[DAS] Personal genomics/Deploying a DAS server for Dummies/6 Easy steps

Dan Bolser dan.bolser at gmail.com
Thu Jan 12 18:08:01 UTC 2012


On 12 January 2012 17:07, Andy Jenkinson <andy.jenkinson at ebi.ac.uk> wrote:
> Great stuff Jon!
>
> On 12 Jan 2012, at 15:31, Jonathan Warren wrote:
>>
>> On 12 Jan 2012, at 13:43, Dan Bolser wrote:
>>
>>> I want to be able to specifically grant access to my data by a known third party.
>>
>> We had large debates about how to implement security in DAS at the last couple of DAS workshops. In the end it was decided we would go with BASIC authentication and https requests and responses and people would have to trust DAS clients with their username and passwords.
>
> I believe those providers use (or are migrating to) a common authorisation protocol based on OAuth. This type of authorisation actually only allows you to control which -applications- have access to your data, not which individuals. That means each individual client needs to be configured for this purpose. Really what is needed is an end-to-end solution across both clients and servers, with a common authentication/identification mechanism and across multiple providers. Particularly the authentication part is difficult because, for technical reasons, we can't use OpenID. It'd be great and there are potential solutions, but the "activation energy" and coordination required is quite high.

AFAIK, using something like the above, you authenticate with the
client using OpenID, and the client is authenticated to access your
data via OAuth. You can then build your client to allow various levels
of sharing with other users in the system, as with FB.

Would building OAuth into Proserver, then identifying with OpenID be a
way round the 'technical reasons' you described above? Or is it just
running in circles?


Cheers,
Dan.
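The thread above weighs HTTP BASIC authentication over HTTPS (the option the DAS workshops settled on) against OAuth, which grants access to applications rather than to named individuals. The following is an added illustration, not code from the thread, from ProServer or from any DAS client, of what the BASIC-over-HTTPS decision looks like on the server side when the goal is the one Dan states: granting a specific known third party access to a specific data source. The user store, the ACL, the data source names and the `handle_request` shape are all constructed assumptions for the example; a real server would load them from its configuration.

```python
import base64
import hashlib
import hmac

# Constructed user store: username -> (salt, PBKDF2-SHA256 hash of the password).
# Passwords are never stored in clear; only the salted hash is kept (assumption:
# a real deployment would load this from config or a database).
def _hash_password(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

_SALT_ALICE = b"constructed-salt-1"
_SALT_BOB = b"constructed-salt-2"
USERS = {
    "alice": (_SALT_ALICE, _hash_password(b"alice-secret", _SALT_ALICE)),
    "bob": (_SALT_BOB, _hash_password(b"bob-secret", _SALT_BOB)),
}

# Constructed ACL: data source -> set of usernames allowed to read it.
# "*" means any authenticated user. This is the per-individual grant that
# the thread notes plain OAuth application authorisation does not give you.
ACL = {
    "my_genome": {"alice"},        # private data shared with one known third party
    "public_annotations": {"*"},   # anyone who can authenticate
}


def parse_basic_auth(header):
    """Return (username, password) from an 'Authorization: Basic ...' value, or None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def authenticate(header):
    """Return the username if the credentials verify, else None."""
    creds = parse_basic_auth(header)
    if creds is None:
        return None
    user, password = creds
    record = USERS.get(user)
    # Hash even for unknown users so response time does not reveal which names exist.
    salt, stored = record if record else (b"dummy-salt", b"\x00" * 32)
    candidate = _hash_password(password.encode("utf-8"), salt)
    if record and hmac.compare_digest(candidate, stored):
        return user
    return None


def authorize(user, source):
    """True if the authenticated user may read the given data source."""
    allowed = ACL.get(source, set())
    return "*" in allowed or user in allowed


def handle_request(header, source, is_https):
    """Return (status, body) the way a DAS server might answer a features request."""
    if not is_https:
        # BASIC credentials are only base64, so they must never cross plain HTTP.
        return 403, "Basic credentials are only accepted over HTTPS"
    user = authenticate(header)
    if user is None:
        return 401, 'WWW-Authenticate: Basic realm="DAS"'
    if not authorize(user, source):
        return 403, "forbidden"
    return 200, f"features for {source} served to {user}"


def basic_header(user, password):
    """Build the Authorization value a DAS client would send (for demonstration)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    print(handle_request(basic_header("alice", "alice-secret"), "my_genome", True))
    print(handle_request(basic_header("bob", "bob-secret"), "my_genome", True))
```

The separation of `authenticate` (who is this?) from `authorize` (may they read this source?) is the point: BASIC auth over HTTPS answers the first question per individual, and the ACL answers the second, which is exactly the split that an application-scoped OAuth grant alone does not provide.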



