...

{
	"description": "In order to download a file the user will need to provide one or more GA4GH passport visa claims. Such a claim will be provided by the linked GA4GH passport broker.",
	"implements": [
		{
			"$ref": "org.sagebionetworks.repo.model.download.Action"
		}
	],
	"properties": {
		"brokerRedirectUrl": {
			"description": "The redirect URL of the passport broker that provides the passport visa claims needed to access the data.",
			"type": "string"
		},
		"visaNames": {
			"description": "The names of the visas that must be provided.",
			"type": "array",
			"items": {
				"type": "string"
			}
		}
	}
}

...

Synapse already uses OpenID Connect (OIDC) to support login via Google and to link an ORCID to a Synapse account. For the login case, information from Google is used to link the caller to a Synapse user ID. The final product of the OIDC process is a new Synapse access token that encodes both the user's ID and the scope of the token. The Synapse access token is a signed JSON Web Token (JWT) and can be used by both web and programmatic clients to authenticate all Synapse API requests.

The GA4GH 'Data Passports' specification extends the basic OIDC process to enable a passport broker to provide a passport clearinghouse with a passport containing one or more visa claims (see also the 'AAI OIDC Profile'). Specifically, the access token (also a JWT) that the broker provides to the clearinghouse will include an entry for the caller's passport.

We propose extending the Synapse OIDC support so that it not only supports "login" via a broker but also captures the broker-provided passport in the resulting Synapse access token.

...

By appending these claims to the resulting Synapse access token, we ensure that the visas are available to both web and command-line clients. The next section covers how Synapse access tokens with embedded visa claim JWTs can be used for download authorization.

...

  • Validate the signature and expiration of each visa.

  • Validate the conditional relationships between visas. For example, a visa might include a condition such that it is only valid if another visa also exists. In that case the dependent visa is invalid if its dependency is missing (or is itself invalid, e.g. expired).
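The following is an added, self-contained example (it is not Synapse code and not part of this design page) that ties the preceding sections together: it builds a broker-style access token whose passport carries embedded visa JWTs, then runs the two checks listed above (per-visa signature and expiration, then visa-to-visa conditions) and applies a download action's visaNames requirement. Assumptions beyond what the page states: the claim names ga4gh_passport_v1 and ga4gh_visa_v1 and the const:/pattern: condition syntax follow the GA4GH Passport v1 specification; a visa "name" in visaNames is taken to be the visa type; and all tokens are HS256-signed with one shared secret purely so the example runs offline (a real clearinghouse verifies each visa against its issuer's published public keys). All sample visas, issuers and values are constructed.

```python
# Added example, not Synapse code. Claim names follow the GA4GH Passport v1 spec
# (assumption); HS256 with a shared SECRET stands in for issuer public-key checks.
import base64
import fnmatch
import hashlib
import hmac
import json
from typing import List, Optional

SECRET = b"example-shared-secret"   # stand-in for the broker/issuer signing key
NOW = 1_700_000_000                 # fixed "current time" so results are reproducible


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_encode(claims: dict, key: bytes) -> str:
    """Minimal HS256 JWT encoder, used only to build the sample passport."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def jwt_verify(token: str, key: bytes, now: int) -> Optional[dict]:
    """Return the claims only if the MAC is valid and 'exp' is still in the future."""
    try:
        header, body, sig = token.split(".")
        provided = _b64url_decode(sig)
    except ValueError:
        return None
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):
        return None
    claims = json.loads(_b64url_decode(body))      # parse only after the MAC checks out
    exp = claims.get("exp")
    return claims if isinstance(exp, int) and exp > now else None


def _clause_matches(clause: dict, visa: dict) -> bool:
    """Every field of a clause ("const:<exact>" or "pattern:<glob>") must match this visa."""
    for field, spec in clause.items():
        kind, _, want = spec.partition(":")
        actual = visa.get(field)
        if kind == "const":
            ok = actual == want
        elif kind == "pattern":                     # simplified: fnmatch for ? and * globs
            ok = isinstance(actual, str) and fnmatch.fnmatchcase(actual, want)
        else:
            ok = False                              # unknown matcher: fail closed
        if not ok:
            return False
    return True


def _conditions_met(visa: dict, valid: List[dict]) -> bool:
    """'conditions' is OR over sets and AND within a set; each clause needs a valid visa."""
    sets = visa.get("conditions")
    if not sets:
        return True
    return any(all(any(_clause_matches(c, v) for v in valid) for c in s) for s in sets)


def valid_visas(passport: str, key: bytes, now: int) -> List[dict]:
    """Visas whose signature, expiry and inter-visa conditions all hold."""
    outer = jwt_verify(passport, key, now)
    if outer is None:
        return []
    visas = []
    for visa_jwt in outer.get("ga4gh_passport_v1", []):
        claims = jwt_verify(visa_jwt, key, now)     # check 1: per-visa signature + exp
        if claims and isinstance(claims.get("ga4gh_visa_v1"), dict):
            visas.append(claims["ga4gh_visa_v1"])
    valid = [v for v in visas if not v.get("conditions")]
    pending = [v for v in visas if v.get("conditions")]
    progress = True
    while progress:                                 # check 2: resolve dependencies to a fixpoint
        progress = False
        for v in list(pending):
            if _conditions_met(v, valid):
                valid.append(v)
                pending.remove(v)
                progress = True
    return valid


def authorize_download(passport: str, visa_names: List[str], key: bytes, now: int):
    """Download action check: every name in visaNames must be a present, valid visa type."""
    have = {v["type"] for v in valid_visas(passport, key, now)}
    missing = [n for n in visa_names if n not in have]
    return (not missing, missing)


def make_passport(key: bytes = SECRET, include_affiliation: bool = True) -> str:
    """Constructed sample: a grant that depends on an affiliation visa, plus an expired visa."""
    affiliation = {"type": "AffiliationAndRole", "value": "faculty@example.org",
                   "source": "https://example.org", "by": "system", "asserted": NOW - 86400}
    grant = {"type": "ControlledAccessGrants", "value": "https://example.org/datasets/ds1",
             "source": "https://dac.example.org", "by": "dac", "asserted": NOW - 86400,
             "conditions": [[{"type": "const:AffiliationAndRole",
                              "value": "pattern:*@example.org",
                              "source": "const:https://example.org"}]]}
    stale = {"type": "ResearcherStatus", "value": "https://example.org/bona-fide",
             "source": "https://example.org", "by": "so", "asserted": NOW - 86400}

    def visa(obj: dict, exp: int) -> str:
        return jwt_encode({"iss": obj["source"], "sub": "user-1", "exp": exp,
                           "ga4gh_visa_v1": obj}, key)

    visas = [visa(grant, NOW + 3600), visa(stale, NOW - 1)]   # 'stale' is already expired
    if include_affiliation:
        visas.append(visa(affiliation, NOW + 3600))
    return jwt_encode({"iss": "https://broker.example.org", "sub": "user-1",
                       "exp": NOW + 3600, "ga4gh_passport_v1": visas}, key)


if __name__ == "__main__":
    print(authorize_download(make_passport(), ["ControlledAccessGrants"], SECRET, NOW))
    print(authorize_download(make_passport(include_affiliation=False),
                             ["ControlledAccessGrants"], SECRET, NOW))
```

The dependency check is run to a fixpoint rather than in a single pass so that a visa whose condition is satisfied only by another conditional visa is still resolved correctly, and a conditional visa whose dependency is expired (and therefore never enters the valid set) stays invalid, which is the failure mode the second bullet above describes.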

...