ORCiD-Plugin: Authorizing OJS as trusted organization during submission workflow fails

  • Application Version - OJS 3.2.1-3 and ORCiD Plugin 1.1.2.18
  • Using ORCiD sandbox: ORCiD Authorization request during submission workflow fails
  • Create new ORCiD account, create new OJS user, submit new publication for that user, log in as journal editor, accept submission, receive notification mail as orcid-user, click link from mail, click “Authorize access” in ORCiD sandbox, error shown is “Your ORCID iD could not be verified. The link is no longer valid”, error in logfile is “No author found with supplied token”
  • We noticed that the publicationId is missing in the URL after clicking “Authorize access”. If it is appended to the URL, everything works as expected.

URL for Authorization:
https://sandbox.orcid.org/oauth/authorize?client_id=APP-SOMETHING&response_type=code&scope=%2Factivities%2Fupdate&redirect_uri=https:%2F%2Fojs.example.com%2Findex.php%2Ftestjournal%2Forcidapi%2ForcidVerify%3Ftoken%replacedforcopypaste&publicationId=1234
Note this contains the publicationId.

URL after clicking “Authorize access”:
https://ojs.example.com/index.php/testjournal/orcidapi/orcidVerify?token=replacedforcopypaste&code=AbCdE
Note that the publicationId is missing.

This URL works, changing the above by adding publicationId:
https://ojs.example.com/index.php/testjournal/orcidapi/orcidVerify?token=replacedforcopypaste&code=AbCdE&publicationId=1234

We only saw that the publicationId might cause this issue, as it is needed in the plugin’s code:

Note: Authorizing a user profile outside the submission workflow (e.g. via profile) works without any issues.

Edit: @Dulip_Withanage could you please comment on this?
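
Added example (not from any poster in this thread and not the plugin's code): how a standard query-string parser splits an authorization URL of the shape quoted in the first post, where `&publicationId=...` follows the `redirect_uri` value without percent-encoding. The URL, `TOKEN` and the function names are constructed for illustration; the thread does not confirm this as the cause.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed URL shaped like the authorization link in the first post:
# "&publicationId=1234" follows the redirect_uri value without percent-encoding.
AUTHORIZE_URL_AS_POSTED = (
    "https://sandbox.orcid.org/oauth/authorize?client_id=APP-SOMETHING"
    "&response_type=code&scope=%2Factivities%2Fupdate"
    "&redirect_uri=https:%2F%2Fojs.example.com%2Findex.php%2Ftestjournal"
    "%2Forcidapi%2ForcidVerify%3Ftoken%3DTOKEN&publicationId=1234"
)


def split_authorize_url(authorize_url):
    """Return (redirect_uri, other top-level parameter names) as a parser sees them."""
    params = parse_qs(urlsplit(authorize_url).query)
    others = sorted(name for name in params if name != "redirect_uri")
    return params["redirect_uri"][0], others


def callback_carries(authorize_url, name):
    """True if `name` is a query parameter of the redirect_uri itself."""
    redirect_uri, _ = split_authorize_url(authorize_url)
    return name in parse_qs(urlsplit(redirect_uri).query)


def build_authorize_url(endpoint, client_id, scope, callback, callback_params):
    """Encode the callback's own query, then encode the whole callback as one value."""
    redirect_uri = callback + "?" + urlencode(callback_params)
    return endpoint + "?" + urlencode({
        "client_id": client_id,
        "response_type": "code",
        "scope": scope,
        "redirect_uri": redirect_uri,
    })


if __name__ == "__main__":
    uri, others = split_authorize_url(AUTHORIZE_URL_AS_POSTED)
    print("redirect_uri:", uri)
    print("top-level parameters:", others)
    encoded = build_authorize_url(
        "https://sandbox.orcid.org/oauth/authorize", "APP-SOMETHING",
        "/activities/update",
        "https://ojs.example.com/index.php/testjournal/orcidapi/orcidVerify",
        {"token": "TOKEN", "publicationId": "1234"},
    )
    print("publicationId in callback (as posted):",
          callback_carries(AUTHORIZE_URL_AS_POSTED, "publicationId"))
    print("publicationId in callback (fully encoded):",
          callback_carries(encoded, "publicationId"))
```

An OAuth 2.0 authorization server appends `code` to the `redirect_uri` value it parsed, so a parameter that sits outside that value is not part of the callback it redirects to.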

Hi @ojs_univie ,

I have played your use-case with the OJS Plugin version 1.1.2.18.
The publication-id is correctly set, which is a global variable.

The only difference is that I use OJS 3.2.1-4.

Is it possible to check that you update the OJS and report, before I dig deeper into this issue?

Actually, if you have the correct version, then the reference should be in line 183

Sorry about the wrong line-reference. I might have done some search before adding it. I will check back with my colleagues, but I think it is unlikely that we will upgrade to 3.2.1-4 soon.

I have a question regarding “which is a global variable”: Since we suspect that the URL-Parameter is missing from the link generated by ORCiD Sandbox, this does not seem to be related to global variables, which would be a step further in the workflow. If the parameter is not given in the URL, how could there be a global variable?
(Gabriele)

We are receiving the same notification while testing a site-wide implementation of orcidProfile using ORCID sandbox: “Your ORCID iD could not be verified. The link is no longer valid.” BUT despite the notification the OJS instance is being verified by ORCID as a trusted org.

Versions
OJS 3.2.1-4
orcidProfile 1.1.2.18

Richard Higgins
Indiana University Libraries
https://scholarworks.iu.edu/journals

@Richard-Higgins

Thanks for the tip with the site-wide setting. Our tests generally run on a journal. I will check that scenario.

@ojs_univie maybe you had the same scenario.

Thank you, @Dulip_Withanage

Please note that I didn’t test individual journal. I’ll try that tomorrow. My main concern is identifying why it validated on ORCID side but produced failure notification in OJS.

Do you have a rewrite rule in your OJS server? I am using an Apache server without rewrite rules and actually it worked now.

The publicationid was given correctly too, what @ojs_univie mentions.

How was the configuration? Like this?

[orcid]
api_url = https://api.sandbox.orcid.org/
client_id = APP-xyz
client_secret = xyz

Yes, our config is sitewide in config.inc.php, not on journal-level.

I’m a bit unsure what you mean by this:

So it is different from what we mentioned? Because in our scenario the publicationid is not added to the link generated by the orcid Sandbox. We circumvented the issue by manually adding the publicationid to the url in the browser’s location bar. Sorry if that was not clear from the initial comment.

(Gabriele)

I apologize @ojs_univie, you are correct that it is the final URL that has been displaying the error. The process is successful if I add the publicationID at the end of the URL after the “code=”. And I was also wrong that Orcid validation worked despite the error.

So . . . I can confirm the same error with OJS 3.2.1-4.

Here are the details using individual journal configuration:
The Orcid login redirect does contain the publicationID
https://sandbox.orcid.org/signin?client_id=APP-REDACTED&response_type=code&scope=activitiesupdate&redirect_uri=https://ojs.org/test/index.php/test/orcidapi/orcidVerify?token=REDACTED&publicationId=12345

The return redirect back to OJS without publicationID throws the error.
ojs.org/test/index.php/test/orcidapi/orcidVerify?token=REDACTED&code=AbcDF
2021-06-15 16:27:57.952 ERROR OrcidHandler::orcidverify - No author found with supplied token

Like Gabriele, if I add the publication ID to the OJS return URL the validation works
ojs.org/test/index.php/test/orcidapi/orcidVerify?token=REDACTED&code=AbcDF&publicationId=12345

2021-06-15 16:28:24.010 INFO POST https://api.sandbox.orcid.org/oauth/token
2021-06-15 16:28:24.011 INFO Request header: array (
  0 => 'Accept: application/json',
)
2021-06-15 16:28:24.011 INFO Request body: code=AbcDF&grant_type=authorization_code&client_id=APP-REDACTED&client_secret=REDACTED
INFO Response body: {"access_token":"111111111111111111111111111","token_type":"bearer","refresh_token":11111111111111111111111","expires_in":90909090,"scope":"/activities/update","name":"Orcid Test","orcid":"0000-0001-0000-0000"}

Member sandbox API for me.

Could you pinpoint where in the plug-in code the return URL is produced? Or the specific class and/or functions for the ORCID email authorization process? Or in the testing scripts?

Note that the use case that’s failing is when an editor initiates an email to a user they’ve added as an author to a journal or submission. The user receives an email with a link to authorize trusted org status. The final redirect back to OJS is triggering verification failed rather than success without the pub ID added to the URL. Perhaps the addition of the pub ID is part of a larger process that triggers verified?

Lastly, the log quotes in my previous post are pulled from the orcid.log in our instance. What states produce the output “ERROR OrcidHandler::orcidverify - No author found with supplied token”?

What do you mean by writing:

Could you maybe post the URL-parameters you get from the ORCiD sandbox when clicking “Authorize” in the ORCiD sandbox, just so we can check that we are on the same page?

My colleague tells me we are also using the sandbox member api.
(Gabriele)

Hi @ojs_univie

https://sandbox.orcid.org/oauth/authorize?client_id=APP-XYZ&response_type=code&scope=/activities/update&redirect_uri=http://localhost/ojs/index.php/publicknowledge/orcidapi/orcidVerify?token=XYZ&publicationId=2

Hi @ojs_univie / @Richard-Higgins ,

I have also looked at what you suggested, that the publication id is not set. I have replaced the way the publicationId is retrieved in a dev-branch.

Will any of you be able to test that in a local OJS 3.2 installation?

@Dulip_Withanage Thanks so much for your assistance. Yes, I am happy to test any changes.

At the moment, though, I don’t see any code changes in any of the branches. Can you post the code snippet or a link to the commit?

The URL you posted earlier today in response to @ojs_univie is not the problem. The outgoing URL to ORCID is working fine, with the publicationID formed correctly. The process fails (i.e., the pubID is stripped) when redirecting back to OJS.
e.g., http://localhost/ojs/index.php/publicknowledge/orcidapi/orcidVerify?token=XYZ < no pubID

The error in the browser when publicationID is missing. http://localhost/ojs/index.php/publicknowledge/orcidapi/orcidVerify?token=XYZ < no pubID

not-verified

This is one step too soon. What does the link to ojs look like that you get after you click “authorize” on the page you see with the link you posted?
(Gabriele)

Here is what it should look like. The code you get from the ORCID.org

http://localhost/ojs/index.php/publicknowledge/orcidapi/orcidVerify?token=bb7b25941e8c94f387d4c21a8d052323&publicationId=2&code=XXY

Is this what you see in your scenarios during testing? I am aware this is what it should look like. You mentioned you weren’t seeing the same issue, so I wanted to check this detail in particular.
(Gabriele)

I was following your comment that publicationid is not in the link. But after that, if the communication was successful this should come. In between is orcid communication. Are you sure the server can access orcid api?

Other ORCiD-plugin related actions work, at least that’s what my colleagues told me.

EDIT: Sorry, it is not just what I was told: The authorization works if we edit the link to add the publication_id. So it must be working.
(Gabriele)