ORCID authentication via the ORCID Public API #5279
Comments
|
@barryrowlingson hi. Over at http://guides.dataverse.org/en/4.9.4/installation/oauth2.html I wrote the following:
I believe this is still true. As an institution, you still have to pay for ORCID members to log into your app. It's part of their business model, unless something has changed. |
|
So why do ORCID say: And I don't see any contradiction with the terms-of-service: https://orcid.org/content/orcid-public-client-terms-service And I don't think the public api requires any institutional involvement. |
|
@barryrowlingson I don't know. It looks like you found the right part of the code to hack on if you want to try using "/read-public" or whatever Public API scope you hope might work. I don't know if you've tried compiling Dataverse yet but it isn't too bad. You can just install Maven and run |
|
If I'm remembering correctly; the code Dataverse uses for ORCID authentication also queries for a user's email address on account creation (if one is available, and the user choose to make it visible). That might be the reason for the additional scope. |
|
I dunno if this is still relevant, but I'd like to link some resources. @pdurbin maybe this can be closed then and re-opened on request? You can use the Public API for the Requesting access is however a manual process, no matter if you want to use Public API or Member API. To register a public API cient, you can find help here: https://support.orcid.org/hc/en-us/articles/360006897174. Please be aware, that OrcidOAuth2AP.java:60 uses the Member API only scope. Resulting TODOs:
|
|
@poikilotherm thanks. @barryrowlingson what do you think? Are you still interested in this issue? |
|
Thanks for the attention but we're adding users manually to our dataverse (there's not a lot of them) so we're not using ORCID. I say "manually" I mean I've written some python scripts to interface with the API to do it, so that's pretty neat. Mark me as "Not still interested". |
|
@barryrowlingson I'm glad that "add user" API endpoint is working out for you! I'm going to ahead and close this. Everyone should feel free to open fresh issues for any current needs or ideas, of course. 😄 |
ORCID have two APIs, the "public" and the "member".
The docs say this about the public API: https://orcid.org/developer-tools
I've got a ClientID and ClientSecret for the public API, but when I configure Dataverse and hit the "Create or connect your ORCID" button, I get a dataverse authentication error page. Looking at the network traffic, clicking the button causes a GET to https://orcid.org/oauth/authorize with parameters:
response_type=codescope=/read-limitedas well as the Client ID and some other things.
The response from orcid.org is a 302 Found redirect, with a location header to callback.xhtml on my site, with parameters:
error=invalid_scopeerror_description=Invalid%20scope:%20/read-limitedWhen I look into the API, I see that /read-limited is only allowed by the Member API: https://github.com/ORCID/ORCID-Source/blob/master/orcid-model/src/main/resources/record_2.1/README.md#scopes
I don't fully understand how Oauth works, but to me it seems that:
I might be able to get a Member API key - our university is a member - but there's a lot of hoop jumping involved, and the statement that the Public API should be able to authenticate users make me think I shouldn't have to. Is it just a case of changing scope=read-limited to something else roundabout here:
dataverse/src/main/java/edu/harvard/iq/dataverse/authorization/providers/oauth2/impl/OrcidOAuth2AP.java
Line 59 in e12cc47
Or is it fundamentally not possible to do ORCID auth on a site with a Public API key?
The text was updated successfully, but these errors were encountered: