Permissions Preauthorization Technical Working Group

Summary

ORCID has identified that our users would like the ability to proactively grant all (or a subset of) member organizations permission to modify their record, removing the burden of directly interacting with each of our currently 800+ members - and so would our members.

The Permissions Pre-Authorization Technical Working Group (PPTWG) is charged with reviewing the proposed proactive permissions workflows and providing technical advice on implementation options. The group will consider the following questions:

  • What risks are there in providing proactive permissions?
  • How can these risks be mitigated?
  • How should users request preauthorization?
  • How should preauthorization tokens be generated and transmitted?

The intended output is a short report addressing these questions and making a recommendation on how to best handle generation and transmission of pre-authorized permissions tokens used to access a user’s ORCID record.

Background

To date ORCID has relied on the OAuth2 framework, which relies on the resource owner being part of a flow that results in a token that allows access to that resource (for a quick review of common OAuth2 flows see this article). The desired new functionality takes ORCID outside of common OAuth2 norms and, therefore, requires extra consideration and a community-driven recommendation.  A selection of technical workflows for exchanging security tokens will be presented to the group for discussion.  The PPTWG will address the technical considerations around how to accomplish secure pre-uthorization. User experience, policy, and legal considerations are outside the remid of thisi group; they will be considered ORCID Trust Working Group.

Membership

This ad hoc group was initiated by ORCID’s Executive Director and Technical Director.  Membership is voluntary, and consists of individuals who have an interest in the topic, and who have technical and practical knowledge of APIs, authentication, encrypted token exchange, user-granted permissions, OAuth2, OIDC, and symmetric and asymmetric encryption.  The group will be chaired by Simeon Warner, a member of the ORCID Board and Director of Library Linked Data and Repository Architecture at Cornell University Library. Simeon will be supported by Rob Peters, the ORCID Technical Director. 

ORCID will recognize other group members on this page as they join.

Structure and Process

We expect PPTWG members to attend four one-hour web meetings over the course of two months, and to dedicate about four hours to reviewing documents outside of the meetings. ORCID will generate draft documents, provide staffing and logistical support, and take meeting notes.

  • Meeting 1: Introduce members and review group charge. Discuss problem being addressed and review proposed workflow. Initial discussion of risks.   Homework: Comment on the proposed workflow.
  • Meeting 2: Discuss options for generating and transmitting pre-authorization tokens. Homework: Comment on options paper.
  • Meeting 3: Discuss proposed solutions/recommendations, and determine associated risks and mitigations. Homework: Comment on draft recommendation.
  • Meeting 4: Finalize recommendation.

To encourage a “safe space” for frank conversations, discussions during meetings and online conversation will be kept confidential; meetings and other communications, including document comments, will be considered closed. 

Progress and Reports

As with other ORCID topic groups, activity, status and outcomes of the group will be shared with the ORCID Board.  The group will together determine what can and should be shared more broadly with the community.

Public outputs of the PPTWG will be added to this page and announced on the ORCID blog when finalized.

Contact

For additional information about the working group, please contact us.