[CWB] Support OIDC authentication, please

Hardie, Andrew a.hardie at lancaster.ac.uk
Thu Jul 18 17:05:31 CEST 2024


Hi Martin,

All interesting. A couple of points...

I wouldn't want to implement this on the Lancaster server, since most of our users are external to Lancaster University, and lots aren't at any university. (Plus cqpweb.lancs.ac.uk usually runs the bleeding edge code, so not always sensible to trust it to play nicely with external services.) So I'm viewing this possible feature as something that would be added for others, not myself.

The headache is then that it is not a matter of dealing with a single institutional system, but rather with whatever range of systems are relevant to whoever might want to implement it on their CQPweb server, while maintaining the possibility of not using any external system at all. So really, the task would be:


  1.  Learn all about the subject area. (I really don't know anything. E.g., I have no idea about Shibboleth at all, beyond having vaguely heard of it.)
  2.  Set up a separate dev / test server
  3.  Amend the code so that it can either use the internal login system, or an institutional system. (Or both at once??)
  4.  One thing I'm particularly worried about here is the possible need for a major rewrite of the existing user account system to allow it to co-exist with a federated system. That would be no fun at all, to put it mildly. (BTW, BNCweb uses Apache authentication, but CQPweb doesn't - user accounts, login, etc. are all managed internally, and the user account system is interlinked with everything in the codebase pretty much.)
  5.  Amendments would have to include, for federated login, auto account creation on the system, since account specific info like query history, defined subcorpora, uploaded corpora etc. can't be ephemeral
  6.  Make sure this is done in an HTTP-daemon neutral way (since Apache cannot be assumed)... and/or document multiple times over for different daemons.
  7.  Write the appropriate configuration code (config variables? done in the admin UI?) & explain in the manual
  8.  Work out the procedure (or the many procedures???) for registering as a service, determine what info needs to be inserted at the CQPweb end for that to work (and how), & explain all that in the manual

That list simply fills me with dread. It seems like a lot of work for very little benefit (is signing up for an account on a CQPweb server really so onerous for users?)

But if you are able to round up suitable expert advice and it turns out not to be as terrifying as it seems on the face of it, I would be open to it.

best

Andrew.


From: cwb-bounces at sslmit.unibo.it <cwb-bounces at sslmit.unibo.it> On Behalf Of Martin Wynne
Sent: Thursday, July 18, 2024 9:50 AM
To: cwb at sslmit.unibo.it
Subject: [External] Re: [CWB] Support OIDC authentication, please

Dear Andrew et al,

We've been thinking about this in Oxford, and it would be extremely useful to have OIDC, or some other way of allowing users to log in with their institutional credentials, rather than issuing and managing user accounts ourselves.

I did get Shibboleth working in the past with BNCweb (for the benefit of other listeners, BNCweb is a modified version of CQPweb), and, once we had the server set up and registered as a Shibboleth service provider, with the relevant keys and certificates in place, it was only a matter of changing the Apache configuration to require Shibboleth authentication to access the BNCweb application. It appears that OIDC is a preferred way to do this nowadays, rather than native Shibboleth.

I discussed this briefly with technical folks in the CLARIN research infrastructure, who recommended OIDC as a solution, but I also don't know enough about how to implement it without looking into it further. I do know that as well as the technical setup, you'd need to register with the UK Federation as a trusted Shibboleth service provider, which would probably involve going through your institutional contact in IT Services in your university, but shouldn't be too onerous.

There are a number of online services which use Shibboleth-based login (you can see a list at https://www.clarin.eu/content/easy-access-protected-resources) but as far as I can see, none of them are instances of CQPweb, and I can't tell if they use OIDC.

I'd be interested in taking this further and getting more advice on how to implement OIDC and how to make it work with CQPweb, and could ask CLARIN experts in this domain to help.

Best wishes,
Martin
On 27/06/2024 04:52, Hardie, Andrew wrote:

Speaking only for myself, I don't understand enough about OIDC authentication to say whether or not this is possible - I certainly couldn't implement it without a lot of work learning about it.



What do others think - is this a necessary feature, or not?



best



Andrew.



From: cwb-bounces at sslmit.unibo.it <cwb-bounces at sslmit.unibo.it> On Behalf Of ???
Sent: Friday, June 14, 2024 9:46 PM
To: cwb at sslmit.unibo.it
Subject: [CWB] Support OIDC authentication, please



Thus, we can integrate CQPweb with other systems.




---------

Vincent





_______________________________________________

CWB mailing list

CWB at sslmit.unibo.it

http://liste.sslmit.unibo.it/mailman/listinfo/cwb



--

Senior Researcher in Corpus Linguistics

Faculty of Linguistics, Philology and Phonetics, University of Oxford

National Co-ordinator, CLARIN-UK

martin.wynne at ling-phil.ox.ac.uk

https://orcid.org/0000-0002-4155-0530