Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use case: allow applications access; applications can create annotations on behalf of application users #37

Open
jblom opened this issue May 8, 2023 · 0 comments
Open

Use case: allow applications access; applications can create annotations on behalf of application users #37

jblom opened this issue May 8, 2023 · 0 comments
Assignees
@brambg
Labels
enhancement New feature or request

Comments

@jblom
Copy link

jblom commented May 8, 2023

To make it very explicit: the goal is to enable mediasuite.clariah.nl to work directly with AnnoRepo, so no import/export is required between the MS and AnnoRepo (which would be very useful for other applications as well).

One thing that stands in the way currently is that AnnoRepo only seems to support individual users:

  • users can get an API key
  • users can CRUD their own annotations
  • users can give other users access to annotations (or just via annotation containers only?)

This should be fine for individual users, but not for applications that should be able to create annotations on behalf of (known, logged in) users, e.g. in the following way:

  • application can get an API key
  • application can CRUD annotations on behalf of user (annotation will then be OWNED by user)
  • for each call the application should send the OpenID access_token of the user
  • AnnoRepo checks the access_token with SATOSA (is the user logged in)

I guess the consequence is that AnnoRepo either grants a:

  • API key for user (and simply ties that key to a AnnoRepo user)
  • API key for an application (and expects each request to include the API key + an OpenID access_token

A consequence of this is:

  • MS user x created a bunch of annotations
  • MS user x now wants to work directly with AnnoRepo to do some sort of analysis
  • When requesting an API key, the user must first login using SATOSA, so AnnoRepo can figure out for which user the API key is for.

So when considering this, it seems to make sense to have:

  • a CLARIAH user gets an API key tied to their SSO ID (by logging into SATOSA first); however AnnoRepo does not expect an access_token, since users won't implement this (e.g. in their Jupyter notebooks)
  • a "homeless user" gets a "simple" API key (no access_token expected)
  • an applications gets an API key (AnnoRepo always expects an access_token in the payload)

Ok these are some first thoughts on how this could work.

Note that: the Media Suite has implemented the so-called Authorization code flow, using the aforementioned access_tokens (and btw refresh_tokens), that enables applications to call APIs on behalf of a user.
@brambg brambg self-assigned this May 10, 2023
@brambg brambg added the enhancement New feature or request label May 10, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@brambg brambg

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jblom @brambg