From c10b516d4b77f8169e35f1d27d8f95b7e8935b35 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felker=20Tam=C3=A1s?=
Date: Tue, 23 Jun 2020 13:34:14 +0200
Subject: [PATCH 1/7] Public ORCID login is available.
---
 .../authorization/providers/oauth2/impl/OrcidOAuth2AP.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/main/java/edu/harvard/iq/dataverse/authorization/providers/oauth2/impl/OrcidOAuth2AP.java b/src/main/java/edu/harvard/iq/dataverse/authorization/providers/oauth2/impl/OrcidOAuth2AP.java
index be22e9bc332..24d13eedc29 100644
--- a/src/main/java/edu/harvard/iq/dataverse/authorization/providers/oauth2/impl/OrcidOAuth2AP.java
+++ b/src/main/java/edu/harvard/iq/dataverse/authorization/providers/oauth2/impl/OrcidOAuth2AP.java
@@ -55,7 +55,8 @@ public class OrcidOAuth2AP extends AbstractOAuth2AuthenticationProvider {
 public static final String PROVIDER_ID_SANDBOX = "orcid-sandbox";
 public OrcidOAuth2AP(String clientId, String clientSecret, String userEndpoint) {
- scope = Arrays.asList("/read-limited");
+ String s = userEndpoint.startsWith("https://pub") ? "/authenticate" : "/read-limited";
+ scope = Arrays.asList(s);
 this.clientId = clientId;
 this.clientSecret = clientSecret;
 this.baseUserEndpoint = userEndpoint;
From 55c2c8918c384404c1dec008d6c60d03e71897de Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felker=20Tam=C3=A1s?=
Date: Mon, 29 Jun 2020 10:33:08 +0200
Subject: [PATCH 2/7] Fix for NPE in test.
---
 .../authorization/providers/oauth2/impl/OrcidOAuth2AP.java | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/main/java/edu/harvard/iq/dataverse/authorization/providers/oauth2/impl/OrcidOAuth2AP.java b/src/main/java/edu/harvard/iq/dataverse/authorization/providers/oauth2/impl/OrcidOAuth2AP.java
index 24d13eedc29..99534a84bd2 100644
--- a/src/main/java/edu/harvard/iq/dataverse/authorization/providers/oauth2/impl/OrcidOAuth2AP.java
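Review bot: The scope is selected by `userEndpoint.startsWith("https://pub")`, which matches any HTTPS host whose name merely begins with `pub`, so a mistyped or unrelated endpoint silently changes the OAuth scope the provider requests. Anchoring the prefix through the host, e.g. `userEndpoint.startsWith("https://pub.orcid.org/")` plus any other public hosts the installation supports, ties the decision to the provider. The configured value contains `{ORCID}`, so it cannot be handed to `java.net.URI` unmodified for host parsing. The same prefix test is carried into the constructor in PATCH 2/7 and PATCH 5/7. A short comment such as `// ORCID public API endpoint: request /authenticate; otherwise keep /read-limited` would record why two scopes exist; the constructor body continues outside the hunk.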
+++ b/src/main/java/edu/harvard/iq/dataverse/authorization/providers/oauth2/impl/OrcidOAuth2AP.java
@@ -55,7 +55,11 @@ public class OrcidOAuth2AP extends AbstractOAuth2AuthenticationProvider {
 public static final String PROVIDER_ID_SANDBOX = "orcid-sandbox";
 public OrcidOAuth2AP(String clientId, String clientSecret, String userEndpoint) {
- String s = userEndpoint.startsWith("https://pub") ? "/authenticate" : "/read-limited";
+
+ String s = null;
+ if(userEndpoint != null){
+ s = userEndpoint.startsWith("https://pub") ? "/authenticate" : "/read-limited";
+ }
 scope = Arrays.asList(s);
 this.clientId = clientId;
 this.clientSecret = clientSecret;
From 8da201b42a5e61e15a8835b2b5d82c6f06c27fbc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felker=20Tam=C3=A1s?=
Date: Mon, 29 Jun 2020 11:10:21 +0200
Subject: [PATCH 3/7] Oauth documentation is extended with ORCID public API option.
---
 .../root/auth-providers/{orcid.json => orcid-member.json} | 0
 .../files/root/auth-providers/orcid-public.json | 8 ++++++++
 doc/sphinx-guides/source/installation/oauth2.rst | 5 +++--
 3 files changed, 11 insertions(+), 2 deletions(-)
 rename doc/sphinx-guides/source/_static/installation/files/root/auth-providers/{orcid.json => orcid-member.json} (100%)
 create mode 100644 doc/sphinx-guides/source/_static/installation/files/root/auth-providers/orcid-public.json
diff --git a/doc/sphinx-guides/source/_static/installation/files/root/auth-providers/orcid.json b/doc/sphinx-guides/source/_static/installation/files/root/auth-providers/orcid-member.json
similarity index 100%
rename from doc/sphinx-guides/source/_static/installation/files/root/auth-providers/orcid.json
rename to doc/sphinx-guides/source/_static/installation/files/root/auth-providers/orcid-member.json
diff --git a/doc/sphinx-guides/source/_static/installation/files/root/auth-providers/orcid-public.json b/doc/sphinx-guides/source/_static/installation/files/root/auth-providers/orcid-public.json
new file mode 100644
index 00000000000..8a0c7bbe6c5
--- /dev/null
+++ b/doc/sphinx-guides/source/_static/installation/files/root/auth-providers/orcid-public.json
@@ -0,0 +1,8 @@
+{
+ "id":"orcid-public",
+ "factoryAlias":"oauth2",
+ "title":"ORCID",
+ "subtitle":"",
+ "factoryData":"type: orcid | userEndpoint: https://pub.orcid.org/v2.1/{ORCID}/person | clientId: FIXME | clientSecret: FIXME",
+ "enabled":true
+}
diff --git a/doc/sphinx-guides/source/installation/oauth2.rst b/doc/sphinx-guides/source/installation/oauth2.rst
index 4484ca72168..4c8e7041c75 100644
--- a/doc/sphinx-guides/source/installation/oauth2.rst
+++ b/doc/sphinx-guides/source/installation/oauth2.rst
@@ -26,7 +26,7 @@ Identity Provider Side
 Obtain Client ID and Client Secret
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-Before OAuth providers will release information about their users (first name, last name, etc.) to your Dataverse installation, you must request a "Client ID" and "Client Secret" from them. In the case of GitHub and Google, this is as simple as clicking a few buttons and there is no cost associated with using their authentication service. ORCID and Microsoft, on the other hand, do not have an automated system for requesting these credentials, and it is not free to use these authentication services.
+Before OAuth providers will release information about their users (first name, last name, etc.) to your Dataverse installation, you must request a "Client ID" and "Client Secret" from them. In the case of GitHub and Google, this is as simple as clicking a few buttons and there is no cost associated with using their authentication service. ORCID has a free public API that can also be used for authentication and accessing public data. ORCID member API and Microsoft, on the other hand, do not have an automated system for requesting these credentials, and it is not free to use them.
 URLs to help you request a Client ID and Client Secret from the providers supported by Dataverse are provided below. For all of these providers, it's a good idea to request the Client ID and Client secret using a generic account, perhaps the one that's associated with the ``:SystemEmail`` you've configured for Dataverse, rather than your own personal Microsoft Azure AD, ORCID, GitHub, or Google account:
@@ -51,7 +51,8 @@ As explained under "Auth Modes" in the :doc:`config` section, available authenti
 We will ``POST`` a JSON file containing the Client ID and Client Secret to this ``authenticationProviders`` API endpoint to add another authentication provider. As a starting point, you'll want to download the JSON template file matching the provider you're setting up:
-- :download:`orcid.json <../_static/installation/files/root/auth-providers/orcid.json>`
+- :download:`orcid-public.json <../_static/installation/files/root/auth-providers/orcid-public.json>`
+- :download:`orcid-member.json <../_static/installation/files/root/auth-providers/orcid-member.json>`
 - :download:`github.json <../_static/installation/files/root/auth-providers/github.json>`
 - :download:`google.json <../_static/installation/files/root/auth-providers/google.json>`
 - :download:`microsoft.json <../_static/installation/files/root/auth-providers/microsoft.json>`
From 9d7c843e4c9b667d0c51a19796af319b9e37d4ac Mon Sep 17 00:00:00 2001
From: Philip Durbin
Date: Mon, 29 Jun 2020 11:10:43 -0400
Subject: [PATCH 4/7] remove cost, link to ORCID APIs public, member #7025
---
 doc/sphinx-guides/source/installation/oauth2.rst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/sphinx-guides/source/installation/oauth2.rst b/doc/sphinx-guides/source/installation/oauth2.rst
index 4c8e7041c75..e185623d3c6 100644
--- a/doc/sphinx-guides/source/installation/oauth2.rst
+++ b/doc/sphinx-guides/source/installation/oauth2.rst
@@ -26,11 +26,11 @@ Identity Provider Side
 Obtain Client ID and Client Secret
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-Before OAuth providers will release information about their users (first name, last name, etc.) to your Dataverse installation, you must request a "Client ID" and "Client Secret" from them. In the case of GitHub and Google, this is as simple as clicking a few buttons and there is no cost associated with using their authentication service. ORCID has a free public API that can also be used for authentication and accessing public data. ORCID member API and Microsoft, on the other hand, do not have an automated system for requesting these credentials, and it is not free to use them.
+Before OAuth providers will release information about their users (first name, last name, etc.) to your Dataverse installation, you must request a "Client ID" and "Client Secret" from them. In many cases you can use providers' automated system to request these credentials, but if not, contact the provider for assistance.
 URLs to help you request a Client ID and Client Secret from the providers supported by Dataverse are provided below. For all of these providers, it's a good idea to request the Client ID and Client secret using a generic account, perhaps the one that's associated with the ``:SystemEmail`` you've configured for Dataverse, rather than your own personal Microsoft Azure AD, ORCID, GitHub, or Google account:
-- ORCID: https://orcid.org/content/register-client-application-production-trusted-party
+- ORCID: https://orcid.org/content/register-client-application-0
 - Microsoft: https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code
 - GitHub: https://github.com/settings/applications/new via https://developer.github.com/v3/oauth/
 - Google: https://console.developers.google.com/projectselector/apis/credentials via https://developers.google.com/identity/protocols/OAuth2WebServer (pick "OAuth client ID")
From 5a98e64d54b6afce65085ee27fe3de8e4446246f Mon Sep 17 00:00:00 2001
From: Oliver Bertuch
Date: Wed, 8 Jul 2020 11:10:28 +0200
Subject: [PATCH 5/7] Refactor userEndpoint checks for Public ORCID scope. #7025
---
 .../providers/oauth2/impl/OrcidOAuth2AP.java | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/src/main/java/edu/harvard/iq/dataverse/authorization/providers/oauth2/impl/OrcidOAuth2AP.java b/src/main/java/edu/harvard/iq/dataverse/authorization/providers/oauth2/impl/OrcidOAuth2AP.java
index 99534a84bd2..02177ee0032 100644
--- a/src/main/java/edu/harvard/iq/dataverse/authorization/providers/oauth2/impl/OrcidOAuth2AP.java
+++ b/src/main/java/edu/harvard/iq/dataverse/authorization/providers/oauth2/impl/OrcidOAuth2AP.java
@@ -55,12 +55,13 @@ public class OrcidOAuth2AP extends AbstractOAuth2AuthenticationProvider {
 public static final String PROVIDER_ID_SANDBOX = "orcid-sandbox";
 public OrcidOAuth2AP(String clientId, String clientSecret, String userEndpoint) {
-
- String s = null;
- if(userEndpoint != null){
- s = userEndpoint.startsWith("https://pub") ? "/authenticate" : "/read-limited";
+
+ if(userEndpoint != null && userEndpoint.startsWith("https://pub")) {
+ this.scope = Arrays.asList("/authenticate");
+ } else {
+ this.scope = Arrays.asList("/read-limited");
 }
- scope = Arrays.asList(s);
+
 this.clientId = clientId;
 this.clientSecret = clientSecret;
 this.baseUserEndpoint = userEndpoint;
From 9475838583c127584ca81a49643a4a3d16910bf8 Mon Sep 17 00:00:00 2001
From: Oliver Bertuch
Date: Wed, 8 Jul 2020 11:21:39 +0200
Subject: [PATCH 6/7] Convert ORCID OAuth2 provider test from JUnit4 to JUnit5. #7025
---
 .../providers/oauth2/impl/OrcidOAuth2APTest.java | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/test/java/edu/harvard/iq/dataverse/authorization/providers/oauth2/impl/OrcidOAuth2APTest.java b/src/test/java/edu/harvard/iq/dataverse/authorization/providers/oauth2/impl/OrcidOAuth2APTest.java
index 0009820ee41..33c54111d5c 100644
--- a/src/test/java/edu/harvard/iq/dataverse/authorization/providers/oauth2/impl/OrcidOAuth2APTest.java
+++ b/src/test/java/edu/harvard/iq/dataverse/authorization/providers/oauth2/impl/OrcidOAuth2APTest.java
@@ -4,9 +4,9 @@ import edu.harvard.iq.dataverse.authorization.providers.oauth2.AbstractOAuth2AuthenticationProvider;
 import edu.harvard.iq.dataverse.authorization.providers.oauth2.OAuth2Exception;
 import java.util.Arrays;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNotNull;
-import org.junit.Test;
+
+import org.junit.jupiter.api.Test;
+import static org.junit.jupiter.api.Assertions.*;
 /**
 *
@@ -82,14 +82,14 @@ public void testExtractOrcid() throws OAuth2Exception {
 assertEquals("0000-0001-2345-6789", sut.extractOrcidNumber(response));
 }
- @Test( expected=OAuth2Exception.class )
+ @Test
 public void testExtractOrcidBad() throws OAuth2Exception {
 // sample response from https://members.orcid.org/api/tutorial/read-orcid-records
 String response = "{\"access_token\":\"f5af9f51-07e6-4332-8f1a-c0c11c1e3728\",\"token_type\":\"bearer\",\n" + "\"refresh_token\":\"f725f747-3a65-49f6-a231-3e8944ce464d\",\"expires_in\":631138518,\n" + "\"scope\":\"/read-limited\",\"name\":\"Sofia Garcia\"}";
 OrcidOAuth2AP sut = new OrcidOAuth2AP("clientId", "clientSecret", "userEndpoint");
- sut.extractOrcidNumber(response);
+ assertThrows(OAuth2Exception.class, () -> sut.extractOrcidNumber(response));
 }
 @Test
From d588210a497503ed0a715be04bef677bcb960f47 Mon Sep 17 00:00:00 2001
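Review bot: The added `import static org.junit.jupiter.api.Assertions.*;` replaces two explicit static imports with a wildcard, which hides which assertions this test class depends on. Naming the ones the removed imports and this patch show in use (`assertEquals`, `assertNotNull`, `assertThrows`) keeps the import block searchable. In the second hunk, `testExtractOrcidBad` still declares `throws OAuth2Exception` although the only throwing call is now inside the `assertThrows` lambda, so the clause can presumably be dropped.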
From: Oliver Bertuch
Date: Wed, 8 Jul 2020 11:28:23 +0200
Subject: [PATCH 7/7] Add test case for public ORCID API endpoint to result in scope /authenticate. #7025
---
 .../providers/oauth2/impl/OrcidOAuth2APTest.java | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/src/test/java/edu/harvard/iq/dataverse/authorization/providers/oauth2/impl/OrcidOAuth2APTest.java b/src/test/java/edu/harvard/iq/dataverse/authorization/providers/oauth2/impl/OrcidOAuth2APTest.java
index 33c54111d5c..71bfc307f1c 100644
--- a/src/test/java/edu/harvard/iq/dataverse/authorization/providers/oauth2/impl/OrcidOAuth2APTest.java
+++ b/src/test/java/edu/harvard/iq/dataverse/authorization/providers/oauth2/impl/OrcidOAuth2APTest.java
@@ -6,6 +6,10 @@ import java.util.Arrays;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.CsvSource;
+import org.junit.jupiter.params.provider.ValueSource;
+
 import static org.junit.jupiter.api.Assertions.*;
 /**
@@ -41,6 +45,15 @@ private static String loadResponseXML(String fname) {
 }
 return txt;
 }
+
+ @ParameterizedTest
+ @CsvSource({"https://pub.orcid.org/v2.1/{ORCID}/person,/authenticate", "https://api.orcid.org/v2.0/{ORCID}/person,/read-limited"})
+ public void testPublicApiScope(String endpoint, String scope) {
+ // when
+ OrcidOAuth2AP provider = new OrcidOAuth2AP("clientId", "clientSecret", endpoint);
+ // then
+ assertEquals(scope, provider.getSpacedScope());
+ }
 @Test
 public void testParseUserResponse() {
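Review bot: `import org.junit.jupiter.params.provider.ValueSource;` is added in the first hunk, but nothing in the visible hunks uses `@ValueSource`. The new test relies on `@CsvSource` only, so the import looks unused and can be removed unless code outside the hunks needs it.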
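Review bot: `testPublicApiScope` pins only the two documented endpoints, so the inputs the constructor's branch was written to survive are not covered: a `null` endpoint (the NPE addressed in PATCH 2/7) and an HTTPS host that merely starts with `pub`. A regression check for the null path could be `assertEquals("/read-limited", new OrcidOAuth2AP("clientId", "clientSecret", null).getSpacedScope());` in its own `@Test`. A third CSV row with a non-ORCID host beginning with `pub` would document whether the broad prefix match in the constructor is intended. The test class continues outside the hunk.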