Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ORCID authentication via the ORCID Public API #5279

Closed
barryrowlingson opened this issue Nov 6, 2018 · 8 comments
Closed

ORCID authentication via the ORCID Public API #5279

barryrowlingson opened this issue Nov 6, 2018 · 8 comments

Comments

@barryrowlingson
Copy link

ORCID have two APIs, the "public" and the "member".

The docs say this about the public API: https://orcid.org/developer-tools

What you can do with the public API
 The public API enables your system or application to:
   Allow users to sign into your system/application with their ORCID username and password

I've got a ClientID and ClientSecret for the public API, but when I configure Dataverse and hit the "Create or connect your ORCID" button, I get a dataverse authentication error page. Looking at the network traffic, clicking the button causes a GET to https://orcid.org/oauth/authorize with parameters:

  • response_type=code
  • scope=/read-limited

as well as the Client ID and some other things.

The response from orcid.org is a 302 Found redirect, with a location header to callback.xhtml on my site, with parameters:

  • error=invalid_scope
  • error_description=Invalid%20scope:%20/read-limited

When I look into the API, I see that /read-limited is only allowed by the Member API: https://github.com/ORCID/ORCID-Source/blob/master/orcid-model/src/main/resources/record_2.1/README.md#scopes

I don't fully understand how Oauth works, but to me it seems that:

  • The Public API should be usable to authenticate users to a system
  • Dataverse is sending scope=read-limited to Orcid
  • scope=read-limited is only allowed by the Member API
  • Dataverse reflects the error.

I might be able to get a Member API key - our university is a member - but there's a lot of hoop jumping involved, and the statement that the Public API should be able to authenticate users make me think I shouldn't have to. Is it just a case of changing scope=read-limited to something else roundabout here:

public OrcidOAuth2AP(String clientId, String clientSecret, String userEndpoint) {

Or is it fundamentally not possible to do ORCID auth on a site with a Public API key?

@pdurbin
Copy link
Member

pdurbin commented Nov 6, 2018

@barryrowlingson hi. Over at http://guides.dataverse.org/en/4.9.4/installation/oauth2.html I wrote the following:

"In the case of GitHub and Google, this is as simple as clicking a few buttons and there is no cost associated with using their authentication service. ORCID, on the other hand, does not have an automated system for requesting these credentials, and it is not free to use the ORCID authentication service."

I believe this is still true. As an institution, you still have to pay for ORCID members to log into your app. It's part of their business model, unless something has changed.

@barryrowlingson
Copy link
Author

So why do ORCID say:

What you can do with the public API
 The public API enables your system or application to:
   Allow users to sign into your system/application with their ORCID username and password

And I don't see any contradiction with the terms-of-service:

https://orcid.org/content/orcid-public-client-terms-service

And I don't think the public api requires any institutional involvement.

@pdurbin
Copy link
Member

pdurbin commented Nov 6, 2018

@barryrowlingson I don't know. It looks like you found the right part of the code to hack on if you want to try using "/read-public" or whatever Public API scope you hope might work. I don't know if you've tried compiling Dataverse yet but it isn't too bad. You can just install Maven and run mvn package.

@pameyer
Copy link
Contributor

pameyer commented Nov 6, 2018

If I'm remembering correctly; the code Dataverse uses for ORCID authentication also queries for a user's email address on account creation (if one is available, and the user choose to make it visible). That might be the reason for the additional scope.

@poikilotherm
Copy link
Contributor

poikilotherm commented Jul 4, 2019

I dunno if this is still relevant, but I'd like to link some resources. @pdurbin maybe this can be closed then and re-opened on request?

You can use the Public API for the /authentication scope:
https://members.orcid.org/api/oauth/orcid-scopes

Requesting access is however a manual process, no matter if you want to use Public API or Member API. To register a public API cient, you can find help here: https://support.orcid.org/hc/en-us/articles/360006897174.

Please be aware, that OrcidOAuth2AP.java:60 uses the Member API only scope.

Resulting TODOs:

  1. Make scope configurable
  2. Make OrcidOAuth2AP.java.getUserRecord() public-API aware

@pdurbin
Copy link
Member

pdurbin commented Jul 8, 2019

@poikilotherm thanks.

@barryrowlingson what do you think? Are you still interested in this issue?

@barryrowlingson
Copy link
Author

Thanks for the attention but we're adding users manually to our dataverse (there's not a lot of them) so we're not using ORCID. I say "manually" I mean I've written some python scripts to interface with the API to do it, so that's pretty neat. Mark me as "Not still interested".

@pdurbin
Copy link
Member

pdurbin commented Jul 8, 2019

@barryrowlingson I'm glad that "add user" API endpoint is working out for you! I'm going to ahead and close this.

Everyone should feel free to open fresh issues for any current needs or ideas, of course. 😄

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

4 participants