OpenAIRE Authentication - Authorization
In OpenAIRE there are 4 types of Authorities:
- Special Authorities such as PORTAL_ADMINISTRATOR or CLAIMS_CURATOR etc.
- Curator of entities with a specific type (e.g CURATOR_COMMUNITY, Curator of communities)
- Manager of an entity (e.g FUNDER_EC_MANAGER, Manager of Funder EC (European Commission)
- Member of an entity (e.g FUNDER_EC, Member of Funder EC)
Type
Type can be any type defined from OpenAIRE such as community, funder, ri (Research Initiatives), institution, project, datasource etc.
ID
ID is any identifier or alias used by OpenAIRE services to identify an entity such as ec (EC - European Commission), egi (EGI - European Grid Infrastructure) etc.
OpenAIRE services are using Spring Security to authenticate users and check their authorities in OpenAIRE entitities. All these services are sharing a Spring Session through a Redis Database, which is created from OpenAIRE Login Service where a user authenticates himself through AAI Single Sign On Service. The Session contains an OIDCAuthenticationToken Object from MitreId-Connect.
Role Management
This web service provides 4 controllers with methods to create, assign or revoke roles from users and retrieve information of users with a specific Authority. If Authorities' list of a user has been changed, then his active sessions will be updated automatically from this service. There are two options in order to update user's Authorities.
- Give a header named Session with value the session id.
- Give user's email. If this parameter is present then it has priority.
Admin Controller ("/admin")
Authority format: (TYPE)_(ID)_MANAGER, user must have Authority (TYPE)_(ID) in order to acquire this Authority.
| Method | Path | Path Variables | Params | Description |
|---|---|---|---|---|
| DELETE | /{type}/{id} | type: Type of Entity, id: ID of Entity | email: Email of user (optional) | Remove Authority (TYPE)_(ID)_MANAGER from user(s) with this email or logged in user, if email isn't provided. |
| GET | /{type}/{id} | type: Type of Entity, id: ID of Entity | email: Set to false to hide email information, default: true, name: Set to false to hide name information, default: true | Retrieve information of users with Authority (TYPE)_(ID)_MANAGER. |
| POST | /{type}/{id} | type: Type of Entity, id: ID of Entity | email: Email of user, force: if true and Authority (TYPE)_(ID) doesn't exist or user has not Authority (TYPE)_(ID), the Authority will be created and assigned to user, default: false | Assign Authority (TYPE)_(ID)_MANAGER to user(s) with this email or logged in user, if email isn't provided. |
Curator Controller ("/curator")
Authority format: CURATOR_(TYPE)
| Method | Path | Path Variables | Params | Description |
|---|---|---|---|---|
| DELETE | /{type} | type: Type of Entity | email: Email of user (optional) | Remove Authority CURATOR_(TYPE) from user(s) with this email or logged in user, if email isn't provided. |
| GET | /{type} | type: Type of Entity | email: Set to false to hide email information, default: true, name: Set to false to hide name information, default: true | Retrieve information of users with Authority CURATOR_(TYPE). |
| POST | /{type} | type: Type of Entity | email: Email of user, force: if true and Authority CURATOR_(TYPE) doesn't exist, the Authority will be created, default: false | Assign Authority CURATOR_(TYPE) to user(s) with this email or logged in user, if email isn't provided. |
| POST | /{type}/create | type: Type of Entity | description: Desciption of Authority CURATOR_(TYPE) (optional) | Create Authority CURATOR_(TYPE). |
Member Controller ("/member")
Authority format: (TYPE)_(ID)
| Method | Path | Path Variables | Params | Description |
|---|---|---|---|---|
| DELETE | /{type}/{id} | type: Type of Entity, id: ID of Entity | email: Email of user (optional), force: if true and user is admin of this enity then both roles will be removed, default: false | Remove Authority (TYPE)_(ID) from user(s) with this email or logged in user, if email isn't provided. |
| GET | /{type}/{id} | type: Type of Entity, id: ID of Entity | email: Set to false to hide email information, default: true, name: Set to false to hide name information, default: true | Retrieve information of users with Authority (TYPE)_(ID). |
| POST | /{type}/{id} | type: Type of Entity, id: ID of Entity | email: Email of user, force: if true and Authority (TYPE)_(ID) doesn't exist, the Authority will be created, default: false | Assign Authority CURATOR_(TYPE) to user(s) with this email or logged in user, if email isn't provided. |
| POST | /{type}/{id} /create | type: Type of Entity, id: ID of Entity | description: Desciption of Authority (TYPE)_(ID) (optional) | Create Authority (TYPE)_(ID), along with (TYPE)_(ID)_(MANAGER). |
Super Admin Controller ("/super")
Methods to create other roles, regardless the previous schema.
| Method | Path | Path Variables | Params | Description |
|---|---|---|---|---|
| POST | /create | - | name: Name of Authority description: Desciption of Authority (optional) | Create Authority with this name e.g Test Authority will be TEST_AUTHORITY. |
| POST | /assign | - | email: Email of user | Assign Authority PORTAL_ADMINISTRATOR to user(s) with this email or logged in user, if email isn't provided. |
| DELETE | /remove | - | email: Email of user | Remove Authority PORTAL_ADMINISTRATOR from user(s) with this email or logged in user, if email isn't provided. |