New requirements to verify email addresses interact with sandbox's mailinator restriction


Jason

Apr 28, 2019, 9:25:21 PM
to ORCID API Users
Hi ORCID

Sometime between the 5th and the 26th April you have added the following restriction to emails:

"Only verified email addresses can be displayed publicly or shared with trusted parties."

I can see that's totally reasonable for production, but is rather a pain on sandbox when the only addresses that sandbox can actually verify are with mailinator.

Was this really intended to apply to sandbox?

Until now we haven't wanted to force our users to create mailinator addresses, and indeed some of our users are in workplaces that prohibit this service.  With this new requirement, we'll be unable to get them into our test environment without hacking our normal onboarding flow.

This is also the kind of notification which I thought the ORCID API Users group would be for.  We've spent some time troubleshooting, and even now that I know that this was our problem it doesn't appear that I can find any notice for this change in behaviour, i.e.: 

No results found for "Only verified email addresses can be displayed publicly or shared with trusted parties".

Should we see this kind of thing appearing here?

Cheers,
Jason.


Demeranville, Tom

Apr 29, 2019, 8:49:09 AM
to Jason, ORCID API Users
Hi Jason

First off, sorry this has caused you problems.  You are right that this should have been announced on this list.  We picked up that we didn't document this last week (April 26th), then your post came in confirming that we really should have.   So apologies.

You can see the details of the change on our trello board: https://trello.com/c/vVmgmqUk/5715-unverified-emails-should-not-be-shown-on-public-page-5 

Our sandbox replicates the live environment, so yes this change was intended for there too.  I'm not quite sure I understand your sandbox use case or how this has impacted you.  Sandbox is intended for testing, not production.  Could you elaborate?

Tom Demeranville
Product Director
ORCID Inc


--
You received this message because you are subscribed to the Google Groups "ORCID API Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to orcid-api-use...@googlegroups.com.
To post to this group, send email to orcid-a...@googlegroups.com.
Visit this group at https://groups.google.com/group/orcid-api-users.
For more options, visit https://groups.google.com/d/optout.

Demeranville, Tom

Apr 29, 2019, 8:56:40 AM
to Jason, ORCID API Users
To clarify my last mail, this change is currently not yet live in production.  It exists only in sandbox and our QA systems.

For more info on the sandbox, see https://support.orcid.org/hc/en-us/articles/360006897474-Is-the-Sandbox-different-from-the-Production-Registry-


Tom Demeranville
Product Director
ORCID Inc

Jason

Apr 29, 2019, 7:23:57 PM
to ORCID API Users
Thanks for the clarification Tom,

In return: We run a Test Hub instance so that new members can explore functionality and get comfort with writing to the different sections of ORCID sandbox records.  It's only after they've demonstrated familiarity with the system, that we let them loose on the production Hub, and thus the production ORCID registry.

For our non-Identity Federation members, we use ORCID as the first authentication mechanism for Hub admin roles based on a read-limited call retrieving the record's email (and which we have instructed the user to make at least "trusted parties").  NB: the system we have in place already requires that email to be verified in the production Hub (calling on the production registry), but this is obviously relaxed in our Test environment (calling on the sandbox registry).

To be clear this change would have no effect on our production Hub, or for federated-identity members in our Test environment.  For everyone else on Test, we'll now have to require them to create sandbox records that are validated with mailinator addresses - that's a new process and a little irksome, but not huge.  For those member organisations where access to mailinator is blocked, we're kind of stumped.

The only hack I can think of is to get these admin users to attempt onboarding to Test, and when they're confronted with the "The Hub cannot verify your email address from your ORCID record." that they stop, and email us with their sandbox ORCID iD.  This has the side effect of creating their user in the Hub's database, so that we can copy/paste the ORCID iD.  They'll then be able to use the now Hub-known ORCID iD to log in.  Obviously that's an inelegant kludge, and educating new-to-ORCID users to a substandard practice.

To paraphrase the reason given for this change, i.e., that the production registry is littered with misleading, if not outright false, email assertions which when public are both visible and being indexed for searching.  

I agree that's undesirable but I guess I'm not sure why the solution is to effectively force unverified email's privacy to private, rather than read-limited; however, our real headache is that this change is affecting sandbox when the given reason is surely irrelevant there.  

Thanks also for the pointer to Trello (and which I'll admit to always struggling to navigate).  As a request, can I ask that anything that's hitting Launchpad and which is going to affect the behaviour or responses we can expect of the API, should get a post here.  

Cheers,
Jason.

   


Liz Krznarich

Apr 30, 2019, 10:44:19 AM
to Jason, ORCID API Users
Hi Jason,

Thanks for the additional detail. A few hours ago we deployed a feature flag that allows us to turn the new 'hide unverified emails' functionality on and off per environment, and we’ve turned it off in sandbox. We plan to keep it disabled in sandbox until further notice, and we'll let you know here in the user group if/when we enable it (either in sandbox or production). We’ll also update our docs about sandbox behavior and privacy settings for emails before we enable it in production.
 

Cheers,
Liz
---
Liz Krznarich 
Tech Lead, ORCID
e.krz...@orcid.org
skype: lizkrznarich
http://orcid.org/0000-0001-6622-4910





Jason

May 2, 2019, 5:44:16 PM
to ORCID API Users
Sincere thanks Liz, 

That's a great outcome as far as we're concerned.

Cheers,
Jason.

Demeranville, Tom

Jul 12, 2019, 7:16:42 AM
to Jason, ORCID API Users
We're planning on turning this feature on in production - as of next week (Wednesday) we will not include unverified email addresses in API responses or the public web view.

Please let us know if this is going to affect your integration.

Tom Demeranville
Product Director
ORCID Inc


Jason

Jul 15, 2019, 6:30:57 PM
to ORCID API Users
Hi Tom, 

Thanks for the heads up.

Off the bat, this won't affect us as we were already testing for '"verified":true' on emails before trusting them.

What we could do with is advice for future proofing.  

Now that the verified flag is effectively redundant for consumers, has any thought been given to not returning it in the response?

Should we stop testing for this in the knowledge that any email we can see will be '"verified":true'?

Best wishes,
Jason.
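
The client-side check discussed in this thread (testing for '"verified":true' before trusting an email for an admin role), as an added example that is not code from the thread, the Hub or ORCID. It fails closed when the flag is missing or not a boolean, so the decision does not depend on what the server filters; the JSON shape, the sample addresses and the function names are assumptions constructed for illustration.

```python
import json

# Constructed sample shaped like an email-list API response. Field names other
# than "verified" are assumptions and do not come from the thread.
SAMPLE = json.loads("""
{"email": [
  {"email": "a.admin@example.org", "verified": true,   "visibility": "LIMITED"},
  {"email": "old@example.org",     "verified": false,  "visibility": "LIMITED"},
  {"email": "noflag@example.org",                      "visibility": "PUBLIC"},
  {"email": "str@example.org",     "verified": "true", "visibility": "PUBLIC"}
]}
""")


def trusted_emails(response):
    """Return lower-cased addresses whose verified flag is exactly boolean True."""
    trusted = []
    entries = response.get("email") if isinstance(response, dict) else None
    if not isinstance(entries, list):
        return trusted  # unexpected shape: fail closed
    for entry in entries:
        if not isinstance(entry, dict):
            continue
        address = entry.get("email")
        # A missing flag, false, or a non-boolean such as "true" is untrusted.
        if (entry.get("verified") is True
                and isinstance(address, str) and "@" in address):
            trusted.append(address.strip().lower())
    return trusted


def may_grant_admin(response, expected_admin_email):
    """Authorise only if the expected address is among the verified ones."""
    return expected_admin_email.strip().lower() in trusted_emails(response)


if __name__ == "__main__":
    print(trusted_emails(SAMPLE))
    print(may_grant_admin(SAMPLE, "A.Admin@example.org"))
```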