Open dylanmcreynolds opened 1 year ago
How do you do access group mapping with only orcid? If you do a lookup on other systems to get the groups, maybe this system also has email info available?
But I am fine with making email non-mandatory.
Or you could probably leverage the ORCID API [1] (LBNL is an ORCID member) to retrieve the email.
[1] https://github.com/ORCID/orcid-model/blob/master/src/main/resources/record_3.0/README.md
If you have a keycloak instance in between scicat and orcid, check https://github.com/eosc-kc/keycloak-orcid/
How do you do access group mapping with only orcid? If you do a lookup on other systems to get the groups, maybe this system also has email info available?
Yes, we do a lookup to our user office system to get groups.
ORCID is a very popular OIDC authentication service in the scientific community. We use ORCID to allow our users to authenticate to SciCat. This worked with the old version of the backend, but does not work out of the box with the new SciCat backend.
When configured to use ORCID, authenticating the user results in the following error:
The issue here is that ORCID does not provide a couple of fields that are now required. ORCID does not provide an email address. It also does not provide either of the fields that the OIDCStrategy looks for here
Additionally, the schemas for User and CreateUserDTO require email. https://github.com/SciCatProject/scicat-backend-next/blob/0f827b08007faf87e8f8ec68a101760e5d998356/src/users/schemas/user.schema.ts#L32

Again, this is a regression as ORCID authentication worked fine in the old version of the backend. How to deal with this?
I can think about creating a special ORCIDStrategy that puts the user's ORCID into the username field. But ORCID will never provide an email. I would like to make this field not required.
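
An added illustration of the mapping discussed in this issue, not code from scicat-backend-next or from any participant in the thread: it builds a local user record from OIDC claims with email optional and the ORCID iD as username, and checks the iD's ISO 7064 MOD 11-2 check character before the value is used as a key for group lookups. The names `OidcClaims`, `LocalUser` and `mapOrcidClaims` are hypothetical, and it assumes the `sub` claim carries the bare ORCID iD.

```typescript
// Added example. OidcClaims, LocalUser and mapOrcidClaims are hypothetical names,
// not identifiers from scicat-backend-next.
interface OidcClaims {
  sub?: string;
  email?: string;
  given_name?: string;
  family_name?: string;
}

interface LocalUser {
  username: string;
  displayName: string;
  email?: string; // optional: ORCID may never supply one
}

// ISO 7064 MOD 11-2 check character over the first 15 digits of an ORCID iD.
function orcidCheckChar(first15: string): string {
  let total = 0;
  for (let i = 0; i < first15.length; i++) {
    total = (total + Number(first15.charAt(i))) * 2;
  }
  const result = (12 - (total % 11)) % 11;
  return result === 10 ? "X" : String(result);
}

function isValidOrcid(id: string): boolean {
  if (!/^\d{4}-\d{4}-\d{4}-\d{3}[\dX]$/.test(id)) return false;
  const digits = id.replace(/-/g, "");
  return orcidCheckChar(digits.slice(0, 15)) === digits.charAt(15);
}

// Assumption: the `sub` claim carries the bare ORCID iD.
function mapOrcidClaims(claims: OidcClaims): LocalUser {
  const sub = claims.sub ?? "";
  if (!isValidOrcid(sub)) {
    throw new Error("sub claim is not a well-formed ORCID iD");
  }
  const name = [claims.given_name, claims.family_name]
    .filter((part) => !!part)
    .join(" ");
  const user: LocalUser = { username: sub, displayName: name || sub };
  const email = (claims.email ?? "").trim();
  if (email) user.email = email; // set only when the provider sent one
  return user;
}
```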