I have a web app which has a dashboard view running on my.domain1.com. In the dashboard view I provided an icon of dataverse (running on my.dataverse.com). I have already enabled the OpenID for dataverse and it works fine. Is there any solution that I can provide the ability so that when the user clicks on the icon in my web app then the "Login with OpenID" in dataverse gets clicked, initiating the OpenID authentication?
What you are asking about is very similar to what the SPA is up to.
@Guillermo Portas I don't remember - could you login via API bearer token and get a session going? Because that's what you'd need, right?
Oliver Bertuch said:
Guillermo Portas I don't remember - could you login via API bearer token and get a session going? Because that's what you'd need, right?
Could you explain more about this approach? Currently, my users can login via OpenID when they go to the dataverse app and initiate the login process from there. However, I have a dashboard app where users can launch all their apps, including dataverse. But I don't know how to initiate the OpenID login process from within my dashboard app.
The new SPA for Dataverse has a similar goal. They want to enable smooth switching between the old JSF UI and the new React SPA UI.
The necessary component for that is an OIDC provider, allowing a single place to log in at
Next, enabling logging in at the SPA and simply switching to the JSF UI will require creating a session. So when you go from the SPA to the JSF UI, you don't log in again.
That sounds very similar to what you're trying to do
But I don't know if this is already possible or if they are still working on that part.
Where is the "SPA for Dataverse"?
You can already use the API with a bearer token from your OIDC provider
Development happens here: https://github.com/IQSS/dataverse-frontend
Oliver Bertuch said:
You can already use the API with a bearer token from your OIDC provider
Could you explain this a little bit, please.
http://preview.guides.gdcc.io/en/develop/api/auth.html#bearer-tokens
Oliver Bertuch said:
http://preview.guides.gdcc.io/en/develop/api/auth.html#bearer-tokens
Is it not possible to use an API Token instead of a Bearer Token?
Of course that's possible.
Actually Bearer Tokens are a feature preview right now
You'd need to enable them
But they will allow for better integration of Dataverse with other services
The transition of Dataverse to becoming a backend and a separate frontend application is underway
So you mean I should first create an api token for my OIDC provider so then the provider can call another endpoint (by using the api token) of dataverse to launch it?
Maybe @Johannes D or @Vera Clemens can explain how they use bearer tokens.
@Oliver Bertuch Could you login via API bearer token and get a session going? <- AFAIK, No. If I am not wrong the login logic through an OIDC provider is only supported in JSF login and not in the API.
In fact, the goal is to enable direct OIDC integration in the future with login through PKCE in the SPA, but to do this, if I'm not mistaken, we need to first standardize OIDC in the backend.
That's why I mentioned Johannes and Vera. As far as I understand, their alternative frontend to Dataverse uses OIDC and bearer tokens to maintain a session. And they don't use JSF.
Yes, we enabled the preview feature by setting the environment variable DATAVERSE_FEATURE_API_BEARER_AUTH to 1. Then we authorize our API calls by sending the Authorization: Bearer ... header. Not sure if this answers the question in this thread completely. @Johannes D feel free to add if I missed something.
This might be interesting here: https://stackoverflow.com/a/31037858
The thread is about an SSO (which is implemented at the reverse proxy level), but the idea with the filter could be reused in our case, too. We could create a filter that looks for a Bearer token somewhere in the initial request to Dataverse. That way coming from the SPA or some other application integrated with Dataverse (it must know it should send the token) you would be immediately logged in and from then on would use the session during further interaction
I am aware that this is tricky WRT security... Moving around the access token like that might not be optimal.
@Mohsen Jafari I assume you want something like https://github.com/IQSS/dataverse/pull/10278. This API call creates an account via a configured OIDC provider. When already present, the user is just authenticated (i.e. init a classic session). For this use case SSO, i.e. silent authentication (prompt=none), is not needed. However, we could also implement silent logins for the "old" JSF pages...
I became overwhelmed in this regard and cannot decide what would be the best but simplest path to go for solving my problem.
Last updated: Oct 30 2025 at 06:21 UTC