OJS3.1.1.4 ORCID Plugin missing redirect URI http header [solved]

Hi everyone

I have been getting the "invalid redirect URI’ with the ORCID profile plugin and after a while of trying to play with my ORCID API settings, I realised that the ORCID profile plugin is missing the scheme header in its redirect URI:

https://orcid.org/signin?oauth&client_id=APP-XXXXXXXXXXX&response_type=code&scope=/authenticate&redirect_uri=%2F%2Fjournaldomain.com%2Findex.php%2Fjournal%2Forcidapi%2ForcidAuthorize%3FtargetOp%3Dregister%26params%3D

If I add back the “https:” and try to test the signin, it seems to work again.

I suspect that this might be because I’m running OJS on apache behind nginx. But my nginx server block is configured to forward the host and protocols. I can see the full url in my apache server logs and everything else on my site works fine. I can test the authentication link and if I add back the “https:” then it seems to work OK.

Does anyone know of what might be wrong or if there are any workarounds I can use? Thanks for your help

The relevant chunk from my nginx server block configuration:

location ~ \.php? {
proxy_http_version 1.1;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_pass http://127.0.0.1:8080;
}

If it helps, here is a line from my apache server log:

127.0.0.1 - - [15/Nov/2018:07:53:06 -1100] "GET /index.php/journal/$$$call$$$/page/page/css?name=stylesheet HTTP/1.1" 200 27515 "https://journaldomain.com/index.php/journal/user/register" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134"

And the equivalent request from my nginx server log:

123.456.987.654 - - [15/Nov/2018:07:53:06 -1100] "GET /index.php/journal/$$$call$$$/page/page/css?name=stylesheet HTTP/2.0" 200 27515 "https://journaldomain.com/index.php/journal/user/register" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134" "-"

1 Like

Hello, @shaun, Alainna from ORCID here.

You must include the full Redirect URI in your OAuth call, and all Redirect URIs must be listed in your client. Redirect URIs require a protocol, either http or https. Therefore your call should be something along the lines of:

https://orcid.org/oauth/authorize?client_id=APP-XXXXXXXXXXX&response_type=code&scope=/authenticate&redirect_uri=https://journaldomain.com/index.php/journal/orcidapi/orcidAuthorize?targetOp=register&params=xxxxx

For more, see:

If you have any additional questions, you may wish to follow up with the ORCID API Users Group.

Hi alainna. Thanks for confirming that’s the issue. Do you know how to get the ORCID profile plugin to generate the correct OAuth call?

I figured out a solution. I added the “https:” to line 14 in /ojs/plugins/orcidProfile/templates/orcidProfile.tpl so that it reads:

var oauthWindow = window.open("{$orcidProfileOauthPath|escape}authorize?client_id={$orcidClientId|urlencode}&response_type=code&scope=/authenticate&redirect_uri=https:{url|urlencode router=“page” page=“orcidapi” op=“orcidAuthorize” targetOp=$targetOp params=$params escape=false}", “_blank”, “toolbar=no, scrollbars=yes, width=500, height=600, top=500, left=500”);

Hi @shaun,

Do you have protocol-relative URLs in your config.inc.php under e.g. base_url[abc] = xyz?

Regards,
Alec Smecher
Public Knowledge Project Team

Hi @asmecher

I’m not using that setting - changing it didn’t have any effect on my site, but I turned on protocol-relative URLs using this workaround that modifies line 157 of /lib/pkp/classes/core/PKPRequest.inc.php in order to get OJS to work with apache and an nginx reverse proxy.

I guess the result is that some plugins are not seeing the protocol when they generate URLs and this is causing issues if the URL is needed for something external.