Delegating ORCID Tokens

This is the final blog posting arising from the ORCID Delegation workshop held on the 10th October at Jisc in London (with representatives from Oxford, Imperial, Leeds, LSE, ORCID and Jisc). The previous blogs (Delegating ORCID Tokens – background, Revoking ORCID tokens) covered other incidental outcomes, so I will now get to the main topic – the fact that institutional ORCID users needed to explicitly grant access to third party suppliers in addition to their own institution. This behaviour has a number of undesirable side effects (repeating myself somewhat):

• Communicating this to users can be difficult since they are not always aware of these third parties
• Getting consistent takeup across multiple systems can be difficult (user loses interest) which makes downstream integration more awkward than necessary
• Institution has little visibility of these third party interactions – which can cause problems when suppliers are dropped or other issues arise
• The only way currently round this is to let a supplier use the institutional key – which however then grants them *ALL* the rights can access that the institution has

ORCID uses the OAuth(2) mechanism for authentication and authorization. OAuth already provides the functionality that will allow an institution to generate secondary tokens for third parties and subsequently revoke them:

• When an ORCID owner authorises institutional access, the institution receives two digital tokens:
  • The access token acts as a “key” that is used to access ORCID data via the ORCID API
  • The refresh token can be used to request additional tokens via the OAuth API
• There are two primary ways that the refresh token can be used:
  • To request a new access token when it nears expiry, invalidating the current access token – this has been discussed in the previous posting on revocation
  • To request an additional access token which may have reduced permissions and/or differing expiry, which leaves the current access token intact
• Multiple additional tokens can be requested
• Additional tokens can be invalidated in a similar way to regular access tokens

Obviously, this additional token mechanism is exactly what is required to allow delegated access to third parties. The issue is that there is no standard mechanism for a third party to know that they should go to an institution to get a token instead of ORCID themselves, nor is there a standard way for an institution to deliver that that token securely. There are several approaches to solving this issue:

• ORCID keeps track of additional tokens requested and who they are intended for, and issues them when requested.
  • ORCID will need API enhancements to allow institutions to indicate which tokens are for which supplier (and for a supplier to indicate which institution’s token they require)
  • These enhancements are likely to be ORCID specific rather than vanilla OAuth2 so existing code libraries will not exist
  • Institutions will need to implement and use this API, which may involve rather more information release than is desirable
  • Supplier will need to implement and use this API
  • It is unclear how a person with multiple institutional affiliations might be handled without adding significant complexity
  • Short lived tokens would require a three-way interaction between supplier, institution and ORCID – this will be complex and is unlikely to scale effectively
• Institutions provide an endpoint which the third party always contacts when it needs an access token.
  • This could be implemented as an OAuth2 proxy type of service, which could forward token requests to ORCID on behalf of the institution if an additional token does not already exist, or return an institutional token if the institution in question was not interested in delegation. If developed as a standardised packaged software appliance suitable for running on virtual or cloud infrastructures this could be deployed at an institutional level with minimal effort.
  • Institutions could automatically request and issue short lived tokens relatively easily
  • Institutions retain control over third part interactions
  • Institutions would need a secure (SSL, VPN etc.) network channel to the supplier. This is quite likely to exist already, in practice
• A third party could maintain a shared proxy-type service for use by multiple organisation
  • This would add another party that needs to be trusted into the interaction, adding effectively a second level of delegation.
  • Cost saving against a locally deployed appliance (as described above) may be minimal when the additional complexity of management is taken into account

Ideally, to make the system robust and workable, ORCID owners should have a verified institutional affiliation (or more than one if necessary) attached to their account so that a third party supplier knows who to contact for a delegation token (either directly or via ORCID). Otherwise, another mechanism would need to be found to indicate which institutions can issue tokens for a particular ORCID owners, which would be somewhat redundant. This relationship would also need to be deasserted promptly when the relationship ends. Any of these approaches will require some investment of effort by both ORCID and member institutions for development and ongoing maintenance. The key questions for the community are thus:

1. Primarily, whether there is sufficient interest and desire for a solution to the delegation problem for such an investment to be worthwhile
2. Secondarily, which route is the preferred one. On initial analysis on the day of the workshop, the feeling of the group was that an institutional proxy appliance seemed to be the most attractive option.

As a footnote, Will Simpson of ORCID noted during the meeting that using additional tokens internally for different systems within the institution was also a valid use case in that it allowed ORCID to separate requests from different sources in their logs. This greatly simplifies troubleshooting problems with interactions with multiple institutional systems.

This posting originally appeared on the UK ORCID Consortium blog.

ORCID Token Revocation

At the last Cultivating ORCIDs Meeting in Birmingham in June 2017, I ran a working group looking at different approaches to implementing ORCID IDs. One of the outcomes was the identification of a common issue when it came to ORCID implementations and third party suppliers, namely, that institutional users needed to explicitly grant access to third party suppliers in addition to their own institution. This behaviour has a number of undesirable side effects:

• Communicating this to users can be difficult since they are not always aware of these third parties
• Getting consistent takeup across multiple systems can be difficult (user loses interest) which makes downstream integration more awkward than necessary
• Institution has little visibility of these third party interactions – which can cause problems when suppliers are dropped or other issues arise
• The only way currently round this is to let a supplier use the institutional key – which however then grants them *ALL* the rights can access that the institution has

On the 10th October a small group of interested parties (with representatives from Oxford, Imperial, Leeds, LSE, ORCID and Jisc) were hosted by Jisc in a small gathering to look at this issue and identify a possible route forward for consideration by the UK ORCID Consortium.

At the meeting, Will Simpson of ORCID presented a very useful non-technical overview of how authentication and ORCID/OAuth tokens worked in terms of managing access permissions. Discussion then moved on to the main topic of how ORCID permissions might be delegated to third party providers and, in particular, how to handle the termination of third party arrangements. During these discussions, Will indicated that support for the optional OAuth functionality for token revocation was being considered by ORCID. OAuth is the technology/standard that ORCID uses for authorisation/access control. At the moment, tokens are granted by default for 20 years, or 1 hour for effectively single, short term, use. Naturally, neither of these match the typical duration of a scholar’s relationship with an institution. Minimising the number of active tokens would be good from both a security and “data hygiene” standpoint, so the ability for an institution to relinquish their token when a scholar leaves would be useful in its own right. Scholars can revoke their tokens manually when they leave but it is unrealistic to rely on them to remember to do so.

At the moment, it is possible to work around this situation by making creative use of the OAuth token refresh facility. This functionality is important since it is what will allow an institution to grant tokens to a third party on behalf of an individual researcher (which will be explored in the next posting), but, in this context, it does provide a slightly unorthodox method for effectively relinquishing a token. Intended for use when an existing token nears expiry, a replacement token may be requested with a new expiry date which then invalidates the previous token. However, this can *actually* be done at any time and a 20-year token *can* be replaced by a 1 hour token which can simply be allowed to expire, resulting in no active tokens.

This is a concatenation of two articles posted on the UK ORCID Consortium blog.

Data2paper Poster for 10th RDA Plenary

Data2paper is a cloud-based application to automate the process of compiling and submitting a data paper to a journal without the researcher having to leave the research space or wrestle directly with the journal’s submission system.

Serving the wider research community, data2paper works with academic institutions, publishers, data repositories, funding agencies and organizations interested in research and scholarly communication. Data2paper aims at progressing data papers, enabling data re-use and giving researchers credit for their data.

The development of the original idea was funded as part of the Jisc Data Spring initiative.

SWORDV3 Poster for 10th RDA Plenary

SWORD (Simple Web-service Offering Repository Deposit) is a lightweight protocol for depositing and updating content from one location to another. The SWORD vision is ‘lowering the barriers to deposit‘, principally for depositing content into repositories, but potentially for depositing into any system which wants to receive content from remote sources.

The SWORDV3 project has been funded by Jisc with two key aims for the next generation of the SWORD Protocol:

• To bring SWORD up-to-date with the developments in the repository sphere in the last 5 years, with alignment to new protocols and new use-cases such as data publishing and complex objects.
• To establish community and governance mechanisms for the standard and supporting code libraries to ensure ongoing maintenance and evolution. This will include a technical validation process to allow third party libraries to be hosted under the SWORD brand.

In September, the project was formally announced at PASIG 2017 in Oxford and the RDA 10th Plenary in Montreal. We are looking for expressions of interest in becoming involved as stakeholders in the project: to make suggestions, review activities and meet as required over the coming months. In particular, we are interested in making contact with people who may wish to develop SWORD V3 libraries for their preferred platforms or languages since we aim to provide some support for such activities during the project. Please contact one of the project team  if you are interested in participating, and indicate if you are interested in the technical or community aspects of the project (or both!).

The key members of the project team are:

• Dom Fripp – Jisc (Funder) – Project Manager, SWORD user through the Jisc Research Data Shared Service
• Richard Jones – Cottage Labs Ltd – Technical Lead, SWORD contributor and implementer
• Neil Jefferies – Bodleian Libraries, University of Oxford – Community Lead, SWORD user through Data2paper project (and internally within the Bodleian Library)