DataverseNO currently uses Shibboleth with the user information not being editable in Dataverse. We are migrating our installation to the cloud, and are right now working on authentication issues. In our cloud deployment, we probably will use two authentication providers, ORCID and Feide, our national authentication provider. Both use OAuth. In our tests, we also realized that the user information coming from these providers is editable in Dataverse.
Before I read this discussion thread, I thought that user information from external authentication providers should always be non-editable, because otherwise it could cause trouble. So, I'm wondering how Dataverse manages user information from external authentication providers. Here are a couple of questions:
1. A researcher logs into Dataverse for the first time using an OAuth-based authentication provider.
a) I guess the user information is pulled from the authentication provider and stored in Dataverse?
b) Is there a minimal set of information that is needed from the authentication provider?
c) I guess the email address is a crucial part here since it's used as a primary user identifier in Dataverse?
2. Let's assume the researcher in (1) doesn't change the user information provided by the authentication provider in the initial login session. But in a later login session, the researcher changes the email address from A to B in Dataverse, but address A is still the email address stored in the user entry in the database of the external authentication provider.
a) What happens to the Dataverse user account? Will a new account be created with the new email address B?
b) What happens when the user logs into Dataverse next time using the external authentication provider? How will Dataverse be able to recognize that the researcher with email address A wants to log in to an account that now has email address B as its primary identifier?
Philipp