Making education in Norway a more interesting market for targeting digital services
Today, any developer or service provider may use the free-of-charge, 100% self-service developer dashboard to register OAuth 2.0 and OpenID Connect clients. The service provider may choose to enable various authentication backends, such as Feide, ID-porten, Facebook, LinkedIn, Twitter and Feide guest OpenIdP.
As soon as your client has obtained an OAuth 2.0 token, you may access a series of APIs to obtain more information about the current user.
Federated groups enhance collaboration
One of the most interesting functionalities is the group API, which gives simple access to an abstracted view of the authenticated user's group relations. Currently, clients will get access to a student's role at an institution, in addition to class, cohort, study, subjects and more.
All users may also create ad-hoc groups for collaboration, and invite colleagues or other students through incremental search with the peoplesearch feature.
The groups API is a simple HTTP/JSON API, based upon the VOOT 2.0 standardization work, a collaboration effort between NRENs in Europe.
Third party APIs with the API Gatekeeper
An effective supporting infrastructure for securely sharing data will hopefully increase control and reduce costs associated with building new valuable digital services for the students and teachers of tomorrow.
Dataporten lets third parties register new APIs into Dataporten using 100% self-service. Any data provider may control the access-control workflow according to their own preference. Dataporten also allows data providers to delegate this control to the users, the institutions or a combination.
The API Gatekeeper functionality will allow data providers to expose their APIs in the public API Library, an integrated part of the dashboard for client developers. Requesting access to a third-party API for a client is just a click away.
When access is granted, client developers may use the same OAuth 2.0 token as used on all the other Dataporten APIs to also access third-party APIs, through the API Gatekeeper, which runs on a dedicated hostname for each API. A client may perform a request such as:
and the request, when forwarded to the API of the data provider, will be expanded with more convenient access to information about both the authenticated client and the authenticated end user.
The API Provider will also have a new delegated OAuth 2.0 Access Token which may be used to perform new requests to other Dataporten APIs, for example to navigate through the group relations of the current user.
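The forwarding step described above, modelled as an added example (it is not Dataporten's code and not part of the original article). The header names, scope names and token store are hypothetical and constructed for illustration, and dropping client-supplied identity headers is an assumption about how a gateway of this kind keeps the forwarded identity trustworthy.

```python
import secrets

# Constructed sample data; header names and scope names are hypothetical.
TOKENS = {"tok-client-123": {"client_id": "client-a", "user_id": "user-42",
                             "scopes": {"gk_grades"}}}
IDENTITY_HEADERS = ("x-gk-clientid", "x-gk-userid", "x-gk-token")


class Rejected(Exception):
    """Request refused by the gatekeeper; carries the HTTP status to return."""

    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status


def gatekeeper_forward(api_scope, request_headers):
    """Return the headers the gatekeeper sends on to the data provider's API."""
    headers = {k.lower(): v for k, v in request_headers.items()}
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise Rejected(401, "missing bearer token")
    grant = TOKENS.get(token)
    if grant is None:
        raise Rejected(401, "unknown or expired token")
    if api_scope not in grant["scopes"]:
        raise Rejected(403, "client has no access to this API")

    # Assumption: the client's own token is not passed on, and identity
    # headers supplied by the client are dropped so they cannot be spoofed.
    forwarded = {k: v for k, v in headers.items()
                 if k != "authorization" and k not in IDENTITY_HEADERS}

    # New delegated token for the API provider, bound to the same end user.
    delegated = "dlg-" + secrets.token_urlsafe(16)
    TOKENS[delegated] = {"client_id": api_scope, "user_id": grant["user_id"],
                         "scopes": {"groups"}}
    forwarded.update({"x-gk-clientid": grant["client_id"],
                      "x-gk-userid": grant["user_id"],
                      "x-gk-token": delegated})
    return forwarded


if __name__ == "__main__":
    sent = {"Authorization": "Bearer tok-client-123", "Accept": "application/json",
            "X-GK-UserID": "someone-else"}  # client-set identity header, constructed
    for name, value in sorted(gatekeeper_forward("gk_grades", sent).items()):
        print(f"{name}: {value}")
```

A data provider behind such a gateway should accept these identity headers only on requests it can tie to the gatekeeper itself, since anyone who can reach the backend directly could otherwise set them.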
More control to the end-users
Dataporten gives more information and control to the end-user. Dataporten also introduces some new innovative approaches to the user experience of combining IdP discovery and Account Chooser.
The first time the end-user authenticates to a Dataporten service, a Login Provider Discovery page is displayed with options for which educational institution to log in with, or alternatives such as ID-porten or social networks.
The discovery page is tailored to the exact configuration of the requesting service, which controls which login options are allowed.
Small tweaks, such as ordering the educational institutions by distance using HTML5 geo-coordinates, are added in order to make the user experience better.
On all subsequent login attempts, the user will be presented with an Account Chooser instead, allowing the user to choose between accounts previously used on this computer.
After successful authentication, the permission grant display gives the user insight into the client's requested permissions.
Authentication for people across all Europe
Dataporten is prepared to be integrated into identity cross-federations such as Kalmar and eduGAIN, which will enable end-users from universities and schools across all Europe to log in to Dataporten services.
International login is not ready for the release in March, 2016, but will be added in a beta soon.
Towards a new identifier for people in education
The underlying architecture and data model of Dataporten is prepared to be more flexible with user identifiers than what we have seen in systems so far.
We will be (re-)introducing a discussion around the need for a new identifier for people in education combined with an account mapping repository with APIs.
We’ve given the work the nickname PIIU. Follow the work for updates.
Read more about PIIU – stay tuned for updates here.
All software used in Dataporten is open source. Some already existing software components, such as SimpleSAMLphp, are an essential part of the overall architecture.