DataONE authentication no longer works in Chrome

[craig-willis]

Problem

Our strategy for authenticating with DataONE requires browser support for third party cookies. As of April, Chrome is no longer supporting third party cookies by default. This means that publishing to DataONE will not work until this problem is resolved, which will likely require changes to the auth process on the DataONE side, or if the user changes the browser setting.

Steps to Reproduce

• Using Chrome 90, confirm settings -> privacy and security -> Cookies and other site data -> Block third-party cookies is selected
• Login to Dashboard
• Go to Settings
• Attempt to connect to DataONE
• With https://github.com/whole-tale/girder_wholetale/pull/475 you should get an error indicating that the D1 token is empty. Without that PR, GET /user/me will have an empty access_token
• In Chrome, confirm settings -> privacy and security -> Cookies and other site data -> Allow All Cookies
• Try again. This time you should get the token.

Expected Results

Connect to D1 should get a valid token for the user using default browser settings

Actual Results

Connect to D1 fails

Workaround To publish to DataONE, user must enable third-party cookies

[Xarthisius]

What we can do instead is treat DataONE's JWT as an API key similarly to what we do for Zenodo / Dataverse. We would need to tell user to manually go to https://cn.dataone.org/portal/token and copy and paste what they see there (which is JWT).

[craig-willis]

That sounds like the best option to me. This way the UI treats all repositories the same, it's just a little more complicated for the user to retrieve the DataONE "key".

[mbjones]

We were aware this was going to happen soon in browsers, and we plan to make changes to no longer require or use a 3rd party cookie, in favor of using JWT with oauth refresh tokens. That will take some work though, and so I think your plan sounds good for the time being.