This definitely works.

1), 2), and 3) look secure.

As alternative flows to consider, if we can trust the ability to access email:

i) Hub Admin uploads/populates table of member orgs and Tech Contacts

For each non-tuakiri org:
1) Hub Admin sends email to Tech Contacts containing

https://sandbox.orcid.org/oauth/signin?client_id=APP-TF7LKIE084PYTQ59&response_type=code&scope=/authenticate&show_login=true&redirect_uri=https://dev.orcidhub.org.nz/auth&state={noise variable}

The scope can indeed be /authenticate

2) on the round trip if the lookup of state matches a User-Org combo expecting one, and then appends the ORCID iD + token params to the [OrcidToken] table

3) they're directed to the org admin page to initiate the API credential request process.
NB: an authenticate token can be used to /read-public on the profile for which it was granted, so some info could in principle be checked/validated

4) on subsequent returns, we use the authenticate process to catch the ORCID iD of people logging into the Hub, and lookup [User].[orcid] to both work out who they are, and what Hub permissions they have.

Where things might come a cropper is multi-org individuals, so we need to specify the User-Org in the state and have the flow respond accordingly.

Happy to discuss

by jgus614

from nz-orcid-hub.

rpaw053 commented on August 26, 2024

Some discussion is needed to confirm the below flow for this activity:

1) A Hub admin will send an invitation to the research organisation who is a non-tuakiri member, the same way by generating a salt token and only for his email address.
2) The organisation admin comes to the landing page via the link that he got in the mail.
3) Then clicks on the button (“Login via Orcid”) present on our landing page: at first we check the email address and token of the user and then, if valid, redirect the user to the ORCID page with the client ID of ORCID Hub New Zealand in the API call.

The redirect API call will be (which is similar to what openvivo (http://openvivo.org) is doing currently):

https://sandbox.orcid.org/oauth/signin?client_id=APP-TF7LKIE084PYTQ59&response_type=code&scope=/authenticate&show_login=true&redirect_uri=https://dev.orcidhub.org.nz/auth

  • the scope can be /authenticate.

4) Then after authenticating we will redirect the organisation admin to a page where he can put his own organisation client ID and secret or can obtain those, as done in the previous sprints.
5) Thus it will complete the onboarding, and henceforth any researcher coming to a non-tuakiri onboarded organisation can log in on the hub.

by rpaw053

from nz-orcid-hub.
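The invitation step in the flow above and the `state` round trip proposed in the earlier comment, combined into one sketch. This is an added example, not code from the Hub: `issue_invite`, `redeem_state`, the in-memory `_pending` table and the seven-day `STATE_TTL` are assumptions, while the URL parameters are the ones quoted in the comments.

```python
import hashlib
import secrets
import time
from urllib.parse import urlencode

AUTHORIZE_URL = "https://sandbox.orcid.org/oauth/signin"
CLIENT_ID = "APP-TF7LKIE084PYTQ59"
REDIRECT_URI = "https://dev.orcidhub.org.nz/auth"
STATE_TTL = 7 * 24 * 3600  # assumed invitation lifetime, in seconds

# Hypothetical stand-in for a pending-invitation table. Entries are keyed by
# the SHA-256 of the state, so a copy of the table holds no usable state value.
_pending = {}


def _key(state):
    return hashlib.sha256(state.encode()).hexdigest()


def issue_invite(email, org, now=None):
    """Create a single-use state bound to exactly one User-Org combination."""
    now = time.time() if now is None else now
    state = secrets.token_urlsafe(32)  # the "noise variable": 256 random bits
    _pending[_key(state)] = {"email": email, "org": org,
                             "expires": now + STATE_TTL}
    query = urlencode({
        "client_id": CLIENT_ID, "response_type": "code",
        "scope": "/authenticate", "show_login": "true",
        "redirect_uri": REDIRECT_URI, "state": state,
    })
    return state, f"{AUTHORIZE_URL}?{query}"


def redeem_state(state, now=None):
    """Return the (email, org) the state was issued for, or None.

    The entry is removed before it is checked, so a replayed, expired or
    never-issued state is rejected and cannot be tried again.
    """
    now = time.time() if now is None else now
    if not state:
        return None
    entry = _pending.pop(_key(state), None)
    if entry is None or now > entry["expires"]:
        return None
    return entry["email"], entry["org"]
```

A person who administers two organisations gets two invitations with two different states, so the callback knows which User-Org row the returned ORCID iD belongs to.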

rpaw053 commented on August 26, 2024

Thanks for the change, Roshan; this story has relevance to more than just small Research Orgs, e.g., GNS Science is all of: a Consortium Member, not small, and not part of the Tuakiri Federation.

by jgus614

from nz-orcid-hub.

rpaw053 commented on August 26, 2024

Updating the old story ("As a smaller Research organisation, I want to login into ORCID hub through Tuakiri VHO service, So that a simple and reliable identity-management solution can be used in case we don’t have an identity-management capability or cannot run a standalone Identity Provider (IdP).") to the new one, as the old story has already been completed in sprint 1.

by rpaw053

from nz-orcid-hub.

rpaw053 commented on August 26, 2024

Alternative story:

As a smaller Research organisation, I want to login into ORCID hub through ORCID authentication, So that a simple and reliable identity-management solution can be used in case we don’t have an identity-management capability or cannot run a standalone Identity Provider (IdP), and are unable to meet costs of Tuakiri VHO membership.

by jgus614

from nz-orcid-hub.
