What are redirect URIs and how are they used?
Redirect URIs are used by our OAuth authentication service as a security measure. ORCID will only send authenticating users to URIs registered by the client requesting authentication. This prevents services from impersonating each other.
Please note that only HTTPS URIs are accepted in production. You can test using HTTP URIs but you will need to register HTTPS URIs when you apply for production member API credentials.
How do we match redirect URIs?
- You MUST register subdomains as separate URIs. https://anythingelse.thirdparty.com will not work.
- Registering all redirect URIs fully, including path is encouraged, is what most third parties do and is the most secure option.
- If the client app is registered with a redirect uri that is just the host name, then any redirect uri at that host can be used. So, for example if the following redirect uri is registered: https://thirdparty.com then all of the following redirect_uris will work:
However, https://anythingelse.thirdparty.com will not work. You MUST register subdomains as separate URIs.
What happens if my redirect URI is incorrect?
Users sent to authenticate at ORCID with incorrect redirect URIs will see an error message similar to this:
Managing redirect URIs for members
If you are using the member API and require any changes to your redirect URIs then please contact our Engagement Team
Managing redirect URIs for public clients
If you are using the public API then you will need to follow the steps below to update your list of redirect URIs that are associated with your ORCID public API client ID. You can do this by following the steps below:
- Sign in to your ORCID record
- Click your name in the right hand corner
- Select developer tools
- Click the edit pencil next to the client name
- Edit an existing redirect URI or click ‘Add another redirect URI’ edit an existing one
- Once you have made your changes you need to click the save icon
Only HTTPS URIs are accepted in production. You can test using http URIs but you will need to register HTTPS URIs when you apply for production member API credentials.