REMS can produce and consume cryptographically signed GA4GH Visas that assert a user's access rights.
In the language of the GA4GH specifications, REMS acts as a Passport Visa Assertion Repository, a Passport Visa Issuer and an Embedded Token Issuer.
More info about GA4GH visas:
- The GA4GH Passport specification
- The GA4GH Authentication and Authorization Infrastructure specification
- The GA4GH Genomic Data Toolkit
Visa support is experimental and has to be enabled with the `:enable-permissions-api` configuration parameter. After this, the `/api/permissions` API can be used to query visas for a given user. See the API docs in the development environment.
The API returns one ControlledAccessGrant visa in the GA4GH Embedded Token format for each resource the user is entitled to. The visas are signed with the RSA private key specified in the `:ga4gh-visa-private-key` configuration parameter. The corresponding public key should be configured via the `:ga4gh-visa-public-key` parameter. As the specification requires, the visa headers have a `jku` parameter that points to the `/api/jwk` URL, where the public key can be fetched for verifying the visa.
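The round trip described above, as an added Go example that is not REMS code: the issuer signs a ControlledAccessGrant embedded token with RS256 and a `jku` header, and the consumer verifies it against a public key it has already pinned to the trusted REMS `/api/jwk` URL, checking the signature before reading any claim and rejecting other `jku` values, bad signatures, malformed tokens and expired visas. The minimal claim layout, the host rems.example.org and the 2048-bit key are assumptions; `NewKey` stands in for the key REMS loads from `:ga4gh-visa-private-key`.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
var b64 = base64.RawURLEncoding
type VisaToken struct { // assumed minimal claim shape of one embedded-token visa
	Exp  int64          `json:"exp"`
	Visa map[string]any `json:"ga4gh_visa_v1"` // type, value, by, ...
}
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) } // stands in for :ga4gh-visa-private-key
// SignVisa is the issuer side: RS256 over header.payload, with jku in the header.
func SignVisa(key *rsa.PrivateKey, jku string, v VisaToken) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "jku": jku})
	body, _ := json.Marshal(v)
	in := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	d := sha256.Sum256([]byte(in))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:])
	return in + "." + b64.EncodeToString(sig), err
}

// VerifyVisa is the consumer side: pub is the key already pinned for trustedJku,
// never one fetched from whatever jku an unverified token happens to name.
func VerifyVisa(tok, trustedJku string, pub *rsa.PublicKey, now int64) (*VisaToken, error) {
	h, rest, _ := strings.Cut(tok, ".")
	b, s, ok := strings.Cut(rest, ".") // a 4th segment leaves a "." in s, which fails to decode
	hdrJSON, e1 := b64.DecodeString(h)
	body, e2 := b64.DecodeString(b)
	sig, e3 := b64.DecodeString(s)
	hdr, v := map[string]string{}, VisaToken{}
	if !ok || e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hdrJSON, &hdr) != nil ||
		hdr["alg"] != "RS256" || hdr["jku"] != trustedJku {
		return nil, errors.New("malformed token, unexpected alg, or untrusted jku")
	}
	d := sha256.Sum256([]byte(h + "." + b)) // check the signature before trusting any claim
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig); err != nil {
		return nil, err
	}
	if json.Unmarshal(body, &v) != nil || v.Visa["type"] != "ControlledAccessGrant" || v.Exp <= now {
		return nil, errors.New("not an unexpired ControlledAccessGrant visa")
	}
	return &v, nil
}
```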
Upon login, REMS fetches an id token from the OIDC server's userinfo endpoint and parses the `ga4gh_passport_v1` claim contained in it. If a ResearcherStatus visa is found in the passport, REMS sets the user attribute `researcher-status-by` to the `by` field of the visa (i.e. `"so"` or `"system"`).
If an applicant has `researcher-status-by` with value `"so"` or `"system"`, REMS shows the handler an "Applicant researcher status" checkbox in the applicant details.
See also the Bona Fide bot in bots.md.