Client authentication and authorisation with RAiD #68
robleney-ardc started this conversation in Feature discussion
It is envisaged that 3rd party clients, research management tools for example, will authenticate and authorise with RAiD using OpenID Connect and the OAuth2 authorisation code flow as follows.
AppX Registration: Before anything, AppX must register with RAiD’s platform. During registration, RAiD will provide AppX with a Client ID and a Client Secret. These credentials are used to identify AppX when communicating with RAiD.
User Initiates Action: The user decides to use AppX to interact with their account on RAiD. For example, the user wants AppX to write data to RAiD on their behalf.
Redirect to RAiD: AppX redirects the user to RAiD’s authorization server, including the Client ID and the type of access it requires (e.g., the ability to write data).
User Login: The user logs into RAiD (if not already logged in) and is presented with a consent screen showing the access AppX is requesting.
User Consents: If the user agrees, RAiD acknowledges that AppX is authorized to act on behalf of the user within the specified scope (e.g., writing data).
Authorization Code: RAiD sends the user back to AppX along with an authorization code. This code is a temporary credential that AppX will exchange for an access token.
Code for Token: AppX contacts RAiD’s authorization server directly, providing the authorization code, its Client ID, and Client Secret.
Access Token Issued: After validating these details, RAiD’s server responds with an access token (and possibly a refresh token) to AppX.
API Request: AppX uses the access token to authenticate API requests to RAiD. When AppX wants to write data to RAiD on behalf of the user, it includes the access token in the HTTP headers of its requests.
Data Written: RAiD’s server validates the access token and, if it has the correct permissions, processes AppX’s request to write data.
Token Expiration: Access tokens are limited in lifespan for security. If AppX’s access token expires or needs additional permissions, it may use the refresh token (if provided) to obtain a new access token without requiring the user to go through the consent process again.
Summary
This flow ensures that AppX can write to RAiD on behalf of the user without ever having access to the user's RAiD credentials. The user has control over the permissions granted to AppX and can revoke them at any time through RAiD's platform. This process leverages web redirects, secure credential exchanges, and token-based authentication to protect the user's security and privacy.
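The client side of the "Redirect to RAiD", "Authorization Code" and "Code for Token" steps can be sketched as follows. This is an added example, not RAiD's or the poster's code. The endpoint URLs, redirect URI, scope name and credentials are hypothetical placeholders, and the `state` check and HTTP Basic client authentication come from standard OAuth2 (RFC 6749), not from the post.

```python
import base64, hmac, secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Hypothetical values: the page does not give RAiD's endpoints or scope names.
AUTHORIZE_URL = "https://auth.example.org/authorize"
TOKEN_URL = "https://auth.example.org/token"
CLIENT_ID = "appx-client-id"          # placeholder for the ID issued at registration
CLIENT_SECRET = "appx-client-secret"  # placeholder; never travels through the browser
REDIRECT_URI = "https://appx.example.org/callback"


def build_authorize_redirect(scope="openid raid:write"):
    """Redirect to RAiD: browser URL plus the state AppX stores in the user's session."""
    state = secrets.token_urlsafe(32)  # unguessable value bound to this session
    query = urlencode({"response_type": "code", "client_id": CLIENT_ID,
                       "redirect_uri": REDIRECT_URI, "scope": scope, "state": state})
    return f"{AUTHORIZE_URL}?{query}", state


def code_from_callback(callback_url, expected_state):
    """Authorization Code: accept the code only if state matches this session."""
    params = parse_qs(urlsplit(callback_url).query)
    if "error" in params:  # e.g. the user declined on the consent screen
        raise ValueError("authorization failed: " + params["error"][0])
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback not tied to this session")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]


def build_token_request(code):
    """Code for Token: back-channel POST, returned as (url, headers, body)."""
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI})  # must equal the redirect's value
    return TOKEN_URL, headers, body


if __name__ == "__main__":
    url, state = build_authorize_redirect()
    # Constructed callback, shaped like the redirect the authorization server sends.
    callback = f"{REDIRECT_URI}?code=SAMPLE_CODE&state={state}"
    print(build_token_request(code_from_callback(callback, state)))
```

The secret appears only in the server-to-server token request, and a callback whose `state` does not match the session is rejected before any code is exchanged.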