How to verify users with third party APIs?
-
@Topper the verified groups part is relatively simple to setup and would essentially be approval to access content on joining that group. It would use standard NodeBB permission to achieve that.
The API part is a little more tricky as this will depend on a token exchange from system to another. Likely, and I could be wrong, you'll need to exchange a token from the NDA system to then tell NodeBB to add the user to the group.
It's possible, but I can't help feeling it's over complicated. To start with, perhaps manual addition would be better whilst your forum is in it's early stages?
-
@phenomlab thank you for your answer. How are the users in the verified group verified? I thought about using the passport verification because with that you would have a legal way to go after people that stole ideas because they are verified and digitaly signed the NDA. I think this feature would give users some security to post ideas. I am not sure if I understand you correctly with the manual addition. Do you mean that users could apply to get into the verified users group?
-
@Topper yes, exactly that, or once you have evidence that they've read and agreed to the NDA then you add them manually.
I'm very familiar with NDA process as it's a good chunk of what I do in my real job.
Edit - another thought here could be a simple system that does not permit access to the forum itself until you tick a box to accept the NDA. This, like the cookie message, would then store a session variable in the browser meaning it wouldn't display again unless you clear the cache. Rather like an acceptable use policy for example.
You could also hook into the registration process to make the NDA acceptance part of that. @baris @julian would be better qualified to describe this part, but it could be done with simple JS functions also.
-
@phenomlab this is very valuble advice for me. I didnt know that you would only need a ceckbox to have a legaly valid NDA signment. I will have to check that for the german law. Btw what if you make a NDA with companies from different countries that have differnt laws on this? Is there some international law? 🤨
-
@Topper for clarity, the checkbox isn't legal acceptance, as NDA requires physical signature. Depending on the nature of the content, an NDA may not be applicable unless there is information being exchanged which if leaked could harm either party or may be proprietary such as a business model or intellectual property.
If this were the case, the forum would have to be closed to the public in lieu of the above, and then how do you stop other members from viewing content where they did not sign a specific NDA ?
This is a potential legal minefield which then confers legal responsibility to the forum owner, which many not be palatable.
-
@phenomlab Okay, so a digital signment would get the job done also, since it is legaly equivalent in the EU. I planned on doing a master sheet for the NDA that would have fields that can be filled with the relevant data for each case. This would be shown before the user loads a topic in the "secure idea discussion" category. Verification would be necessary for using this category.
It still isnt optimal because users can see the topic names when they are opening the category. But i guess that is also required for filling the fields of the master sheet.I am indeed a bit worried about the whole legal thing since it has the potential to be a big as you say minefield.
-
I looking to use this process for digtal signature: https://authada.de/en/sign-sign-digitally/
-
@Topper good approach, but I think it should have some form of legal oversight to ensure you aren't having the terms of any specific NDA. One idea here would be to use a mutual NDA that protects both entities, but in my opinion, there are always cases where language needs to be changed to suit one specific party, but you can't please everyone.
-
@Topper great idea. Let them handle the legality. As a forum owner, you want to be an expert on the subject matter, not the law, but you of course have to abide by it, particularly as you are within and targeting the EU.
-
@phenomlab for the specifics of a NDA i will have to consult a lawyer anyways. The good thing about the signiture with the passport would be that everyone in the EU has one, and that it resticts the usage to the EU also (i think it is hard to sue someone in china that used an idea without permission/paying). The bad thing about using the passport would be that atleast in germany it has to be activated via a mail by the authority. But adoption is rising since it is one way to do the tax return online.
-
@Topper agreed on not being able to sue anyone in China. The same situation applies to intellectual property rights in any country outside of the EU - technically, it's unenforceable.
The only other point that immediately springs to mind is GDPR. If you're using passports as a means of identity, then this is the holy grail and whoever stores them needs to have their own conditions in place to ensure PII is not being inadvertently breached.
-
@phenomlab yes thats true with the GDPR. I havent put much thought on that but it could be an issue. The service i want to use encrypts the data and sends it to their customer (in his case my forum). Then it would be my duty to protect that data. Another way that comes to my mind would be that only the two contractors get some kind of digitaly signed document, so that the forum does not have to store this information.
-
@topper I think I am late to the party here, but my thoughts:
- The easiest approach would be to use a new user group for your verified users, I am not sure whether you were referring to
verified-users
group, but that is a special system group for users who have confirmed their email addresses. - If your NDA signing site has the ability to send web hooks, you could leverage that with a custom NodeBB plugin to consume the request and add the user to the appropriate user group
- The other advantage of using user groups, is that you would be able to limit category access to just that user group. So you wouldn't have topic names exposed either, unless you wanted it
- The easiest approach would be to use a new user group for your verified users, I am not sure whether you were referring to
-
@Topper in this case, you become both a custodian and data processor, so you'll need a GDPR statement that covers this fact. It's a good idea to keep the passport information separated from the forum for obvious reasons.
You'll also need a mechanism for potential users of the site to be able to request their data, for which you'd have 30 days to comply with that request.
Very tricky model indeed, and definitely needs serious thought.
-
@phenomlab i will have to look into the whole GDPR thing.
I would rather have a one sided NDA on the side of the idea user if thats possible, the tought behind that would be that the ideagiver of a good idea then has multiple people trying to make that idea a reality. Imagine there was a very good idea and the first person that stumbled on the idea would do a twosided NDA but is not capeable of realising that idea. This idea would be lost, since the ideagiver can not present others the idea. For me it would be optimal, if the ideagiver has the possibility to present the idea to multiple people (thats why i use a forum software).
Im not sure if there is a way to not store the passport data
What if the passport data can be written into the NDA and after that deleted on the forum server? The ideagiver would get the NDA document. I dont know if there needs to be a signment from both the ideagiver and the idea user. If thats the case I need to store the data. An argument for storing the data would also be usability -
@julian thank you for your answer. As phenomlab said the NDA would need a signment. If only the idea user has to sign the NDA, this would be an option.
So to speak email verified users can post into the „secure idea discussion“ category and only NDA signer and therefore passport verified users can look into the topics in this category
Is it possible to hide the content (from other users) in this category from the idea poster but allow them to post? I dont think there is this option in the admin panel.
-
@Topper said in How to verify users with third party APIs?:
Im not sure if there is a way to not store the passport data
Sorry - let me clarify here. I don't mean you shouldn't store the passport data - just not on the forum itself as that would expose it should the forum become breached. One idea would be to have someone else who specialises in this type of data handling store it on your behalf (who has the relevant security and data protection controls in place, plus legal indemnity in the event of any breach). The real issue here is that the custodian of that data becomes duty bound to protect it, and your agreement is between them, and the forum users. To this end, it would mean another spoke in the wheel and something else to worry about in terms of governance - which you really cannot avoid as you have to be able to provide satisfactory evidence that the data and the controls surrounding it are under regular (ideally quarterly) review.
Another way would be to have a secure vault - something like OwnCloud or NextCloud (there are also SSO plugins available for NodeBB integration, or you should share the same user token between the two systems - although this would mean that NextCloud (for example) would have to become the master system, and not NodeBB - essentially, the session would persist, and could then be used to login to NodeBB). The secure storage container itself would need to be encrypted (I've done this many times and we also use it in my workplace).
You'll also need to be able to demonstrate controls are in place to protect data at rest, in transit, etc.
Whilst I really like the concept of what you are looking to do, it really does need legal oversight before bringing to fruition. The nature of passport information storage alone will open you up to GDPR and the ICO (or German equivalent - probably the Data Protection Authority). That I can help you with, but not the legal side sadly.