Ask users for username and password during each authentication

[Cristian Zoicas]

Hello all,

We have implemented  ORCID authentication in our web  application and it
works.  But I  would  like to  ask  a question  about the  next sequence of steps:

1) Go to my web application home page.
2) Press the "Sign in with ORCID ID" button.
3) I am  redirected to the ORCID web site and asked about my username and password.
4) Once the correct credentials are provided the system allows me in.
5) Log out from my application.
6) Go back to my web application home page.
7) Press the "Sign in with ORCID ID" button.
8) The system logs me in without asking for ORCID username and password.

Now here  is my question: The  step 8 is  possible due to the  fact that
orcid.org saves  some cookies in  my browsers.  Is it possible  to avoid
this behavior  and force the user to introduce the user name  and password
each time when he presses "Sign in with ORCID ID" ?

Best regards
Cristian

[Wilmers, Catalina]

Hi Cristain,

We designed the behavior you see to save researchers needing to log into their ORCID record multiple times in one session, but you can add a step to force a log out which will require the user to sign into their account every time they grant access.  Instructions on forcing a log out are at http://members.orcid.org/api/customize-oauth-login-screen#logout

Best,

-Catalina

--
You received this message because you are subscribed to the Google Groups "ORCID API Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to orcid-api-use...@googlegroups.com.
To post to this group, send email to orcid-a...@googlegroups.com.
Visit this group at https://groups.google.com/group/orcid-api-users.
For more options, visit https://groups.google.com/d/optout.

[Simone Sturniolo]

Hi Catalina,

I am trying this just now in the sandbox with 

https://sandbox.orcid.org/userStatus.json?logUserOut=true

and it seems to work. However, I can't add a callback URL argument as suggested in the documentation because I keep receiving an error message saying the callback is "invalid". Any clue as to why it happens? I tried using my redirect_URI both with and without quotes (%22) around it, I took care to transform special characters into their corresponding representations passing through the appropriate functions (tried both in JS and PHP), but nothing. Is this a limitation of the sandbox? Thanks!

Simone

[Wilmers, Catalina]

Hi Simone,

What's the full authorization url you're using including the redirect URI? An invalid redirect URI error usually comes up when what you're using doesn't match what we have stored exactly. If you send us your URL we can compare the redirect URI to what is stored for your credentials and see if there's a small difference causing this error.

Best,

-Catalina

To unsubscribe from this group and stop receiving emails from it, send an email to orcid-api-users+unsubscribe@googlegroups.com.
To post to this group, send email to orcid-api-users@googlegroups.com.

[Simone Sturniolo]

I answered this in private, was it okay or should I send the URL to someone else?

Simone