Clear requirements and instructions needed on connecting with the CLARIAH authentication infrastructure

[proycon]

I think we as a group need to put out clear instructions for developers/devops on how to to connect their service to the CLARIAH infrastructure, and clear requirements for software developers about what technologies need to be implemented to connect to this infrastructure (= OAuth2+OpenID Connect).

Internally at HuC I found https://confluence.socialhistoryservices.org/display/HucDI/Satosa , which goes a great job already at describing most aspect, but is not a public resource I think. @janpieterk I don't know if there's already public documentation elsewhere? It may well be that I'm missing things that have already been done.

All the endpoints need to be properly listed somewhere as well. After some searching I found that https://authentication.clariah.nl/.well-known/openid-configuration produces a decent specification, but we need something more accessible.

I also want to raise the point that we need a clearly described procedure to register new clients, whether that it is automatic or human-mediated.

[proycon]

I would suggest we provide some instructions for some common OpenID Connect clients as well, I can provide the necessary info for CLAM, LaMachine, and for Django (via mozilla-django-oidc) in general.

[jblom]

@proycon describing this properly would indeed be a valuable "product" for the CLARIAH (tech) community. I could contribute by sharing:

• how the Media Suite as a service was connected to the CLARIAH auth system (so connected IdPs can login)
• how B&G & CWI as an organisation were added to the CLARIAH auth system (so these new IdPs gain access to CLARIAH services)
• also I could partly go into how user consent is handled (first time login, users are asked to share some attributes with CLARIAH)
• also I could mention a bit how there is not a central authorization mechanism, but this needs to be currently handled by each service itself

I would definitely need some help from @janpieterk as well to be able to paint the full picture, but I'd say I can mention most of the requirements & steps from the CLARIAH service (that wants to be connected to CLARIAH authentication) perspective.

[ddeboer]

The availability of an OIDC-compatible IdP has become relevant for Netwerk Digitaal Erfgoed as well, particularly in our Solid-based collection registration system Solid CRS.

• Does CLARIAH already have an OIDC IdP running that we can use?
• Would extending that provider with Solid capabilities make sense to other parties as well?

[proycon]

@jblom: That would be great yes, I can do the same from a LaMachine perspective. But indeed the ball is first and foremost in the court of @mmisworking and @janpieterk as the service providers to document and disseminate the service.

@ddeboer: So yes, there is an actual OIDC IdP running at KNAW HuC (using Satosa), for CLARIAH as a whole: authentication.clariah.nl. It works quite nicely. But the fact that it's not publicly documented or actively shared by CLARIAH yet led to me open this issue.

(regarding your Solid question, I didn't know about that yet so I can't answer that, will leave it up to @mmisworking and @janpieterk )

[janpieterk]

Will look into it with https://github.com/jblom. Jaap: I will contact you directly. JP

…

-- KNAW Humanities Cluster (Afdeling Digitale Infrastructuur) Oudezijds Achterburgwal 185 / Postbus 10855 / 1001 EW Amsterdam tel. 020-4628509 ***@***.*** aanwezig: ma-di, do-vr

Op 14 jun. 2021, om 13:08 heeft Jaap Blom ***@***.***> het volgende geschreven: I would definitely need some help from @janpieterk as well to be able to paint the full picture, but I'd say I can mention most of the requirements & steps from the CLARIAH service (that wants to be connected to CLARIAH authentication) perspective.

[proycon]

just for future reference: @janpieterk and @jblom are working on this in the connect-service-4auth branch of this repo.

[ddeboer]

#7 was merged. Can we close this issue or is there more to be done?