Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Refactor ORCID OAuth2 and OAuth2TokenData #6329

Closed
poikilotherm opened this issue Oct 31, 2019 · 2 comments
Closed

Refactor ORCID OAuth2 and OAuth2TokenData #6329

poikilotherm opened this issue Oct 31, 2019 · 2 comments

Comments

@poikilotherm
Copy link
Contributor

poikilotherm commented Oct 31, 2019

This is related to #5974, #5689 and a successor to #5279.
This is kind of security related, but just as a precaution.


OAuth2TokenData

While hacking on #5974 and OIDC stuff, I came across OAuth2TokenData. Everyone that logs in via some OAuth2 provider (no matter which provider) has its token stored in the database.

This data is stored, but never read. Nowhere. It had been introduced due to ORCID support:

* Persisting token data is a requirement for ORCID according to
* https://members.orcid.org/api/news/xsd-20-update which says "Store full
* responses from token exchange: access tokens, refresh tokens, scope, scope
* expiry to indicate an iD has been authenticated and with what scope" but we
* don't know how long responses need to be stored. There is no such requirement
* to store responses for any other OAuth provider.

That link is dead, find an updated checklist here.

Storing this information might lead to a data breach, as a hacker that gains access to these tokens can use it to read information from the provider (in the limits of the scope and readonly of course). However, this should be avoided: it's not used, eats DB storage and might pose a risk.

This leads to the next section:

ORCID API usage

Currently, when you want to authenticate to Dataverse using ORCID provider, you have some things you need to attack:

  1. Become an ORCID member (paying $$$). Non-members cannot get access to the members API. Dataverse is using the Members API exclusively.
  2. Once being a member, move through a manual process of sandbox environments, showcases etc etc. Very tedious. Very long. Exhausting. Been through it twice now. No fun.

I really wonder why Dataverse should do this in the first place. Currently we are not using any kind of Members only stuff in Dataverse (see API comparison for details on what you can do with it), we are just using it for auth and reading public data.

Email addresses are private by default in ORCID and you cannot access them either via Public API or Member API.

The Public API on the other hand:

  • Sufficient for auth and reading public things.
  • No need to become an ORCID member
  • Automated process to register your client app
  • No obligations for us to store tokens, be compliant with the UI stuff or anything else from the checklist linked above.

(I should note: public API credentials are tied to an individual, not an org. Non-moveable. Meh.)

(tl;dr)
So my question is: shouldn't we refactor, remove OAuth2TokenData and switch to Public API`?
(At the same time one could check for #5689, the ORCID API 3.0 compatibility.)


Mentions:

  • @TaniaSchlatter because this is UI related
  • @scolapasta because IIRC he's one of the sec guys
  • @pameyer because he was engaged in some of the other issues
  • @michbarsinai because he wrote much of that code back in 2017
  • @pdurbin because I call him the Chief Community Officer and he also did much coding on this stuff
@michbarsinai
Copy link
Member

michbarsinai commented Oct 31, 2019 via email

@cmbz
Copy link

cmbz commented Aug 20, 2024

To focus on the most important features and bugs, we are closing issues created before 2020 (version 5.0) that are not new feature requests with the label 'Type: Feature'.

If you created this issue and you feel the team should revisit this decision, please reopen the issue and leave a comment.

@cmbz cmbz closed this as completed Aug 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants