The app can only be used for users registered in Pandora and with a valid ORCID

[arunge]

The app can only be used for users registered in Pandora and with a valid ORCID (to check for this, the rorcid package can be used).

• check:
  • https://info.orcid.org/documentation/api-tutorials/
  • https://info.orcid.org/documentation/integration-and-api-faq/
  • https://docs.ckan.org/en/2.9/api/#authentication-and-api-tokens
  • https://www.shinyproxy.io/faq/
  • https://www.shinyproxy.io/documentation/spel/#access-expression

option "keycloak":

• https://github.com/eosc-kc/keycloak-orcid

[arunge]

@isomemo We must discuss the details, needs and goals for a specific login in order to understand:

• what kind of authentication is needed for the different apps (e.g. TraceR, blog like app) and
• what kind of integration (via shinyproxy or as part of the shiny app itself) would be best for the goals that need to be achieved
• how should the workflow look like for users

After clarifying those details we can proceed here.

[arunge]

As just discussed, I will propose dates for a meeting together with Amit.

[arunge]

@isomemo After some research on authentication standards, we do have following options:

Shiny proxy Single-Sign On (in-house)

• smallest effort of implementation
• allows only for one(!) login, that is only ORCID or(!) Pandora would be possible
• support of following standards:
  • LDAP
  • Single-Sign On / Keycloak
  • OpenID Connect (OIDC)
  • SAML 2.0
  • Social Authentication
  • Web Service Based Authentication
  • Simple Authentication

    Authentication via Keycloak (open source)

• requires to maintain another service on our servers
• can handle different logins for the standards mentioned above
• provides: strong authentication, user management, fine-grained authorisation

  Self-developed Authentication (high effort, NOT recommended)

• high effort of implementation and maintenance: need to develop and implement all functionality, e.g. checks if users are already logged in, if there is another login from outside, ...
• integration of the authentication method directly into the shiny app
• very flexible

Planned User logins

ORCID login

• Keycloak plugin available: https://github.com/eosc-kc/keycloak-orcid
• support for OpenID Connect standard: https://info.orcid.org/orcid-openid-connect-and-implicit-authentication/

  Pandora login

• ~no support of common standards (see above) (https://docs.ckan.org/en/2.9/api/index.html?highlight=authentication#authentication-and-api-tokens)~
• update: there is a ckan SAML2 extension: https://ckan.org/blog/using-saml2-authentication-ckan

~The issue is, that Pandora supports no common standard. Its integration would require a self-developed custom solution. The effort is very high.~ Additionally, the integration of the Pandora login was only planned as a fall-back if ORCID login failed. The effort would outweigh its purpose.

We would strongly recommend to rely on the ORCID login that offers strong standards and good support. @isomemo Please let us discuss, how to continue here.

[arunge]

Regarding:

• update: there is a ckan SAML2 extension: https://ckan.org/blog/using-saml2-authentication-ckan

@jan-abel-inwt Please, let us check the extension and discuss the options and what is exactly required next week.

[arunge]

@jan-abel-inwt Please check packages sodium and openssl as discussed and let me know about updates.

[arunge]

@isomemo Today we discussed:

• focusing on a single login (ORCID) should be the goal:
  • much less complex integration with shinyproxy saving a lot of time
  • using two accounts would require to store a mapping between to accounts of the same person in some database
  • we could embed a button that opens the Pandora website directly into our import module
  • the user would be able to check where the list of files from Pandora import is coming from
  • we could add a note that users may add/share there own data via Pandora after signing in
• the idea of using a signature for files that should be exported/imported
  • I prepared/tested an example how signing of files is working
  • idea:
  • sign a file before the export
  • verify the file after import
  • by this ensure that the parts of a network that were accredited to a specific valid userID cannot be changed outside the app
  • that is, only users with valid userIDs would be allowed to update/modify/delete/add network nodes/edges
  • an update/modification/deletion/addition of network nodes/edges would be accredited to the userID that is currently logged in
  • the user himself can only modify the displayed name that will be mapped to his unique valid userID
  • network parts will be accredited directly to the unique valid userID

However, there was uncertainty if the suggested approach would cover all goals that you would like to achieve. Please feel free to specify your demands more precisely in order to discuss our final approach.

[isomemo]

@arunge I sent a file on this!

[arunge]

• [ ] We discussed the issue and are first continuing here: https://github.com/Pandora-IsoMemo/TraceR/issues/14

• [ ] Afterwards we must finally decide for the login to be used.