Existing OAuth users API OIDC Authentication#11671
Merged
ofahimIQSS merged 16 commits intodevelopfrom Aug 25, 2025
Merged
Conversation
…ing OAuth users WIP
GPortas
changed the base branch from
develop
to
11605-existing-external-users-api-auth
GPortas
force-pushed
the
11645-old-oidc-users-api-auth
branch
from
d6b36ef to
4697002
Compare
This comment has been minimized.
This comment has been minimized.
3 similar comments
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
GPortas
changed the base branch from
11605-existing-external-users-api-auth
to
develop
…UserByOIDCBearerToken
This comment has been minimized.
This comment has been minimized.
1 similar comment
This comment has been minimized.
This comment has been minimized.
…dc-users-api-auth
…nged the expected received idp claim name for both Shib and OAuth users
…-use-oauth-user-on-id-match turned on
This comment has been minimized.
This comment has been minimized.
1 similar comment
This comment has been minimized.
This comment has been minimized.
GPortas
added
Size: 10
Contributor
Author
|
Waiting for #11622 to be merged |
GPortas
added
the
Status: Waiting for Related Issues/PRs
This comment has been minimized.
This comment has been minimized.
…dc-users-api-auth
GPortas
removed
the
Status: Waiting for Related Issues/PRs
This comment has been minimized.
This comment has been minimized.
pdurbin
approved these changes
Aug 21, 2025
| - Allows the use of a Shibboleth user account when an identity match is found during API bearer authentication. This feature enables automatic association of an incoming IdP identity with an existing Shibboleth user account, bypassing the need for additional user registration steps. This feature only works when the feature flag ``api-bearer-auth`` is also enabled. **Caution: Enabling this flag could result in impersonation risks if (and only if) used with a misconfigured IdP.** | ||
| - ``Off`` | ||
| * - api-bearer-auth-use-oauth-user-on-id-match | ||
| - Allows the use of an OAuth user account (GitHub, Google, or ORCID) when an identity match is found during API bearer authentication. This feature enables automatic association of an incoming IdP identity with an existing OAuth user account, bypassing the need for additional user registration steps. This feature only works when the feature flag ``api-bearer-auth`` is also enabled. **Caution: Enabling this flag could result in impersonation risks if (and only if) used with a misconfigured IdP.** |
Member
There was a problem hiding this comment.
I'm confused. What is the impersonation risk? 🤔
Contributor
Author
There was a problem hiding this comment.
If the OIDC claims include an identity provider ID and a user ID that match an authenticated user in Dataverse, but the provider that issued the claims is not actually the one that originally created that user, this would represent an impersonation issue. However, as mentioned in the docs, this scenario can only occur if the IdP is misconfigured.
github-project-automation
Bot
moved this from In Review 🔎
to Ready for QA ⏩
in IQSS Dataverse Project
Co-authored-by: Philip Durbin <philip_durbin@harvard.edu>
Co-authored-by: Philip Durbin <philip_durbin@harvard.edu>
This comment has been minimized.
This comment has been minimized.
1 similar comment
|
📦 Pushed preview images as 🚢 See on GHCR. Use by referencing with full name as printed above, mind the registry name. |
Contributor
|
tested using github account - looks good to me. Merging. |
github-project-automation
Bot
moved this from QA ✅
to Merged 🚀
in IQSS Dataverse Project
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What this PR does / why we need it:
Introduces a mechanism that allows linking incoming bearer tokens with the following existing OAuth accounts: Google, ORCID, and GitHub.
This mechanism is enabled through the new
api-bearer-auth-use-oauth-user-on-id-matchfeature flag.The behavior of
api-bearer-auth-use-shib-user-on-id-matchhas also been modified, now expecting the Shibboleth IdP provider id comes from the claim namedidpinstead ofShib-Identity-Provider, since the idp claim is common to both Shibboleth and OIDC IdPs within the scope of CILogon.Which issue(s) this PR closes:
Special notes for your reviewer:
This branch is including the changes from #11622.
Suggestions on how to test this:
Open the QA server Single Page Application (SPA) at: https://qa.dataverse.org/spa
On CILogon, Log in using one of the supported OAuth providers: Google, ORCID, or GitHub.
To test the behavior for an existing account, ensure that the Google, ORCID, or GitHub account you use was already registered in Harvard Dataverse.
Does this PR introduce a user interface change? If mockups are available, please link/include them here:
No
Is there a release notes update needed for this change?:
Yes, attached.
Additional documentation:
None