Enabling users to register or sign into your system using their ORCID credentials can save them time and effort; they don’t have to keep track of multiple usernames and passwords, and you immediately obtain an authenticated ORCID iD. At the same time, you can request permission to read or update their ORCID record.
LINKING ORCID AND LOCAL ACCOUNTS
When you have collected the authenticated ORCID iD, you can link the user’s ORCID account with their local account in your system.
You collect authenticated IDs when you ask a researcher to sign in with their ORCID iD. This process uses a technology called “OAuth” or “SSO” and should be built into your workflow.
See the API Tutorial ‘Get an Authenticated ORCID iD‘ for more details.
Once the user returns to your site, check whether the returned iD already exists in your system. If so, then proceed to Recognize an ORCID sign-in. If not, prompt the user to do one of the following:
Tip: If you have read the user’s email address on their ORCID record, search for that email address and prompt the user to sign in if it is already in your system.
- Link to an existing local account
- Register a new local account
Linking to an existing local account: Request that the user sign into your system using their account credentials for your system. Upon successful sign-in, associate the two accounts by storing the ORCID iD and access token together with the linked local account.
Registering a new local account: Provide the user with your usual registration form and display the ORCID iD on the form to indicate that it has been successfully authenticated. You can save the user time by filling in data that you have read from their ORCID record.
Take it a step further:
- You can also prompt the user to connect their ORCID iD from their profile or accounts setting page in your system! When the user later signs into your system using their ORCID iD, the accounts will already be linked.
Provide an unlink option: We strongly recommend that you provide an option for users to unlink their ORCID iDs from their local accounts in your system and remove all data associated with their ORCID iD.
Use your client ID, secret, and either the active token or its associated refresh token to revoke the token pair. You can revoke token pairs created in both the two-legged and three-legged OAuth processes. If you have multiple sets of tokens, e.g. for different scopes, only the specified access token and corresponding refresh token will be revoked.
We suggest revoking tokens in the following conditions:
- To revoke tokens issued to a third-party supplier after the termination of a relationship;
- To revoke tokens when users disconnect their ORCID iD from your system;
- To allow users to revoke tokens from within your system.
We recommend using the refresh tokens to limit the scope or duration of an existing access token or update a token if it has been compromised.
The revoke API call
https://sandbox.orcid.org/oauth/revoke (or https://orcid.org/oauth/revoke)
METHOD: POST
HEADER: accept:application/json
CONTENT-TYPE: application/x-www-form-urlencoded
DATA:
client_id=[Your client ID]
client_secret=[Your client secret]
token=[access token or refresh token for token pair to be revoked]
RECOGNIZE AN ORCID SIGN-IN
Once accounts are linked, your system will need to recognize whether a user with a linked account has signed in using ORCID Registry credentials.
To recognize whether an ORCID sign-in is a valid authentication:
- Obtain the ORCID iD using the authentication flow described above. If the iD matches one in your system, consider the associated account to be signed in.
- Check whether the user is signed into ORCID, where appropriate. Reinitiate a sign in request if required by your system’s security protocol.