Time
S
Nick
Message
04:16
axfelix joined #dataverse
07:19
mbjones joined #dataverse
07:19
mbjones joined #dataverse
07:34
bencomp joined #dataverse
12:49
pdurbin
JonathanNeal: nice chatting with you in #indiewebcamp: http://indiewebcamp.com/irc/2014-07-20/line/1405877298 :)
14:01
mbjones joined #dataverse
14:13
mbjones_ joined #dataverse
14:47
mbjones joined #dataverse
15:12
axfelix joined #dataverse
15:14
JonathanNeal
pdurbin: yes, nice chatting with you, too. I was surprised when you mentioned #dataverse, because I don’t believe I ended up here from #indiewebcamp!
15:15
pdurbin
JonathanNeal: oh, well, I switched the channel name from #dvn to #dataverse
15:24
JonathanNeal
pdurbin: Yes, I remember that recent move, but I’m referring to how I ended up here anyway. I think I came here because I love good data models and was working on a way to organize large, varied groups of data in June/July of 2013.
15:34
* pdurbin
loves good data models too
15:35
pdurbin
JonathanNeal: looks like you joined here: http://irclog.iq.harvard.edu/dvn/2013-10-24#i_3993 (and I'm glad you did!) :)
15:36
JonathanNeal
oh, you invited me, so maybe I did come from indiewebcamp! do you work on dataverse? do you also contribute to indie web camp apps?
15:51
pdurbin
JonathanNeal: I do work on dataverse: https://github.com/IQSS/dataverse/commits/master?author=pdurbin ... indiewebcamp is more of a side interest. related though, I'm into owning my own data
16:48
pdurbin
bencomp: are any of your Shib users potential API users?
16:49
bencomp
pdurbin: yes
16:50
mbjones_ joined #dataverse
16:54
pdurbin
bencomp: and what happens when they leave their university? They can no longer log in via Shib. But their API key still works... sounds like a problem
16:55
pdurbin
balo: you're a shib guy
16:58
* balo
.
16:58
balo
still not really just used in the past :)
16:58
pdurbin
balo: but do you see the problem I'm trying to talk about?
16:59
balo
processing... :D
17:05
balo
so if i understand it correctly: you have the app which can log in users via shib idp. those users can register apps, get api key and use the api with it. then you don't know if the user is still an active user (and could log in or not) and they can use the api
17:05
pdurbin
sort of
17:05
pdurbin
they don't register apps
17:05
pdurbin
well
17:06
balo
i meant api consumer apps :)
17:06
pdurbin
let's just say they want to hack around with curl to start :)
17:06
pdurbin
so they click the "generate api key" button in the gui, which they've logged into via shib
17:06
balo
yeah, it's the same
17:06
pdurbin
now they have an api key
17:06
balo
that's a tough question, indeed
17:07
pdurbin
oh good ;)
17:10
balo
imho you will need a service application above the user storage for that. a simple api for example. which can tell that a user has a permission or not
17:10
balo
i'm thinking about it hard
17:10
pdurbin
balo: I'll have a diagram to show everyone in a bit
17:17
balo
maybe if the api keys are in the same user storage as the users (or at least the idp can read from it) you can write a custom login handler for usernames + api keys. but i'm not really sure you can authenticate users without browser redirections
17:20
balo
meh, they wrote an ugly browser authenticator to emulate the browser: http://predic8.com/shibboleth-web-services-sso-en.htm :D
17:20
pdurbin
hmm. maybe the question is... how would one use `curl` with shib anyway? like you said... typically a browser is involved
17:22
bencomp
I'll read up later - time to go home and eat
17:22
balo
afaik you can't. shib should have a REST api like OpenAM
17:23
balo
the best would be to leave shib out of this game
17:23
balo
if you have control over the user datastore and you can write a restricted webservice to solve this issue...
17:26
balo
but i understand your use-case and it sounds legit
17:26
pdurbin
ok, here's the latest proposal diagram: https://raw.githubusercontent.com/IQSS/dataverse/master/doc/Architecture/UsersAndGroups.png
17:27
pdurbin
we just updated this as well: https://github.com/IQSS/dataverse/blob/master/doc/Architecture/auth.md
17:27
pdurbin
JonathanNeal: ^^
17:30
pdurbin
balo: are you suggesting Shib users shouldn't be allowed to generate an API key for themselves?
17:30
balo
<off> the btw I moved to Brno for 2months and now I'm working for RedHat as an intern :)
17:31
balo
oh, i assume then you have to deal with multiple idp-s? :D
17:32
pdurbin
yes. multiple IdPs
17:32
pdurbin
all the IdPs ;)
17:34
balo
yeah, that makes sense for dataverse. then you can't do much about it :/
17:34
pdurbin
yeah
17:34
balo
maybe you can ask them to validate every 6 months with a login
17:34
balo
you just deactivate them after lastlogin+6month
17:35
balo
if that's acceptable
17:36
pdurbin
balo: that was my thought! every 6 months :)
17:37
balo
yeah, kind of makes sense if we talk about students :)
17:39
pdurbin
yeah
17:39
pdurbin
for now I've linked to this chat here: https://github.com/IQSS/dataverse/commit/b39f51bdd454ed6255c793ea8540f41e02b90206#commitcomment-7084661
17:49
pdurbin
oh good, a reply on that comment already :)
17:52
balo
yep, but it's the same problem. every idp can use their own kind of ldap, and nobody will implement / provide interface for this kind of information
17:54
pdurbin
yeah. laws in place to prevent querying of ldap directories and such
20:11
mbjones joined #dataverse
20:15
mbjones joined #dataverse
20:16
mbjones joined #dataverse
20:17
mbjones joined #dataverse
20:20
mbjones joined #dataverse