ORCID, OpenID Connect, and Implicit Authentication


ORCID is a researcher-centric system that connects people with their activities.  These connections are made as researchers interact with a variety of information systems, such as manuscript submission systems, institutional repositories or grant management systems. This seamless updating of ORCID records is possible because the ORCID members who operate these systems have integrated with the ORCID Registry.

In order to update researcher records, ORCID integrations must provide ORCID with two things: the researcher’s authenticated ORCID iD and their permission to make updates. Authenticating iDs is an essential step in any system that uses ORCID, as it is the only way to ensure that a researcher is reliably connected to their own iD. Until recently, the only way to authenticate a researcher’s ORCID iD and gather the required permissions was via a specific OAuth process.

We’re happy to announce that we have now added support for OpenID Connect (and the implicit OAuth flow!), which opens the door to some exciting integration options for all types of integrations.

What are OAuth and OpenID Connect?

In lay terms, OAuth and OpenID Connect are standard ways of exchanging identity information on the web.  Whenever you see a “Sign in with X” button on a website, chances are that it is using OAuth behind the scenes.  OpenID Connect is built on top of OAuth 2.0 and adds a couple of useful features, including shareable ID tokens: digitally signed objects that prove a user authenticated with ORCID to a specific service at a specific time.

In technical terms, OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol.  It adds authentication to the existing OAuth 2.0 authorization flows and provides information about users to clients in a well-defined way, including a dedicated UserInfo endpoint and ID tokens, which are digitally signed JSON Web Tokens (JWTs).

What is implicit authentication?

The implicit flow is a lighter-weight variation of OAuth 2.0 with a lower barrier to entry: the tokens are returned directly to the browser in the redirect, so there is no server-side token exchange and no client secret. This makes it quicker and easier for organisations to integrate ORCID into their services.

For the more technical among us, this means OAuth can be implemented entirely in the browser using JavaScript alone, without requiring any server-side components. The trade-off is that the tokens arrive in the URL fragment of the redirect and are handled by code running in the user’s browser, so the application must validate the ID token itself (signature, issuer, audience, expiry and the nonce it sent with the request) and tie the redirect back to its own session with the state parameter. Note that the OAuth 2.0 Security Best Current Practice now recommends the authorization code flow with PKCE over the implicit flow for browser-based applications; the ID token checks are the same either way.

Why has ORCID adopted these technologies?

OpenID Connect and the implicit OAuth flow are standardised ways of implementing OAuth and sharing information about authenticated users.  Here at ORCID we love standards because they are well-tested and make life easier for everyone. The major benefit is that it is now possible to configure services to use ORCID “out of the box”.  For example, you can now ask people to log into your WordPress blog by doing nothing more than configuring a generic OAuth plugin!

For those of you building more complex services, these can now be configured to use a standard OpenID Connect library, which vastly reduces development effort.  Using the implicit OAuth flow and OpenID Connect ID tokens, the increasingly common “one page JavaScript application” can integrate ORCID authentication with nothing more than a handful of JavaScript: just 36 lines of code for our example Spring Security integration and 45 lines for our example JavaScript implementation.

Integration

These new features have been beta tested by ORCID members, who provided very positive feedback -- the integration process was described by Dr Jason Gush of the ORCID New Zealand Consortium/Royal Society Te Apārangi as “painless”!

For a detailed technical explanation of how to integrate ORCID authentication using these new features please see our OpenID Connect integration documentation.  The OpenID Connect core specification may also be useful.  Please let us know if you have any specific questions, and don’t forget to share your own use cases with us!