<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Aptos;}
@font-face
{font-family:Consolas;
panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:12.0pt;
font-family:"Aptos",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
font-size:12.0pt;
font-family:"Aptos",sans-serif;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Consolas",serif;}
span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Aptos",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1963150496;
mso-list-type:hybrid;
mso-list-template-ids:-595927444 134807567 134807577 134807579 134807567 134807577 134807579 134807567 134807577 134807579;}
@list l0:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-GB" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Hi Martin,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">All interesting. A couple of points…<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">I wouldn’t want to implement this on the Lancaster server, since
<i>most</i> of our users are external to Lancaster University, and lots aren’t at
<i>any</i> university. (Plus cqpweb.lancs.ac.uk usually runs the bleeding edge code, so not always sensible to trust it to play nicely with external services.) So I’m viewing this possible feature as something that would be added for others not myself.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">The headache is then that it is not a matter of dealing with a single institutional system, but rather with whatever range of systems are relevant to whoever might want to implement it on their CQPweb
server, while maintaining the possibility of not using any external system at all. So really, the task would be<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<ol style="margin-top:0cm" start="1" type="1">
<li class="MsoListParagraph" style="margin-left:0cm;mso-list:l0 level1 lfo1"><span style="mso-fareast-language:EN-US">Learn all about the subject area. (I really don’t know anything. E.g., I have no idea about Shibboleth at all, beyond having vaguely heard
of it.)<o:p></o:p></span></li></ol>
<p class="MsoListParagraph"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<ol style="margin-top:0cm" start="2" type="1">
<li class="MsoListParagraph" style="margin-left:0cm;mso-list:l0 level1 lfo1"><span style="mso-fareast-language:EN-US">Set up a separate dev / test server<o:p></o:p></span></li></ol>
<p class="MsoListParagraph"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<ol style="margin-top:0cm" start="3" type="1">
<li class="MsoListParagraph" style="margin-left:0cm;mso-list:l0 level1 lfo1"><span style="mso-fareast-language:EN-US">Amend the code so that it can either use the internal login system, or an institutional system. (Or both at once??)
<o:p></o:p></span></li></ol>
<p class="MsoListParagraph"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<ol style="margin-top:0cm" start="4" type="1">
<li class="MsoListParagraph" style="margin-left:0cm;mso-list:l0 level1 lfo1"><span style="mso-fareast-language:EN-US">One thing I’m particularly worried about here is the possible need for a major rewrite of the exiting user account system to allow it to co-exist
with a federated system. That would be <i>no fun at all</i>, to put it mildly. (BTW, BNCweb uses Apache authentication, but CQPweb
<i>doesn’t</i> – user accounts, login, etc. are all managed internally, and the user account system is interlinked with
<i>everything</i> in the codebase pretty much)<o:p></o:p></span></li></ol>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<ol style="margin-top:0cm" start="5" type="1">
<li class="MsoListParagraph" style="margin-left:0cm;mso-list:l0 level1 lfo1"><span style="mso-fareast-language:EN-US">Amendments would have to include, for federated login, auto account creation on the system, since account specific info like query history,
defined subcorpora, uploaded corpora etc. can’t be ephemeral<o:p></o:p></span></li></ol>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<ol style="margin-top:0cm" start="6" type="1">
<li class="MsoListParagraph" style="margin-left:0cm;mso-list:l0 level1 lfo1"><span style="mso-fareast-language:EN-US">Make sure this is done in an HTTP-daemon neutral way (since Apache cannot assumed)… and/or document multiple times over for different daemons.<o:p></o:p></span></li></ol>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<ol style="margin-top:0cm" start="7" type="1">
<li class="MsoListParagraph" style="margin-left:0cm;mso-list:l0 level1 lfo1"><span style="mso-fareast-language:EN-US">Write the appropriate configuration code (config variables? done in the admin UI?) & explain in the manual<o:p></o:p></span></li></ol>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<ol style="margin-top:0cm" start="8" type="1">
<li class="MsoListParagraph" style="margin-left:0cm;mso-list:l0 level1 lfo1"><span style="mso-fareast-language:EN-US">Work out the procedure (or the many procedures???) for registering as a service, determine what info needs to be inserted at the CQPweb end
for that to work (and how), & explain all <i>that</i> in the manual<o:p></o:p></span></li></ol>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">That list simply fills me with dread. It seems like
<i>a lot</i> of work for very little benefit (is signing up for an account on a CQPweb server
<i>really</i> so onerous for users?)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">But if you are able to round up suitable expert advice and it turns out not to be as terrifying as it seems on the face of it, I would be open to it.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">best<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Andrew.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif"> cwb-bounces@sslmit.unibo.it <cwb-bounces@sslmit.unibo.it>
<b>On Behalf Of </b>Martin Wynne<br>
<b>Sent:</b> Thursday, July 18, 2024 9:50 AM<br>
<b>To:</b> cwb@sslmit.unibo.it<br>
<b>Subject:</b> [External] Re: [CWB] Support OIDC authentication, please<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Dear Andrew et al,<br>
<br>
We've been thinking about this in Oxford, and it would be extremely useful to have OIDC, or some other way of allowing users to log in with their institutional credentials, rather than issuing and managing user accounts ourselves.
<br>
<br>
I did get Shibboleth working in the past with BNCweb (for the benefit of other listeners, BNCweb is a modified version of CQPweb) in the past, and, once we had the server set up and registered as a Shibboleth service provider, with the relevant keys and certificates
in place it was only a matter of changing the apache configuration to require Shibboleth authentication to access the BNCweb application. It appears that OIDC is a preferred way to do this nowadays, rather than native Shibboleth.<br>
<br>
I discussed this briefly with technical folks in the CLARIN research infrastructure, who recommended OIDC as a solution, but I also don't know enough about how to implement it without looking into it further. I do know that as well as the technical setup, you'd
need to register with the UK Federation as a trusted Shibboleth service provider, which would probably involve going through your institutional contact in IT Services in your university, but shouldn't be too onerous.<br>
<br>
There are a number of online services which use shibboleth-based login (you can see a list at
<a href="https://www.clarin.eu/content/easy-access-protected-resources">https://www.clarin.eu/content/easy-access-protected-resources</a>) but as far as I can see, none of them are instances of CQPweb, and I can't tell if they use OICD.<br>
<br>
I'd be interested in taking this further and getting more advice on how to implement OIDC and how to make it work with CQPweb, and could ask CLARIN experts in this domain to help.<br>
<br>
Best wishes,<br>
Martin<o:p></o:p></p>
<div>
<p class="MsoNormal">On 27/06/2024 04:52, Hardie, Andrew wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:#1F497D">Speaking only for myself, I don’t understand enough about OIDC authentication to say whether or not this is possible – I certainly couldn’t implement it without a lot of work learning
about it.</span><o:p></o:p></p>
<p><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:#1F497D">What do others think – is this a necessary feature, or not?</span><o:p></o:p></p>
<p><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:#1F497D">best</span><o:p></o:p></p>
<p><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:#1F497D">Andrew.</span><o:p></o:p></p>
<p><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <a href="mailto:cwb-bounces@sslmit.unibo.it">cwb-bounces@sslmit.unibo.it</a>
<a href="mailto:cwb-bounces@sslmit.unibo.it"><cwb-bounces@sslmit.unibo.it></a> <b>
On Behalf Of </b>???<br>
<b>Sent:</b> Friday, June 14, 2024 9:46 PM<br>
<b>To:</b> <a href="mailto:cwb@sslmit.unibo.it">cwb@sslmit.unibo.it</a><br>
<b>Subject:</b> [CWB] Support OIDC authentication, please</span><o:p></o:p></p>
</div>
<p> <o:p></o:p></p>
<p><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:black">Thus, we can integrate CQPweb with other systems.</span><o:p></o:p></p>
<p style="margin-bottom:12.0pt"><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:black"><br>
<br>
<br>
</span><o:p></o:p></p>
<p><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:black">---------</span><o:p></o:p></p>
<p><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:black">Vincent</span><o:p></o:p></p>
<p> <o:p></o:p></p>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>CWB mailing list<o:p></o:p></pre>
<pre><a href="mailto:CWB@sslmit.unibo.it">CWB@sslmit.unibo.it</a><o:p></o:p></pre>
<pre><a href="http://liste.sslmit.unibo.it/mailman/listinfo/cwb">http://liste.sslmit.unibo.it/mailman/listinfo/cwb</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<pre>-- <o:p></o:p></pre>
<pre>Senior Researcher in Corpus Linguistics<o:p></o:p></pre>
<pre>Faculty of Linguistics, Philology and Phonetics, University of Oxford<o:p></o:p></pre>
<pre>National Co-ordinator, CLARIN-UK<o:p></o:p></pre>
<pre><a href="mailto:martin.wynne@ling-phil.ox.ac.uk">martin.wynne@ling-phil.ox.ac.uk</a><o:p></o:p></pre>
<pre><a href="https://orcid.org/0000-0002-4155-0530">https://orcid.org/0000-0002-4155-0530</a><o:p></o:p></pre>
</div>
</div>
</body>
</html>