implement authentication and authorization of access

[aarppe]

In the corpus specifications, the attribute limitedAccess determines whether access authorization, and thus user authentication is needed.

Of known Korp instances, the Swedish Language Bank (Språkbanken) and CSC - IT Centre for Science (Finland) have implemented such AA procedures. The CSC version (https://korp.csc.fi/) appears more robust than the Språkbanken (https://spraakbanken.gu.se/korp/), as CSC makes use of identity federations, cf.

https://korp.csc.fi/shibboleth-ds/index.html?https%3A%2F%2Fkorp.csc.fi%2Flab%2F%23%3Flang%3Den%26shib_logged_in

Interestingly, one can find UAlberta and UCalgary, and for the latter get as far as a menu requesting a userid and password.

https://cas.ucalgary.ca/cas//login?service=https%3A%2F%2Fshibboleth.ucalgary.ca%2Fidp%2FAuthn%2FExtCas%3Fconversation%3De1s1&entityId=https%3A%2F%2Fsp.korp.csc.fi%2F

What we may have to decide who do we consider as IdP's: Google, Facebook, or also the academic ones. For non-academic folks, one might assume they might have a FB account, as much as I wouldn't be entirely happy to make use of them.

[dwhieb]

One service to consider:

Auth0 is an identity provider that's becoming widely adopted in a lot of open source projects. It aggregates identity providers (Facebook, Twitter, Google, etc.) into a single service. You can specify which identity providers you'd like to allow/disallow. So your application redirects to Auth0 for login, and the Auth0 service figures out the rest, allowing users to login with their provider of choice, matching users by email if they choose to login with different identity providers on different occasions.