Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bona fide referer workflow; implement bonafidebot #1523

Closed
7 tasks done
opqdonut opened this issue Aug 22, 2019 · 10 comments
Closed
7 tasks done

Bona fide referer workflow; implement bonafidebot #1523

opqdonut opened this issue Aug 22, 2019 · 10 comments
Labels
Elixir Organization

Comments

@opqdonut
Copy link
Contributor

opqdonut commented Aug 22, 2019

We need to support applying for a bona fide status. The application should work roughly like this:

  • User applies for a bona fide catalogue item in REMS and names a referer (who should already have an idp-provided bona fide status)
    • Form should have: referer email address, free text field, and a license
  • Referer should get an email, and be able to approve/reject the user once logged in to REMS
  • If the referer approves, the application is approved and an entitlement to the bona fide resource is granted
  • Elixir AAI reads the bona fide entitlement from REMS (via permission API Implement ELIXIR Permissions API #1319)
    • This should be a ResearcherStatus visa with "by": "peer"
  • Bona fide status is pushed to Elixir via an API (Pushing bona fide status #2513)
  • Sometime later a super-user (or rather, a human handler for the workflow in question) can log in and close or revoke the application thus ending the entitlement and bona fide status (e.g. does not trust person anymore)

Plan:

  • bona fide status is modeled as a catalogue item with a default workflow that has bonafidebot as handler
  • bonafidebot sends a decision request by email to the given address (like review request Reviewer/decider invitation #2040)
  • the referer clicks on the link in his email, logs in, and his bona fide status (or lack of it) is sent by Elixir AAI to REMS (requires Configurable extra user attributes #2130 Reading bona fide status from IDP #2142).
    • The referer is given the decider role for the application.
  • bonafidebot waits for the decision from the referer, verifies the situation and responds with a clear message
    • possibility for bots to return (error) messages to the user directly (split out to Bona fide bot UX improvements #2511)
    • bonafidebot approves when decider approves and has bona fide status
    • bonafidebot rejects when decider rejects
    • bonafidebot rejects when decider does not have bona fide status
      • or perhaps the application should be left waiting and the referer can try to get a bona fide status and try again?
  • customize email text for decision request (currently it's a generic "Bonafide Bot has requested a decsion from you ...") (split out to Bona fide bot UX improvements #2511)
    • one option is to just use extra-translations to override the email text for the bonafide rems instance
  • generating ResearcherStatus visas (in addition to the current ControlledAccessGrants visas) (split out to Pushing bona fide status #2513)

Notes and questions:

  • Later, bonafidebot could be an external integration that uses event notifications (instead of a REMS core feature) (Event notifications #2095)
  • No bot is needed if the decision request command handler checks the bona fide status
    however, the bot solution allows us to isolate the bona fide -related code in one place.
  • Display a message that the user does not have bona fide status when trying to approve? This would require specific code and break the isolation. A bot message would not.
  • A review request or decision request? A decider is more natural to have the other close/reject commands than just a reviewer.
  • There are separate idp-provided bona fide status, and REMS-provided bona fide status
    • Clarify: Can someone who has received bona fide status from REMS give out further bona fide statuses after relogging (when idp can see from REMS they have bona fide)?
      • Answer: No
  • Idea: workflow could restrict which groups (via user attributes) can can act as decider (kinda similar to Pre-defined deciders for decider workflow #2069)
    • This would allow for a nicer UX in the case where the referer does not have the right bona fide status
@opqdonut
Copy link
Contributor Author

Awaiting decision / spec.

@Macroz Macroz added Epic Too big, should be split and removed Blocked labels Oct 24, 2019
@Macroz
Copy link
Collaborator

Macroz commented Oct 24, 2019

Let's plan this further by splitting into separate tasks. Not blocked i.e. required feature and planning can proceed and waits implementation.

Bot can be suitable for this.

Should decision request (or comment request) always allow adding by email that sends an invitation to REMS? It is likely that at the beginning of any REMS instance, the people have not yet logged in to REMS so won't be available in the autocomplete because they are not in the users table.

@opqdonut
Copy link
Contributor Author

opqdonut commented Apr 28, 2020

Architecture idea:

bonafidebot can either be in REMS, or an external intergration that uses event notifications (#2095)

Other ideas:

  • no bot is needed if the decision request command handler checks the bona fide status
    • however, the bot solution allows us to isolate the bona fide -related code in one place

@mikael-linden
Copy link

For good usability, REMS should not allow the decider to approve an application if they don't have the bona fide status themselves. Instead, it should provide an informative message to the user why they can't approve the application.

Notice also that there are two ways to receive the bona fide status:
(1) User's Home Organisation (its IdP) tells the user is a researcher.
(2) A user qualifying to (1) vouches for the bona fide status (via this REMS feature)
In other words, the endorsement chain has just one link; a person who has received their bona fide qualifications via endorsement in REMS cannot endorse other persons. This feature is done by the IdP releasing proper bona fide status attribute. The REMS implementation must just check the endorser's bona fide status from the IdP's attribute and not from its internal database.

@opqdonut
Copy link
Contributor Author

Yes, thanks for the clarification, that was our understanding too.

The message is also a good point.

@Macroz Macroz added the Blocked label Apr 28, 2020
@Macroz
Copy link
Collaborator

Macroz commented Apr 28, 2020

Waiting for a couple tasks and review in meeting this week. Plan seems possible with no big issues. I updated the task to reflect the general understanding.

@Macroz Macroz changed the title Referer Referer (bona fide) Apr 28, 2020
@opqdonut opqdonut added the Elixir Organization label Apr 30, 2020
@jaakkocsc jaakkocsc added this to the ELIXIR Bona Fide milestone May 7, 2020
@opqdonut opqdonut changed the title Referer (bona fide) Bona fide referer workflow; implement bonafidebot Aug 31, 2020
@opqdonut opqdonut removed Blocked Epic Too big, should be split labels Aug 31, 2020
@opqdonut opqdonut self-assigned this Nov 24, 2020
@opqdonut opqdonut removed their assignment Dec 3, 2020
@jaakkocsc
Copy link
Collaborator

We've now received API credentials on ELIXIR AAI for pushing the bona fide grants. But no clear spec on what to push yet.

@jaakkocsc
Copy link
Collaborator

jaakkocsc commented Dec 18, 2020

An example content to push:
{ "jku": "https://login.elixir-czech.org/oidc/jwk", "kid": "rsa1", "typ": "JWT", "alg": "RS256" } { "sub": "[email protected]", "ga4gh_visa_v1": { "asserted": 1588240500, "by": "peer", "source": "https://elixir-europe.org/", "type": "ResearcherStatus", "value": "https://doi.org/10.1038/s41431-018-0219-y" }, "iss": "https://login.elixir-czech.org/oidc/", "exp": 1639478414, "iat": 1607942414, "jti": "1f2aec8f-7a5b-4200-8dbb-23048f8fb420" }

@jaakkocsc
Copy link
Collaborator

Approved push spec is very simple: we just pass the elixir-id as an URL parameter and that's it:
https://perun.elixir-czech.cz/rems/?elixirid={elixir_user_id}

@opqdonut
Copy link
Contributor Author

opqdonut commented Jan 7, 2021

moved leftovers to #2511 #2513

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Elixir Organization
Projects
Archived in project
Development

No branches or pull requests

4 participants