10 7 2024 Tech Team Report
qqmyers edited this page Oct 7, 2024 · 3 revisions
Date | Task | Hours (Main) | Hours (EOLS) | Hours (PII) | Hours (QDAS) |
---|---|---|---|---|---|
30-Sep-2024 | Reporting, meeting, try hardcoding an attribute to trigger OTP, try various flows with OTP+ condition, Conditional OTP step, etc., read Mesh paper, reply re authorship | 5 | | | |
2-Oct-2024 | Investigate OTP if setup condition, try exposing account page for users to set up OTP, try Conditional OTP with organization attribute - works - plan to use title for OTP choice, update open PRs to 6.4/latest. | 3 | | | |
3-Oct-2024 | Switch to description (title already used), implement code to add to reg form, allow updating later, test, adjust Keycloak config/browser flow to map description to mfastatus and trigger MFA when value is "MFA User", include mfastatus in tokens, update DV to check for MFA User and avoid unnecessary level2 request, test combos of MFA User and level2, test social logins - start investigating ORCID fail (possibly their issue) and Google lack of MFA and passive fail - find PostLogin flow option, Drupal core 10.3.6 | 6 | | | |
4-Oct-2024 | Use PostLogin flow to test for OTP after social login, appears to work, investigate total fail of SSO, sequentially revert changes, revert to stage version of Drupal/Dataverse, dig through Keycloak differences between dev and stage, fix last name handling | 6 | | | |
- Found a way to use a condition and OTP Form step to trigger MFA based on a user attribute. Worked through changes required to add an MFA opt-in flag in Drupal, store in LDAP, map from LDAP to Keycloak attribute, set up MFA test for normal login, investigate/use PostLogin flow to add MFA test to social logins.
- Investigate ORCID sandbox failure - looks like ORCID had a problem responding to the /userinfo API call for a while
- Discover and investigate failure of SSO for all types of login. Eventually roll back to the same Drupal and Dataverse as on stage (where SSO works), roll back to original Authentication flows (w/o MFA), check Keycloak settings - still have not found the change that is causing trouble.
- Drupal 10.3.6 core - deploy to dev
- Fix issues with getting last name when not provided by social login and propagating it correctly to LDAP and Keycloak
- Update 4 open PRs from develop/6.4 branch - most/all are now going through review/QA
- Read paper, responded re: authorship
- Assuming that when I find the problem with SSO (calling Dataverse for a passive login is getting a login_required error from Keycloak) that it isn't MFA related, I think I have a working approach that handles both opt-in and requiring curators to bump up to level2. I'm ~hopeful that this is the case as I've rolled back ~everything involved in the new approach (guessing I missed some change I made in Keycloak related to trying other approaches). If that's not the case it may be time to handle MFA setup manually for now - there's a bunch of work going on to handle OIDC for the new Dataverse SPA that may end up using Payara's internal OIDC capabilities which could potentially offer an easier way to do SSO with Drupal as well (e.g. by deploying Drupal behind Payara) that could then simplify how we could do SSO/MFA for QDR.
- I announced the ORCID grant and asked for interested early adopters. QDR is obviously an early adopter of ORCIDs already and I assume that will probably continue but if there's a reason to formalize that let me know. (For ORCID, since the emphasis is on global/global south, I want to make sure we have participants from other continents first, but I expect they'll be happy to see US/European instances in a list as well.)
- FWIW DVUploader has a v1.2.0 release, so a new war file exists - basically the beta3 plus two security fixes (that probably don't matter in a command-line tool)
- Get MFA to a usable state w.r.t. on authentication issue #43 (MFA, etc.)
- Finalize v6.4-qdr release
- Background work to change/remove deprecated Drupal modules in prep for 11.0.0
- Fix Stata-14 ingest by allowing file inspection during direct upload or adjusting the Stata ingester.
- Fix #113 if possible
- Matomo - investigate event-level tracking via tag manager, remove non-working google scripts
- AnnoRep - explore round-trip, configure auto-start and log rotation
- Ops
- check missing globalidcreationdates and fix via /modifyRegistration or alternative
- Dataverse
- Make PR for guestbook adding datasetversion fix
- Popup info accessibility - IQSS likes the recommendations from the source I linked to, so this can be implemented along those lines.
- QDAS Previewer
- Updates per request
- Investigate writing aux file/previewing lower-sensitivity version and/or other write options
- TBD: FRDR Security