Implementing ORCID auth: Problem with cas.authn.pac4j.oauth2[0].profile-url


Aleix Mariné

Nov 7, 2023, 8:50:48 AM
to CAS Community
So I am trying to implement ORCID authentication using three-legged OAUTH which uses the OAUTH2 stack. 

In the ORCID documentation they explain three calls that can be made and also there is a tutorial on how to get an ORCID ID authenticated.
Authorize request

Provides an authorization code that can be exchanged for an access token and an authenticated ORCID iD.

Endpoint

https://sandbox.orcid.org/oauth/authorize

Scope

/authenticate

Response type

code

https://sandbox.orcid.org/oauth/authorize?client_id=APP-UL39T4BGTQ3TNB4L&response_type=code&scope=/authenticate&redirect_uri=REPLACE WITH REDIRECT URI
Token request

Provides an authenticated ORCID iD and an access token that can be used to read public information on the record.

Endpoint

https://sandbox.orcid.org/oauth/token

Response type

access token and ORCID iD

curl -i -L -k -H 'Accept: application/json' --data 'client_id=APP-UL39T4BGTQ3TNB4L&client_secret=187854af-f113-43da-8de5-eeed661aacce&grant_type=authorization_code&redirect_uri=REPLACE WITH REDIRECT URI&code=REPLACE WITH OAUTH CODE' https://sandbox.orcid.org/oauth/token
OpenID/Implicit request

Provides an access token that can be used to read public information on the record and an id_token using OpenID Connect and client-side only implicit OAuth. More information on OpenID Connect Endpoint

Endpoint

https://sandbox.orcid.org/oauth/token

Scope

openid

Response type

token

https://sandbox.orcid.org/oauth/authorize?client_id=APP-UL39T4BGTQ3TNB4L&response_type=token&scope=openid&redirect_uri=REPLACE WITH REDIRECT URI

In my CAS I put these properties:
cas.authn.pac4j.oauth2[0].clientName=ORCID
cas.authn.pac4j.oauth2[0].profileVerb=GET
cas.authn.pac4j.oauth2[0].secret=secretID
cas.authn.pac4j.oauth2[0].id=APP-UL39T4BGTQ3TNB4L
cas.authn.pac4j.oauth2[0].auth-url=https://sandbox.orcid.org/oauth/authorize
cas.authn.pac4j.oauth2[0].scope=/authenticate
cas.authn.pac4j.oauth2[0].token-url=https://sandbox.orcid.org/oauth/token
cas.authn.pac4j.oauth2[0].profile-url=https://api.sandbox.orcid.org/v3.0/{user}/record

cas.authn.pac4j.oauth2[0].customParams.response_type=code
cas.authn.pac4j.oauth2[0].customParams.client_id=code
cas.authn.pac4j.oauth2[0].profileAttrs.phone=phone
cas.authn.pac4j.oauth2[0].profileAttrs.id=APP-UL39T4BGTQ3TNB4L
cas.authn.pac4j.oauth2[0].profileAttrs.homeAddress=address

The problem comes from the property token-url. In order to retrieve the data of the user, I need to do an API request to the address https://api.sandbox.orcid.org/v3.0/{user}/record, but I do not know how to configure CAS to substitute {user} with the user ID that is trying to log in.
For example, let's say that the user 0009-0005-6065-7965 tries to log in. Then to retrieve their data I would do a request to https://api.sandbox.orcid.org/v3.0/0009-0005-6065-7965/record
I am also not really sure whether I really need to use the user record endpoint, since the token request also returns information about the user, but I also do not know how to capture and manipulate that information.
In practice, my CAS works alongside my application, offering the ORCID iD as one of the login methods. The redirection to the ORCID service, the login and the redirection back to CAS work well; the problem comes from capturing data when the ORCID login goes back to CAS.
So I would like to know:
- Do I really need to set and use the profile-url? If so, how can I make CAS understand that it needs to substitute {user} with the ORCID iD of the user that is trying to log in?
- Do I really need to capture certain values from the request to perform the authentication? How can I retrieve custom values from the response?
Thank you so much for your help!

Meysam Shirazi

Nov 7, 2023, 10:25:45 PM
to CAS Community, Aleix Mariné
I think you need to develop a wrapper API for profile-url like this (a normal API): https://www.googleapis.com/oauth2/v3/userinfo, so you can get the uid and send it in custom format to https://api.sandbox.orcid.org/v3.0/{uid}/record.

Aleix Mariné

Nov 8, 2023, 9:50:22 AM
to CAS Community, Meysam Shirazi, Aleix Mariné

Dear Meysam,

Thank you for your response. 

I imagined the possibility of adding a bean that acts as a wrapper for that particular endpoint, but I do not know what bean I need to implement... Do you have any hint or tip on how this should be implemented? Or where I can find documentation that talks about this process? Do you know any similar examples that I can take a look at?

Thank you so much!


Aleix

Aleix Mariné

Nov 8, 2023, 10:48:57 AM
to CAS Community, Aleix Mariné, Meysam Shirazi

So, I have found this documentation that explains the inner classes used by CAS to manage the OAUTH stack.

Should I reimplement this class?

h) OAuth20ProfileController (org.jasig.cas.support.oauth.web)
This controller returns a profile for the authenticated user (identifier + attributes), found with the access token (CAS granting ticket).

Do you know which methods do I need to rewrite?

Aleix Mariné

Nov 8, 2023, 10:54:34 AM
to CAS Community, Aleix Mariné, Meysam Shirazi
So, I have found this documentation.

Should I implement a class that implements this interface?

h) OAuth20ProfileController (org.jasig.cas.support.oauth.web)

This controller returns a profile for the authenticated user (identifier + attributes), found with the access token (CAS granting ticket).

What methods do I need to override to create my wrapper? Is there any documentation of this class? At least I would like to have the original source code to take a look into it.

Thank you for the help, as you can see I am a little lost on how to do it. 


Aleix


On Wednesday, November 8, 2023 at 15:50:22 UTC+1, Aleix Mariné wrote:

Ray Bon

Nov 8, 2023, 3:29:58 PM
to cas-...@apereo.org, aleix...@gmail.com, shirazi...@gmail.com
Aleix,

That documentation is _very_ old. There have been a lot of changes to CAS since 2014, not the least of which is the change from org.jasig to org.apereo.
Reading that document may provide some general understanding.

You can increase the logging level [debug|trace] to see what classes are doing. Then look at cas source to see what / where to make changes.

<!-- log4j2 loggers for the CAS OIDC/OAuth stack; raise to debug or trace while investigating -->
<AsyncLogger name="org.apereo.cas.oidc" level="warn" />
<AsyncLogger name="org.apereo.cas.oidc.web.flow" level="warn" />

Ray

On Wed, 2023-11-08 at 07:44 -0800, Aleix Mariné wrote:

The problem comes from the property token-url. In order to retrieve the data of the user, I need to do an API request to the address https://api.sandbox.orcid.org/v3.0/{user}/record, but I do not know how to configure CAS to substitute {user} with the user ID that is trying to log in.
For example, let's say that the user 0009-0005-6065-7965 tries to log in. Then to retrieve their data I would do a request to https://api.sandbox.orcid.org/v3.0/0009-0005-6065-7965/record

Ray Bon

Nov 8, 2023, 3:29:58 PM
to cas-...@apereo.org, aleix...@gmail.com, shirazi...@gmail.com
And this property

<Property name="pac4j.log.level">warn</Property>

Ray


Meysam Shirazi

Nov 9, 2023, 12:51:14 AM
to CAS Community, Ray Bon, aleix...@gmail.com, shirazi...@gmail.com
I don't recommend implementing OAuth20ProfileController (your link is too old anyway); I just suggest developing a wrapper for the delegated OAuth profile API (https://api.sandbox.orcid.org/v3.0/{user}/record).
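Added example, not code from the thread and not from CAS, pac4j or ORCID: a small Python walk-through of the three-legged flow Aleix describes, run offline, that ends with the flattened userinfo-style document Meysam's wrapper suggestion would hand back to profile-url. It shows that the token response already carries the ORCID iD (the value the {user} placeholder needs), validates the iD's check digit before interpolating it into the record URL, and rejects a callback whose state value does not match the one sent with the authorize request. The redirect URI, the sample token response, the sample record layout and the userinfo field names are assumptions made for this example.

```python
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoints quoted in the thread (ORCID sandbox).
AUTHORIZE_URL = "https://sandbox.orcid.org/oauth/authorize"
RECORD_TEMPLATE = "https://api.sandbox.orcid.org/v3.0/{user}/record"

# Constructed sample token response: field names follow the shape ORCID
# documents for its token endpoint, values are made up for this example.
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access_token": "constructed-access-token", "token_type": "bearer",
    "refresh_token": "constructed-refresh-token", "expires_in": 631138518,
    "scope": "/authenticate", "name": "Ada Example",
    "orcid": "0009-0005-6065-7965",
})

# Constructed sample record; the nesting assumed here mirrors the v3.0
# person/name layout and is an assumption of this example, not from the thread.
SAMPLE_RECORD = {
    "orcid-identifier": {"path": "0009-0005-6065-7965"},
    "person": {
        "name": {"given-names": {"value": "Ada"},
                 "family-name": {"value": "Example"}},
        "emails": {"email": [{"email": "ada@example.org"}]},
    },
}


def build_authorize_url(client_id, redirect_uri, state, scope="/authenticate"):
    """Authorize request from the ORCID docs, plus a random `state` the
    callback must echo back so a forged or replayed callback is rejected."""
    params = {"client_id": client_id, "response_type": "code", "scope": scope,
              "redirect_uri": redirect_uri, "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)


def new_state():
    return secrets.token_urlsafe(16)


def code_from_callback(callback_url, expected_state):
    """Pull `code` out of the redirect back to CAS; refuse on state mismatch."""
    qs = parse_qs(urlsplit(callback_url).query)
    state = qs.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback is not from our authorize request")
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def is_valid_orcid(orcid):
    """ORCID iD check digit (ISNI MOD 11-2): rejects malformed or mistyped iDs
    before they are ever interpolated into a URL."""
    digits = orcid.replace("-", "")
    if len(digits) != 16 or not digits[:-1].isdigit():
        return False
    total = 0
    for ch in digits[:-1]:
        total = (total + int(ch)) * 2
    result = (12 - total % 11) % 11
    return digits[-1] == ("X" if result == 10 else str(result))


def parse_token_response(body):
    """The token response already carries the iD: this is what {user} needs."""
    data = json.loads(body)
    orcid = data.get("orcid")
    if not orcid or not is_valid_orcid(orcid):
        raise ValueError("token response lacks a valid ORCID iD")
    return {"access_token": data["access_token"], "orcid": orcid,
            "name": data.get("name", "")}


def record_url(orcid):
    """Fill the {user} placeholder of the record endpoint with a validated iD."""
    if not is_valid_orcid(orcid):
        raise ValueError("refusing to build a URL from an invalid ORCID iD")
    return RECORD_TEMPLATE.replace("{user}", orcid)


def userinfo_from_record(orcid, record):
    """Flatten a record into the userinfo-style document a wrapper endpoint
    would return to profile-url; the claim names are this example's choice."""
    if record.get("orcid-identifier", {}).get("path") != orcid:
        raise ValueError("record belongs to a different ORCID iD")
    person = record.get("person", {})
    name = person.get("name", {})
    given = name.get("given-names", {}).get("value", "")
    family = name.get("family-name", {}).get("value", "")
    emails = person.get("emails", {}).get("email", [])
    return {"sub": orcid, "name": (given + " " + family).strip(),
            "given_name": given, "family_name": family,
            "email": emails[0]["email"] if emails else None}
```

In a real deployment the wrapper would look the bearer token up (or exchange it) to learn which ORCID iD it belongs to, fetch `record_url(orcid)` over HTTPS with that token, and return `userinfo_from_record(...)`; the functions above cover the parsing and validation around those two network calls.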