On Oct 6, 2020, at 2:43 AM, Companjen, B.A. <[log in to unmask]> wrote:
> I use ORCID authentication via OpenID Connect in a WordPress site. The main gotcha is that ORCID doesn't provide the user's email address in an OIDC-standard way, whereas WordPress says it requires an email address for each user. Even if a user has a public email address, you can only get it through the ORCID profile API (or you'd have to persuade the user to complete their profile manually). I haven't gone through this trouble and haven't had real issues, but other applications may be more strict.
> Another gotcha is that as a normal ORCID user, you can only have one registered application (API key and secret). This application can have multiple redirect URIs, so it might not affect you directly.
>
> --
> Ben
Ben (et al.), thank you for sharing your experience, and based on my investigations it looks as if garnering a person's email address via ORCID can be problematic. I think the solution is to make some sort of explicit request of the address, and this is done by programmatically asking the person being authenticated for trust. --Eric Morgan
|