Describe an authorization pattern in which a Passport Clearinghouse on a data analysis platform or research environment issues or obtains a new token specific to the data sets referenced by the workflow, task, or interactive analysis, i.e. a task-specific token.
To obtain a task-specific token, these steps are necessary:
1. Data repository: Store the Researcher Passport Visas and synchronize any permissions or authorization metadata, e.g. principal groups.
2. Analysis platform: Call the authorization server, specifying the researcher identity (or the researcher passport) and the data sets needed by the task.
3. Authorization server: Return token(s) that reference the authorized data sets named in the request.
```mermaid
sequenceDiagram
autonumber
actor RA as Researcher
participant RE as Research Environment
participant PB as Passport Broker<br>Identity Provider
participant TE as Task Execution
box Data Repository
participant AS as Authorization API
participant DS as Access API<br>e.g. FHIR
participant DR as Data Repository
end
RA->>RE: Log In
RE->>PB: Log in
PB->>RE: Authenticated
RE->>PB: Request Passport
PB->>RE: Passport (Identity and Visas)
RE->>RA: Authenticated
RA--)+RE: Start Task T
RE->>TE: What Data Does T Use?
TE->>RE: T Data Refs
RE->>AS: Passport (Identity and Visas), T Data Refs
AS->>DR: Set permissions
DR->>AS: Success
AS--)AS: Set expiration timer
AS->>RE: Task-Specific Token
RE--)+TE: Start Task T
TE--)RE: Task Execution Started
RE--)-RA: Task Execution Started
loop
TE->>DS: Request Data
DS->>DR: Request Data
DR->>DS: Data
DS->>TE: Data
end
```
The research environment passes the passport (identity and visas) and the task's data references to the Authorization API, which sets data permissions allowing the task to access only the authorized data sets it referenced. These permissions are stored with the data repository and a token is returned. The token is small and opaque: it refers to the cached set of permissions rather than carrying the visas or permissions itself. The token is then sent in an HTTP header (e.g. an `Authorization` bearer header) on each request to the Access API, which resolves it to the cached permissions and authorizes or denies the request. Because the token is a bearer credential, it should only travel over TLS, and the expiration timer set by the Authorization API ensures it stops working when the task, or the visas backing it, expire.
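The exchange above, written out as an added in-memory model (this is example code, not the page's or any GA4GH project's implementation). The Visa and Passport shapes, the dataset identifiers, the one-hour token TTL and the `issue_task_token` / `request_data` names are assumptions made for illustration; `run_flow` walks through the diagram with constructed data, including the two failure cases a practitioner would check: a task referencing a data set the researcher has no visa for, and a token used after the shortest backing visa has lapsed.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Visa:
    """Simplified Passport Visa (assumed shape): a dataset grant and its expiry."""
    dataset: str
    expires_at: float  # epoch seconds


@dataclass(frozen=True)
class Passport:
    subject: str            # researcher identity
    visas: tuple[Visa, ...]


@dataclass(frozen=True)
class TaskPermission:
    subject: str
    datasets: frozenset[str]
    expires_at: float


class AuthorizationAPI:
    """The 'Authorization API' in the diagram: exchanges a passport plus the task's
    data refs for an opaque, task-scoped token; the permissions stay server-side."""

    TASK_TOKEN_TTL = 3600.0  # assumed: one hour

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._permissions: dict[str, TaskPermission] = {}

    def issue_task_token(self, passport: Passport, data_refs: set[str]) -> str:
        if not data_refs:
            raise ValueError("task references no data sets")
        now = self._clock()
        live = [v for v in passport.visas if v.expires_at > now]  # expired visas grant nothing
        missing = data_refs - {v.dataset for v in live}
        if missing:
            raise PermissionError(f"no valid visa for {sorted(missing)}")
        # The task token must not outlive the shortest visa it depends on.
        visa_deadline = min(v.expires_at for v in live if v.dataset in data_refs)
        expires_at = min(now + self.TASK_TOKEN_TTL, visa_deadline)
        token = secrets.token_urlsafe(32)  # opaque reference, carries no claims
        self._permissions[token] = TaskPermission(passport.subject, frozenset(data_refs), expires_at)
        return token

    def lookup(self, token: str) -> Optional[TaskPermission]:
        """Resolve a token; expired entries are dropped (the 'expiration timer')."""
        perm = self._permissions.get(token)
        if perm is None:
            return None
        if perm.expires_at <= self._clock():
            del self._permissions[token]
            return None
        return perm


class AccessAPI:
    """The 'Access API' in the diagram: each data request carries the task token
    in an HTTP header and is checked against the cached permissions."""

    def __init__(self, authz: AuthorizationAPI, repository: dict[str, bytes]):
        self._authz = authz
        self._repository = repository

    def request_data(self, headers: dict[str, str], dataset: str) -> bytes:
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not token:
            raise PermissionError("missing bearer token")
        perm = self._authz.lookup(token)
        if perm is None:
            raise PermissionError("unknown or expired task token")
        if dataset not in perm.datasets:
            # Valid token, but this task was never authorized for that data set.
            raise PermissionError(f"task token not scoped to {dataset}")
        return self._repository[dataset]


def run_flow(now: float = 1_700_000_000.0) -> dict:
    """Constructed walk-through of the diagram; returns the outcomes for inspection."""
    clock = {"t": now}
    authz = AuthorizationAPI(clock=lambda: clock["t"])
    access = AccessAPI(authz, {"ds-A": b"rows-of-A", "ds-B": b"rows-of-B", "ds-C": b"rows-of-C"})
    passport = Passport("researcher-1", (Visa("ds-A", now + 86_400), Visa("ds-B", now + 600)))

    token = authz.issue_task_token(passport, {"ds-A", "ds-B"})  # task T uses A and B
    headers = {"Authorization": f"Bearer {token}"}
    out = {"a": access.request_data(headers, "ds-A")}
    try:
        access.request_data(headers, "ds-C")  # not referenced by T: denied
        out["c_denied"] = False
    except PermissionError:
        out["c_denied"] = True
    try:
        authz.issue_task_token(passport, {"ds-C"})  # no visa for C: no token issued
        out["c_token_refused"] = False
    except PermissionError:
        out["c_token_refused"] = True
    clock["t"] = now + 601  # the ds-B visa lapses, so the token it backs lapses too
    try:
        access.request_data(headers, "ds-A")
        out["expired"] = False
    except PermissionError:
        out["expired"] = True
    return out
```

The token expiry is deliberately capped at the earliest expiry of any visa the task depends on, so a cached permission can never outlast the visa that justified it; a production Authorization API would also revoke the entry when the task completes rather than waiting for the timer.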