Production release: New signin/register UI and OIDC ID token lifespan reduced to 24 hrs


Liz Krznarich

Oct 5, 2020, 2:09:08 PM
to ORCID API Users
Greetings all, 

Today we completed a release to the production ORCID Registry that contains a few important changes:

Signin/Register/Authorize UI changes
As announced in https://groups.google.com/g/orcid-api-users/c/BcdnwyKJmRY, we've been hard at work migrating the ORCID Registry user interface to Angular (code in https://github.com/ORCID/orcid-angular). In addition to migrating the frontend code, we are incorporating design and accessibility improvements in the process. We are completing this migration in phases over the next few months, and today we released the migrated signin, registration and authorization components. Many thanks to those who reviewed these changes in the Sandbox and provided feedback! For details on the UI changes, see https://orcid.org/blog/2020/10/05/has-something-changed-ui . 

OpenID Connect ID token lifespan reduced to 24 hours
As announced in https://groups.google.com/g/orcid-api-users/c/eZC54-ZP7Vc/m/eVpB7xotBAAJ, we've reduced the lifespan of OpenID Connect (OIDC) ID tokens to 24 hours. This change is due to security concerns around the long term validity of OpenID Connect ID tokens issued by ORCID and is particularly relevant to those using ORCID OIDC ID tokens in social signin integrations. This change does not affect access tokens; access token lifespan remains 20 years. For more information about ORCID's OIDC support, see https://github.com/ORCID/ORCID-Source/blob/master/orcid-web/ORCID_AUTH_WITH_OPENID_CONNECT.md

As always, if you notice any issues related to these changes, please let us know!

---
Liz Krznarich 
Tech Lead, New Projects, ORCID
https://orcid.org/0000-0001-6622-4910

Liz Krznarich

Oct 6, 2020, 1:00:54 PM
to ORCID API Users
Hi folks,

Since yesterday's release, we found that a few integrations using %2B (URL-encoded + character) as a separator between scopes in OAuth authorization URLs are not working as expected. This is because the application expects either a URL-encoded space (%20) or a non-encoded + character; however, we previously also supported %2B.

We are currently deploying a patch (https://github.com/ORCID/ORCID-Source/pull/6029/files) to add back support for %2B, which should be live within the next hour.

Affected integrations we've noticed so far include Crossref auto-update (but not Crossref Search & Link wizard) and MDPI journals.

While %2B will work again as a separator shortly, to ensure that your ORCID authorization links work as expected, we encourage you to separate scopes with %20 as described in https://members.orcid.org/api/oauth/orcid-scopes


Cheers,
Liz