Security in logins with ORCID and Google
21 views
Skip to first unread message
Pedro Luis
Mar 2, 2026, 6:35:02 PM (2 days ago) Mar 2
to Dataverse Users Community
Dear Sir/Madam,
I have a question about security in Dataverse. When I allow users to authenticate via ORCID or Google, how is this user data stored in the database? Is it encrypted? If someone accesses the database, is it possible to see the users' information? What is the security level and where can I find this documentation?
Thank you very much in advance.
I have a question about security in Dataverse. When I allow users to authenticate via ORCID or Google, how is this user data stored in the database? Is it encrypted? If someone accesses the database, is it possible to see the users' information? What is the security level and where can I find this documentation?
Thank you very much in advance.
Philip Durbin
Mar 3, 2026, 12:33:29 PM (13 hours ago) Mar 3
to dataverse...@googlegroups.com
Hi Pedro Luis,
The ORCID for the user is stored in the persistentuserid column of the authenticateduserlookup table: https://guides.dataverse.org/en/6.9/schemaspy/tables/authenticateduserlookup.html
Likewise, a similar unique id is stored for a Google user.
The firstname, lastname, and email columns store those values (and, affiliation and position, if they've been filled in) in the authenticateduser table: https://guides.dataverse.org/en/6.9/schemaspy/tables/authenticateduser.html
None of these values are encrypted. Superusers can get the data out in JSON format using this API: https://guides.dataverse.org/en/6.9/api/native-api.html#list-users
I hope this helps!
Phil
--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-commu...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/dataverse-community/877bdbcb-6697-42a2-8251-25f3e93d2346n%40googlegroups.com.
Philip Durbin
Software Developer for http://dataverse.org
http://www.iq.harvard.edu/people/philip-durbin
Software Developer for http://dataverse.org
http://www.iq.harvard.edu/people/philip-durbin
Julian Gautier
Mar 3, 2026, 1:03:01 PM (13 hours ago) Mar 3
to Dataverse Users Community
Just to clarify, people who can use that list-users API need more than to be a superuser, right?
When I use my superuser API key on Dataverse installations that I'm a superuser on, the API returns a 403 Forbidden message, and I've always thought that this is because these "admin" API endpoints require more protections, so installation managers usually block them or require that people who want to use them need to jump through extra hurdles.
Philip Durbin
Mar 3, 2026, 5:39:40 PM (8 hours ago) Mar 3
to dataverse...@googlegroups.com
Right, it's under the "admin" API, which is blocked: https://guides.dataverse.org/en/6.9/installation/config.html#blocking-api-endpoints
On Tue, Mar 3, 2026 at 1:03 PM Julian Gautier <julian...@g.harvard.edu> wrote:
Just to clarify, people who can use that list-users API need more than to be a superuser, right?When I use my superuser API key on Dataverse installations that I'm a superuser on, the API returns a 403 Forbidden message, and I've always thought that this is because these "admin" API endpoints require more protections, so installation managers usually block them or require that people who want to use them need to jump through extra hurdles.
--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-commu...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/dataverse-community/258218fe-2825-4926-a2ae-55c88536cacan%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages