
Adapt Access Tokens to temporary OIDs

Martin Fontanet requested to merge dev-20210330MF into develop

Closes #73 (closed)

This PR introduces a new way to handle temporary OIDs and provide access tokens to users.

The original problem: Access tokens are used to prove users' identity when sending data to the custodian. Temporary OIDs are used to preserve users' anonymity when sending data to the custodian and/or signing a consent. As users were storing their temporary OIDs in their attributes, their anonymity would be broken when using an access token (as the access token contains ALL their different OIDs).

How the problem is solved: When a user wants an access token to prove that he/she owns a temporary OID, we generate an access token that contains only the temporary OID, with no direct link to the user's original OID (i.e., the access token only proves that the user owns the temporary OID, without giving any other information). That way, users can keep their anonymity when sending data/signing consent and the IMS can still know which temporary OID belongs to which user.

Edited by Martin Fontanet
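
The scoping described above, as an added example that is not code from this merge request or the project: it contrasts a token carrying all of a user's OIDs with one carrying only a single temporary OID, while the IMS keeps the temporary-to-original mapping private. The token format (HMAC-signed JSON), the `oids` claim, the key, and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets

IMS_KEY = secrets.token_bytes(32)  # constructed demo key (assumption: HMAC-signed tokens)
_temp_owner = {}                   # IMS-private map: temporary OID -> original OID

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(claims: dict) -> str:
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _b64(hmac.new(IMS_KEY, body.encode(), hashlib.sha256).digest())

def verify(token: str) -> dict:
    """Custodian side: check the MAC, then return the claims it can see."""
    body, _, mac = token.partition(".")
    expected = _b64(hmac.new(IMS_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def new_temporary_oid(original_oid: str) -> str:
    temp = "tmp-" + secrets.token_hex(8)
    _temp_owner[temp] = original_oid   # the link never leaves the IMS
    return temp

def token_before(original_oid: str) -> str:
    """Old behaviour: one token carrying ALL of the user's OIDs."""
    temps = [t for t, o in _temp_owner.items() if o == original_oid]
    return _sign({"oids": [original_oid, *temps]})

def token_for_temporary_oid(requester_oid: str, temp_oid: str) -> str:
    """New behaviour: prove ownership of one temporary OID and nothing else."""
    if _temp_owner.get(temp_oid) != requester_oid:
        raise PermissionError("requester does not own this temporary OID")
    return _sign({"oids": [temp_oid]})

def owner_of(temp_oid: str) -> str:
    """IMS-only lookup: which user a temporary OID belongs to."""
    return _temp_owner[temp_oid]

if __name__ == "__main__":
    alice = "oid-alice"                       # constructed sample user
    t1, t2 = new_temporary_oid(alice), new_temporary_oid(alice)
    print("before:", verify(token_before(alice)))
    print("after: ", verify(token_for_temporary_oid(alice, t1)))
```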
