Tapestry

Wording changes

*Old wording*Explanatory text: "The link below will take you to the Open
Humans website where you will be able to create an account. Once you have
an account, you'll be returned to the PGP website, where you must approve
the export of huID to your Open Humans account."

Button: "Add authorization"

*New wording*Explanatory text: "The link below will take you to the Open
Humans website. You'll be able to create an account there. We will send
Open Humans your participant identifier (huABC123), enabling transfer of
your public data, once you finalize this data transfer on the Open Humans
website."

Button: "Share my data with Open Humans"

*New wording once the user has authorized Open Humans*The button is not
shown and the explanatory text becomes: "You've connected Open Humans to
your PGP account and we've shared your participant ID. If you would like to
remove this data and connection from Open Humans, you'll need to do so
within your account on <a href="
https://www.openhumans.org/member/me/connections/">Open Humans</a>."

Procedural changes
The "origin" parameter
A new querystring parameter, "origin", will be sent to Open Humans in the
initial request to /oauth2/authorize/. PGP will also accept the "origin"
querystring parameter on the PGP side and forward it through to Open Humans
via the request to /oauth2/authorize/. This parameter is also sent to
OAuth2 callback on the PGP side.

Immediate sending of huID
The huID will be sent immediately after the OAuth2 callback is called (
https://my.pgp-hms.org/auth/open-humans/callback).

Conditional redirect based on "origin" parameter
Depending on the value of the origin parameter the user will be redirected
either back to Open Humans (if the origin is "open-humans") or to the PGP
Open Humans participation page (if the origin is not present or is anything
but "open-humans"; we suggest using the string "external")

For example:

User starts on Open Humans
1. Open Humans sends user to
https://my.pgp-hms.org/open_humans/participate?origin=open-humans
2. User clicks button on PGP site
3. PGP sends user to https://www.openhumans.org/oauth2/authorize/?(OAuth2
parameters)&origin=open-humans (using the value of "origin" that the page
was loaded with)
4. If the user authorizes then the user is redirected back to the OAuth2
callback endpoint at
https://my.pgp-hms.org/auth/open-humans/callback?(OAuth2
parameters)&origin=open-humans
5. PGP then sends the huID to Open Humans and redirects the user back to
https://www.openhumans.org/member/me/research-data/

User starts on PGP
1. User clicks button on PGP site
2. PGP sends user to https://www.openhumans.org/oauth2/authorize/?(OAuth2
parameters)&origin=external (using "external" because the page was not
loaded with an origin specified)
3. If the user authorizes then the user is redirected back to the OAuth2
callback endpoint at
https://my.pgp-hms.org/auth/open-humans/callback?(OAuth2
parameters)&origin=external
4. PGP then sends the huID to Open Humans and sends the user to
https://my.pgp-hms.org/open_humans/participate where they see the "You've
connected Open Humans to your PGP account" text

Let me know if any of this needs clarification. :)

And here's the flowchart/mockup URL again if that's useful:
https://personalgenomes.mybalsamiq.com/projects/update-pgp/prototype/Updating%20PGP%20Harvard%20connection?key=30090b9af
29d405942c7403dec78fb37c4ff5b62

Thanks,

Beau