Preserving authentication and multiple access tokens

We’re making a couple of changes to the OAuth workflow that will improve the experience for sites using ORCID sign in for authentication.

  1. If an active access token already exists with the same scopes and the user is logged into their ORCID record, they will not be prompted to grant authorization again. Instead they will be taken directly to the redirect URI.

  2. If an authorization code is exchanged for a new access token when an access token with the same scopes already exists, a new access token will be issued (currently the existing access token is returned). Both the new and old access tokens will continue to work until they expire.

In practice these changes will work like this.

When a researcher clicks the ‘link to ORCID’ button on your site for the first time, they are taken to the ORCID website, where they sign in and grant you access to their record. They are then returned to the redirect URI and you exchange the authorization code for an access token. (This is the same workflow as before.)

The researcher then clicks the ‘link to ORCID’ button again. Instead of seeing the authorize page, they are immediately taken to the redirect URI. A new authorization code is issued; if you exchange this authorization code, you will be sent a new access token.
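The following is an added example, not ORCID's own code: a small Python model of the two rules above, written so a client developer can see the consequence for token storage. It assumes a token lifetime of one hour and uses a constructed ORCID iD and example scope strings; it is not a real authorization server.

```python
"""Model of the two OAuth rules described above (added example, not ORCID's
code): an active token with the same scopes skips the consent prompt, and
every code exchange mints a fresh token while older ones stay valid until
they expire. Clients must therefore expect a different token each time."""
import secrets
import time

TOKEN_LIFETIME = 3600  # seconds; assumed lifetime, not ORCID's real value


class AuthServerModel:
    def __init__(self):
        self.tokens = {}  # token -> (user, client, scopes, expires_at)
        self.codes = {}   # code  -> (user, client, scopes)

    def active_tokens(self, user, client, scopes=None, now=None):
        """All unexpired tokens for this user/client (optionally same scopes)."""
        now = time.time() if now is None else now
        return [t for t, (u, c, s, exp) in self.tokens.items()
                if u == user and c == client and exp > now
                and (scopes is None or s == scopes)]

    def authorize(self, user, client, scopes, logged_in, consented=False, now=None):
        """Return ('login', None), ('prompt', None) or ('redirect', code)."""
        if not logged_in:
            return ("login", None)
        scopes = frozenset(scopes)
        # Rule 1: logged in + active token with identical scopes => no prompt.
        if not (consented or self.active_tokens(user, client, scopes, now)):
            return ("prompt", None)
        code = secrets.token_urlsafe(16)
        self.codes[code] = (user, client, scopes)
        return ("redirect", code)

    def exchange(self, code, now=None):
        """Rule 2: always issue a new token; never hand back an existing one."""
        now = time.time() if now is None else now
        user, client, scopes = self.codes.pop(code)  # codes are single-use
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (user, client, scopes, now + TOKEN_LIFETIME)
        return token
```

Because the old token keeps working until it expires, a client that overwrites its stored token on every exchange still leaves earlier tokens live; track every token you were issued if you need to reason about what is outstanding.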