ORCiD-Plugin: Authorizing OJS as trusted organization during submission workflow fails

  • Application Version - OJS 3.2.1-3 and ORCiD Plugin
  • Using ORCiD sandbox: ORCiD Authorization request during submission workflow fails
  • Create new ORCiD account, create new OJS user, submit new publication for that user, log in as journal editor, accept submission, receive notification mail as orcid-user, click link from mail, click “Authorize access” in ORCiD sandbox, error shown is “Your ORCID iD could not be verified. The link is no longer valid”, error in logfile is “No author found with supplied token”
  • We noticed that the publicationId is missing in the URL after clicking “Authorize access”. If it is appended to the URL, everything works as expected.

URL for Authorization:
Note this contains the publicationId.

URL after clicking “Authorize access”:
Note that the publicationId is missing.

This URL works, changing the above by adding publicationId:

We only saw that the publicationId might cause this issue, as it is needed in the plugin’s code:

Note: Authorizing a user profile outside the submission workflow (e.g. via profile) works without any issues.

Edit: @Dulip_Withanage could you please comment on this?

Hi @ojs_univie ,

i have played your use-case with the OJS Plugin version
The puplication-id is correctly set, which is a global variable.

Only difference is that I use OJS 3.2.1-4

Is it possible to check, that you update the OJS and report, before I dig more deeper into this issue ?

Actually, if you have the correct version, then the reference should be in line 183

Sorry about the wrong line-reference. I might have done some search before adding it. I will check back with my colleagues, but I think it is unlikely that we will upgrade to 3.2.1-4 soon.

I have a question regarding “which is a global variable”: Since we suspect that the URL-Parameter is missing from the link generated by ORCiD Sandbox, this does not seem to be related to global variables, which would be a step further in the workflow. If the parameter is not given in the URL, how could there be a global variable?

We are receiving the same notification while testing a site-wide implementing of orcidProfile using ORCID sandbox: “Your ORCID iD could not be verified. The link is no longer valid.” BUT despite the notification the OJS instance is being verified by ORCID as a trusted org.

OJS 3.2.1-4

Richard Higgins
Indiana University Libraries


Thanks for the tip with site-wide setting. our tests generally run on a journal. I will check that scenario.

@ojs_univie may be you had the same scenario.

Thank you, @Dulip_Withanage

Please note that I didn’t test individual journal. I’ll try that tomorrow. My main concern is identifying why it validated on ORCID side but produced failure notification in OJS.

Do you have a rewrite rule in your ojs server. I am using a a apache server without rewrite rules and actually it worked now.

the publicationid was given correctly too, what @ojs_univie mentions.

How was the configuration ? like this ?

api_url = https://api.sandbox.orcid.org/
client_id = APP-xyz
client_secret = xyz

Yes, our config is sitewide in config.inc.php, not on journal-level.

I’m a bit unsure what you mean by this:

So it is different from what we mentioned? Because in our scenario the publicationid is not added to the link generated by the orcid Sandbox. We circumvened the issue by manually adding the publicationid to the url in the browser’s location bar. Sorry if that was not clear from the initial comment.


I apologize @ojs_univie, you are correct that it is the final URL that has been displaying the error. The process is successful if I add the publicationID at the end of the URL after the “code=”. And I was also wrong that Orcid validation worked despite the error.

So . . . I can confirm the same error with OJS 3.2.1-4.

Here are the details using individual journal configuration:
The Orcid login redirect does contain the publicationID

The return redirect back to OJS without publicationID throws the error.
2021-06-15 16:27:57.952 ERROR OrcidHandler::orcidverify - No author found with supplied token

Like Gabriele, if I add the publication ID to the OJS return URL the validation works

2021-06-15 16:28:24.010 INFO POST https://api.sandbox.orcid.org/oauth/token
2021-06-15 16:28:24.011 INFO Request header: array (
  0 => 'Accept: application/json',
2021-06-15 16:28:24.011 INFO Request body: code=AbcDF&grant_type=authorization_code&
client_id=APP-REDACTED&client_secret=REDACTED INFO 
Response body: {"access_token":"111111111111111111111111111","token_type":
"Orcid Test","orcid":"0000-0001-0000-0000"}

Member sandbox API for me.

Could you pinpoint where in the plug-in code the return URL is produced? Or the specific class and/or functions for the ORCID email authorization process? Or in the testing scripts?

Note that the use case that’s failing is when an editor initiates an email to a user they’ve added as an author to a journal or submission. The user receives an email with a link to authorize trusted org status. The final redirect back to OJS is triggering verification failed rather than success without the pub ID added to the URL. Perhaps the addition of the pub ID is part of a larger process that triggers verified?

Lastly, the log quotes in my previous post are pulled from the orcid.log in our instance. What states produce the output “ERROR OrcidHandler::orcidverify - No author found with supplied token.”

What do you mean by writing:

Could you maybe post the URL-parameters you get from the ORCiD sandbox when clicking “Authorize” in the ORCiD sandbox, just so we can check that we are on the same page?

My colleague tells me we are also using the sandbox member api.

Hi @ojs_univie


Hi @ojs_univie / @Richard-Higgins ,

I have also looked what you suggested, that the publication id is not set. I have replaced the way the publicationId is retrieved in a dev-branch.

will any of you be able to test that in a local OS 3.2 installation ?

@Dulip_Withanage Thanks so much for your assistance. Yes, I am happy to test any changes.

At the moment, though, I don’t see any code changes in any of the branches. Can you post the code snippet or a link to the commit?

The URL you posted earlier today in response to @ojs_univie is not the problem. The outgoing URL to ORCID is working fine, with the publicationID formed correctly. The process fails (i.e, the pubID is stripped) when redirecting back to OJS.
e.g, http://localhost/ojs/index.php/publicknowledge/orcidapi/orcidVerify?token=XYZ < no pubID

The error in the browser when publicationID is missing. http://localhost/ojs/index.php/publicknowledge/orcidapi/orcidVerify?token=XYZ < no pubID


This is one step too soon. What does the link to ojs look like that you get after you click “authorize” on the page you see with the link you posted?

Here is how it should look like. The code you get from the ORCID.org


Is this what you see in your scenarios during testing? I am aware this is what it should look like. You mentioned you weren’t seeing the same issue, so I wanted to check this detail in particular.

i was following your comment that publicationid is not in the link. But after that, if the communication was successful this should come. in between is orcid communcation. Are you sure the server can access orcid api ?

Other ORCiD-plugin related actions work, at least that’s what my colleagues told me.

EDIT: Sorry, it is not just what I was told: The authorization works if we edit the link to add the publication_id. So it must be working.