Authentication using ORCID

December 1, 2019

ORCID provides a persistent digital identifier for individuals. Its support for automated linkages across professional activities is particularly useful for researchers. More.

Enabling access control with ORCID helps promote consistent researcher identity and reduces the challenges of local identity management.

This note describes the process for controlling access to resources being served with the Apache web server and the CodiMD collaborative editor.

Herein:

{CLIENT_ID} = Client application ID

{CLIENT_SECRET} = Client application secret

Apache configuration described here uses the mod_auth_openidc module and assumes installation on Ubuntu 18.04 or later.

To install:

sudo apt install libapache2-mod-auth-openidc
sudo a2enmod auth_openidc

Apache configuration for ORCID with mod_auth_openidc. Placed for example in a VirtualHost configuration section:

OIDCProviderMetadataURL "https://orcid.org/.well-known/openid-configuration"
OIDCClientID "{CLIENT_ID}"
OIDCClientSecret "{CLIENT_SECRET}"
OIDCRedirectURI "https://beehivebeach.com/orcid_only/_oar/"
OIDCScope "openid email"
OIDCCryptoPassphrase "some auth passphrase string"

Folder /orcid_only/ access allowed to anyone authenticated with ORCID:

<Location /orcid_only>
  AuthType openid-connect
  Require valid-user
</Location>

For example: https://beehivebeach.com/orcid_only/

Folder /o/{ORCID} access allowed for specific ORCID:

<LocationMatch "^/o/(?<orcid>[^/]+)">
        AuthType openid-connect
        Require user "%{env:MATCH_ORCID}@orcid.org"
        Options Indexes MultiViews FollowSymLinks
</LocationMatch>

Log in to a CodiMD instance using ORCID. The email address is not readily available with the ORCID public API:

"oauth2": {
  "clientID": "{CLIENT_ID}",
  "clientSecret": "{CLIENT_SECRET}",
  "authorizationURL": "https://orcid.org/oauth/authorize?response_type=code&scope=/authenticate",
  "tokenURL": "https://orcid.org/oauth/token",
  "userProfileURL": "https://orcid.org/oauth/userinfo",
  "userProfileUsernameAttr": "sub",
  "userProfileDisplayNameAttr": "name",
  "userProfileEmailAttr": ""
}