Workflow: Sign in using ORCID credentials

Member flow for ORCID single sign on
Enabling users to log into your system using their ORCID credentials can be desirable: it saves them time and means they don't have to remember multiple usernames and passwords. In the same sign in flow you can also request permission to read from or write to the user's ORCID Record, if your integration is permitted to do so. However, you should carefully consider whether offering ORCID as a sign in option is appropriate for your system before proceeding.
 
ORCID sign in is similar to the social sign in with Google or Facebook offered on ORCID and other websites. Sign in is protected only by a username and password: multi-factor authentication is not supported at this time, and ORCID currently provides no notification service in the event of credential misuse. Treat an ORCID sign in as single-factor, password-strength authentication. It may therefore not be appropriate if you require stronger authentication, or specific information such as an email address, affiliation, or role, which an ORCID sign in does not provide.
 
Some of the early adopters of ORCID sign in include:

ORCID sign-in consists of three steps:
  • Incorporating an ORCID sign in button/link as an option for signing into your site
  • Linking your account with the ORCID iD/sign in
  • Recognizing an ORCID sign in as a valid authentication for your system
The purpose of this document is to provide high-level guidance for these steps.
 

Member flow: Sign in using ORCID credentials

  1. Incorporating an ORCID sign in button/link
  2. Linking your account
  3. Recognizing an ORCID sign in

 


1. Incorporating an ORCID sign in button/link

The first thing that users should see is a screen inviting them to sign into your system. Since you will be enabling users to sign into your system using alternate credentials, possibly in addition to those already used by your system, the sign in options could be displayed as illustrated below.


2. Linking your account

There are two possible scenarios where the user’s accounts on your system and ORCID have not yet been linked:

  1. The user first signs into your system, or
  2. The user first signs into the ORCID registry.

 

  1. The user first signs into your system
    1. The user enters their sign in credentials for your system.
    2. After a successful sign in, present an option for the user to connect an ORCID account.
    3. If the user chooses this option, initiate an authentication flow via OAuth to receive an authenticated ORCID iD, and, if desired, request other permissions such as reading from or writing to the user's ORCID Record in the same request.
    4. Once the user returns to your site, store the authenticated ORCID iD with the user's account, along with the access token where you requested read or write access to the user's ORCID Record. Only an iD obtained by your server from the OAuth token exchange is authenticated; an iD passed along by the browser is not, and must not be stored as a link.

 

  2. The user first signs into the ORCID registry
    1. When the user clicks the “Sign in with ORCID” button, your system initiates an authentication flow via OAuth to receive an authenticated ORCID iD.
    2. Once the user returns to your site, check whether the returned iD is already linked to an account in your system.
      1. If yes, continue to step 3, “Recognizing an ORCID sign-in”.
      2. If no, request that the user sign into your system to associate the two accounts, keeping the authenticated iD in the server-side session while they do, and request other permissions such as reading from or writing to the user's ORCID Record (if desired).
    3. After a successful sign in, store the ORCID iD with the user's account, as well as an access token to read from or write to the user's ORCID Record where relevant.

 


3. Recognizing an ORCID sign-in

Once accounts are linked, your system will need to recognize whether a user with a linked account has signed in using ORCID Registry credentials.

To recognize whether an ORCID sign in is a valid authentication:

  1. Obtain the ORCID iD using an authentication flow via OAuth. If the iD matches one linked to an account in your system, consider that account to be signed in.
  2. Decide how long an ORCID sign in remains valid for your system. Where appropriate, check whether the user is still signed into ORCID, and reinitiate the OAuth sign in request when your system's security policy requires fresh authentication.
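The linking flow in step 2 and the recognition check in step 3 are the same OAuth exchange seen from two starting points. The following is an added example, not ORCID's own code, of a minimal server-side implementation in Python. It assumes the ORCID OAuth endpoints https://orcid.org/oauth/authorize and https://orcid.org/oauth/token (sandbox.orcid.org while testing), the /authenticate scope, and that the token endpoint's JSON reply carries the authenticated iD in an "orcid" field; the client id, client secret, redirect URI, user names and the fake token reply are constructed for illustration. The HTTP POST is injected so the flow runs offline.

```python
"""Sign in with ORCID via the OAuth 2.0 authorization-code flow (added example, not ORCID's
own code). Assumes https://orcid.org/oauth/authorize and /oauth/token (sandbox.orcid.org for
testing), the /authenticate scope, and an "orcid" field in the token reply. POST is injected."""
import json
import secrets
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional

ORCID_BASE = "https://orcid.org"  # https://sandbox.orcid.org while testing
AUTHORIZE_URL = f"{ORCID_BASE}/oauth/authorize"
TOKEN_URL = f"{ORCID_BASE}/oauth/token"


def orcid_checksum_ok(orcid: str) -> bool:
    """Verify the ISO 7064 MOD 11-2 check character of an iD such as 0000-0002-1825-0097."""
    digits = orcid.replace("-", "")
    if len(digits) != 16 or not digits[:-1].isdigit() or digits[-1] not in "0123456789X":
        return False
    total = 0
    for ch in digits[:-1]:
        total = (total + int(ch)) * 2
    result = (12 - total % 11) % 11
    return digits[-1] == ("X" if result == 10 else str(result))


def post_form(url: str, fields: Dict[str, str]) -> dict:
    """Default back channel: POST a form to ORCID server-to-server and decode the JSON reply."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode(),
                                 headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def state_of(authorize_url: str) -> str:
    """Extract the state parameter from an authorize URL (used by the demo below)."""
    return dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(authorize_url).query))["state"]


class OrcidSignIn:
    def __init__(self, client_id: str, client_secret: str, redirect_uri: str,
                 post: Callable[[str, Dict[str, str]], dict] = post_form) -> None:
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.post = redirect_uri, post
        self.pending: Dict[str, Optional[str]] = {}  # state -> local user who is linking, else None
        self.links: Dict[str, str] = {}              # ORCID iD -> local user id
        self.tokens: Dict[str, dict] = {}            # local user id -> token reply (encrypt at rest)

    def start(self, local_user_id: Optional[str] = None) -> str:
        """Build the authorize URL; state is random, single-use and tied to this session."""
        state = secrets.token_urlsafe(32)
        self.pending[state] = local_user_id
        params = {"client_id": self.client_id, "response_type": "code", "scope": "/authenticate",
                  "redirect_uri": self.redirect_uri, "state": state}
        return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)

    def callback(self, query: str) -> dict:
        """Handle the redirect from ORCID; the iD is read only from the token reply, never from the browser."""
        q = dict(urllib.parse.parse_qsl(query))
        if q.get("state") not in self.pending:
            raise PermissionError("unknown or reused state (login CSRF or replay)")
        local_user_id = self.pending.pop(q["state"])
        if "code" not in q:
            raise PermissionError(f"ORCID returned no code: {q.get('error', 'unknown error')}")
        token = self.post(TOKEN_URL, {"client_id": self.client_id, "client_secret": self.client_secret,
                                      "grant_type": "authorization_code", "code": q["code"],
                                      "redirect_uri": self.redirect_uri})
        orcid = str(token.get("orcid", ""))
        if not orcid_checksum_ok(orcid):
            raise ValueError(f"malformed ORCID iD in token reply: {orcid!r}")
        if local_user_id is not None:      # scenario 1: signed in locally, now linking
            return self.link(orcid, local_user_id, token)
        user = self.links.get(orcid)
        if user is None:                   # scenario 2b: unknown iD, ask for a local sign in
            return {"status": "needs_local_login", "orcid": orcid, "token": token}
        return {"status": "signed_in", "user": user, "orcid": orcid}  # step 3: recognised

    def link(self, orcid: str, local_user_id: str, token: dict) -> dict:
        """Store the iD and token with the local account; `orcid` must be one callback() returned."""
        owner = self.links.get(orcid)
        if owner is not None and owner != local_user_id:
            raise PermissionError("ORCID iD already linked to another account; resolve the conflict")
        self.links[orcid] = local_user_id
        self.tokens[local_user_id] = token
        return {"status": "linked", "user": local_user_id, "orcid": orcid}


def fake_post(url: str, fields: Dict[str, str]) -> dict:
    """Constructed stand-in for ORCID's token endpoint so the example runs offline."""
    assert url == TOKEN_URL and fields["grant_type"] == "authorization_code"
    return {"access_token": "constructed-token", "token_type": "bearer", "scope": "/authenticate",
            "name": "Josiah Carberry", "orcid": "0000-0002-1825-0097"}


if __name__ == "__main__":
    sso = OrcidSignIn("APP-EXAMPLE", "example-secret", "https://example.org/orcid/callback", post=fake_post)
    first = sso.callback("code=abc123&state=" + state_of(sso.start()))  # unknown iD: needs_local_login
    sso.link(first["orcid"], "alice", first["token"])                    # after the local sign in
    print(sso.callback("code=def456&state=" + state_of(sso.start())))   # signed_in as alice
```

Two checks carry the security weight here: `state` is random, bound to the pending sign in and consumed on first use, so a forged or replayed callback is rejected; and the ORCID iD is taken only from the token endpoint's reply, never from the redirect query or a form field. The checksum test rejects malformed iDs early, and `link` refuses to move an iD that is already linked to a different local account rather than silently re-pointing it. Token storage is an in-memory dict for the example; in a deployment, keep tokens encrypted at rest and only retain them when you actually requested Record access.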