Enabling users to register or sign into your system using their ORCID credentials can save them time and effort; they don’t have to keep track of multiple usernames and passwords, and you immediately obtain an authenticated ORCID iD. At the same time, you can request permission to read or update their ORCID record.ORCID should be made available as the easiest means of sign-in and registration for users.
Sign in Best Practices
- Allow users to sign in to your system with their ORCID credentials.
- Request the scopes that are relevant to the action that you would like to complete in relation to the user’s ORCID record.
- Once accounts are linked your system must recognise whether a user with a linked account has signed in using ORCID Registry credentials.
- Do not request users to change their visibility settings for your integration. If you are unable to retrieve the email address from the ORCID record then we would recommend:
- Request the user to enter the email address manually into your system
- Validate the manually entered email via an email verification workflow before finalizing the account linking between your system and ORCID
Linking ORCID and Local Accounts
When you have collected the authenticated ORCID iD at sign in, you should link the user’s ORCID account with their local account in your system.
You will need to check whether the returned authenticated iD already exists in your system. If so, then proceed to Recognize an ORCID sign-in. If not, prompt the user to do one of the following:
- Link to an existing local account. Request that the user sign into your system using their account credentials for your system. Upon successful sign-in, associate the two accounts by storing the ORCID iD and access token together with the linked local account.
- Register a new local account. Provide the user with your usual registration form and display the ORCID iD on the form to indicate that it has been successfully authenticated. You can save the user time by filling in data that you have read from their ORCID record.
Recognise an ORCID Sign In
Once accounts are linked, your system will need to recognize whether a user with a linked account has signed in using ORCID Registry credentials.
To recognize whether an ORCID sign-in is a valid authentication:
- Obtain the ORCID iD using the authentication flow described above. If the iD matches one in your system, consider the associated account to be signed in.
- Check whether the user is signed into ORCID, where appropriate. Reinitiate a sign in request if required by your system’s security protocol.