OAuth and Single-Sign On (with Pressbooks & Hypothesis)


#1

I saw with some interest that Hypothesis has recently switched to using the standard OAuth protocol: https://web.hypothes.is/blog/leaving-cookies-for-oauth-authentication/. We’re imagining a situation in which we allowed SSO to our Pressbooks instance via NetID (powered by Shibboleth) and that the same credentials could be used to create a user account for Hypothesis (installed by plugin on our network). I configured SSO using a shibboleth plugin on an old self-hosted instance, but don’t know enough to know where to begin in thinking about how to log into both services with the same credentials. Can anyone advise or offer some initial pointers/suggestions?


#2

Here’s a simplified and hopefully clearer explanation of what I’m after:

  1. We want to have the option of giving users one login to gain access to both Pressbooks and Hypothesis (when the hypothesis plugin is installed and activated for a book).
  2. We’re also looking at bringing Pressbooks into our Learning Management System via LTI, and would love to be able to use their university credentials to give them SSO access to both tools.

#3

I’ll be working on the same with the Dev and LMS Admin teams in the coming weeks. Look forward to cross-contributing/sharing our progress and/or barriers as we proceed.


#4

I just got a reply from Jon Udell and Robert Knight at Hypothesis:

We currently have two types of accounts:

  • First-party accounts. These are what you and most H users have today. They require users to sign up on our site with an email, username and password. We manage the accounts, and they work anywhere on the web.
  • Third-party accounts. These are managed by publishers who create accounts that correspond to accounts in their systems, to which users are automatically logged in. Third-party accounts can only be used on publishers’ pages that embed Hypothesis, users can’t create private groups, and don’t have the use of search/profile pages (https://web.hypothes.is/profile-pages/).

We plan to extend first-party accounts with the ability to quickly create them using existing IDs (e.g. Google, ORCID), and log into them using those IDs.

OAuth is a protocol used by the Hypothesis browser app to handle login to the Hypothesis web service. It resolves some issues that our previous method had with ad-blocking features in browsers and it also enables third parties to write custom software that can interact with a user’s Hypothesis account in the same way our official extension/embed can. The H5P prototype is an example of such custom software.

With that as background:

You asked: “We’re running an instance of Pressbooks with the Hypothesis plugin installed and networked-activated. We want to have the option of giving users one login to gain access to both Pressbooks and Hypothesis”

One approach: Implement third-party accounts in Pressbooks+Hypothesis-plugin. (You can see a reference implementation at https://github.com/hypothesis/publisher-account-test-site.) The limitations mentioned above would apply. This approach wouldn’t require new Hypothesis core development, but would require work on the Pressbooks+Hypothesis-plugin side.

Another approach: Extend Hypothesis first-party accounts with the ability to be created from (or linked to) pre-existing Pressbooks/Wordpress accounts. We haven’t explored that in detail yet. It would require new Hypothesis core development.

You wrote: “We’re also looking at bringing Pressbooks into our Learning Management System via LTI, and would love to be able to use their university credentials (powered by Shibboleth).”

We’re now refining our Canvas prototype. We expect (though it’s not yet decided) that we’ll use third-party accounts to enable single signon to Hypothesis using Canvas (and eventually other LMS) credentials. Whether/how to extend first-party accounts for use in this environment is another thing not yet explored in detail.

@hughmcguire, @ned, and @dac.chartrand, we’ll likely want to discuss some of these options with you at some point in the next several months as we explore implementation. I think the first option they describe, namely “implement[ing] third-party accounts in the Pressbooks+Hypothesis-plugin” may be a point of discussion if you decide to pursue tighter integration between Pressbooks/Hypothesis.


#5

Here’s what my thinking is at present. We’d like to explore two things:

  1. whether we can configure the hypothesis plugin for WordPress to implement a ‘third-party account’ using the reference implementation at https://github.com/hypothesis/publisher-account-test-site. If we’re successful with this, then we could allow us to create Hypothesis accounts when new Pressbooks accounts are created.
  2. Set up our Pressbooks instance to allow SSO with a Shibboleth plugin. I did this previously with a test server and it worked well for us. This means that users would use their campus credentials (we call it their ‘NetID’) to create a Pressbooks user account. If step 1 were properly configured, I believe that they would also generate a third-party hypothesis account at the same time.