federated authentication + user profiles + mailing

[satra]

we have to currently use several layers of determination to approve users. to change and simplify the process for 90% of users, here is a proposal:

MVP

• use in common federation (https://incommon.org/federation/) to allow anyone at a university or part of the federation to sign up for dandi
• do not activate the account, unless they also:
  • create a github account and link it to their profile
  • create an ORCID link
• for previous users, we can request the same for the next time they need to log in (we can force that by removing API tokens).
• create a user profile page to establish account links and connections

MVP + 1

• setup a mechanism to email registered users

MVP + 2 (bring in ReBAC/RBAC)

• this should be tied in with groups that a person can be part of
• detect if user emails bounce to determine inactive users
• add last activity to user profile page

[yarikoptic]

incommon has MIT, Dartmouth and other institutions "through" eduroam. It lacks kitware -- @waxlamp might be worth pinging someone at kitware to make them aware and check if possible to "integrate" with it - might be useful in the long run.

edit: only "Allen Institute for Artificial Intelligence" ant not "Allen Institute neuroscience" is there -- so worth pinging them too I guess happen we go that route. @satra who would be the best contact for that?

[yarikoptic]

I would like to note again project which @satra mentioned originally in

• user identity and federation across dandi services dandiarchive-legacy#256

let's consider https://www.keycloak.org/

It is also used by nebari (backref: dandi/dandi-hub#186) so may be making such a choice could help to centralize auth* to this single platform.