Dear Philip and Dataverse Community,
Our current Test Dataverse Environment for Researchers Only
Questions relating to SSO: SAML version 2.0 / OIDC
Please note: We have determined that we will use OIDC for our SSO. We also anticipate our production environment to be very similar to our test environment.
Given the above details for our Dataverse Test Environment, we are trying to determine if our researchers will be able to utilize API's with the use of the API tokens should we implement SSO (OIDC)
Thank you in advance,
Regards,
Richard Dennis
Special Advisor - Data Steward
Copenhagen University Library
--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-commu...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dataverse-community/72a11575-9c0f-4414-af41-84676c966270n%40googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dataverse-community/AM0P189MB05968F75958F78B2BD50657EF3FE9%40AM0P189MB0596.EURP189.PROD.OUTLOOK.COM.
I think an underlying point that is key in this discussion is that Dataverse’s API does not require/allow login via password and doesn’t support the notion of a session. Instead, users can generate a relatively long-lived API key that can be used to make API calls. That means that when an SSO account is deactivated and no action is taken in Dataverse to deactivate the user, their API key (if it was created at all) would still be valid until it times out.
In addition to allowing users to use the API directly, e.g. through pyDataverse/in notebooks, etc. where the user would have seen their API key, Dataverse also uses the API key to enable external tools (explore, config, and preview tools) interact with Dataverse to get files, metadata, etc. and, with config tools, to send updates back (e.g. to change the variable level metadata for a tabular file). This latter case probably motivated the API key route – the external tools do not get the users password and can automatically connect with Dataverse (and users/admins can change/deactivate the key to stop access by the tool without changing their password). It also means that, since users don’t deal directly with an API key to use external tools, it is really only those who directly use the API who are aware they have an API key.
For the external tools use case, there is work underway to replace direct use of the API key with shorter-lived signed URLs. Although external tools are ‘trusted’ in some sense, this both limits how long they could have access after being triggered (e.g. the last time a user logged in and clicked to view a preview/use an explore tool) and reduces the need to have an exposed API key. That could make it easier to think of ways to change how direct API use is handled.
-- Jim
To view this discussion on the web visit https://groups.google.com/d/msgid/dataverse-community/85028bf3-6698-4fe3-b9d6-cd8e18e415dbn%40googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dataverse-community/MN2PR07MB7343BCBB3AFFDE7983974DCBBFC09%40MN2PR07MB7343.namprd07.prod.outlook.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dataverse-community/0e2ee89f-ad1f-41dc-8a51-4189b2c7d193n%40googlegroups.com.