OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It supplements existing OAuth authentication flows and provides information about users to clients in a well described manner.
OpenID connect is a standardised way of implementing OAuth and sharing information about authenticated users. It will now be possible to configure services to use ORCID "out of the box" alongside other standards compliant OpenID connect providers. OpenID connect also provides sharable ID tokens, which are signed objects that can prove a user authenticated using ORCID at a specific time. These tokens can be used by user interface elements to maintain user sessions.
ORCID supports the Basic OpenID Provider conformance profile, which is an extension of the OAuth authorization code flow. ORCID also supports the implicit token flow for the "/authenticate" and "openid" scopes.
This means that ORCID:
- Embeds signed id tokens within token responses for authorization codes generated with the 'openid' scope
- Supports the implicit flow when using 'token' or 'token id_token' response_types and the 'openid' scope.
- Supports the 'prompt', 'nonce' and 'max_age' parameters for authorisation requests that include the 'openid' scope.
- Supports Openid Connect discovery and userinfo endpoints
- Supports the 'amr' field for integrators using the member API for authorisation requests that include the 'openid' scope. This can be used to discover if a user authenticated using two factor authentication.
Initiating an OpenID Connect authentication works the same way as a regular OAuth authentication. All that is required is that the client request the 'openid' scope If you are using the /authenticate scope replace it with openid, as authenticate and openid have the same authorization only one or the other should be used. If you are using any other scopes, add openid to the list of scopes requested. When the openid scope is included, the Registry will return an id_token inside the token response and grant the client permission to access the user info endpoint for that user.
Note that the 'openid' scope does not start with a '/' like the other ORCID API scopes. This is because the 'openid' scope is not defined by ORCID, but instead defined by the OpenID Connect specification.
See our technical documentation for more information.