Production release: New signin/register UI and OIDC ID token lifespan reduced to 24 hrs

102 views
Skip to first unread message

Liz Krznarich

unread,
Oct 5, 2020, 2:09:08 PM10/5/20
to ORCID API Users
Greetings all, 

Today we completed a release to the production ORCID Registry that contains a few important changes:

Signin/Register/Authorize UI changes
As announced in https://groups.google.com/g/orcid-api-users/c/BcdnwyKJmRY, we've been hard at work migrating the ORCID Registry user interface to Angular (code in https://github.com/ORCID/orcid-angular). In addition to migrating the frontend code, we are incorporating design and accessibility improvements in the process. We are completing this migration in phases over the next few months, and today we released the migrated signin, registration and authorization components. Many thanks to those who reviewed these changes in the Sandbox and provided feedback! For details on the UI changes, see https://orcid.org/blog/2020/10/05/has-something-changed-ui . 

OpenID Connect ID token lifespan reduced to 24 hours
As announced in https://groups.google.com/g/orcid-api-users/c/eZC54-ZP7Vc/m/eVpB7xotBAAJ, we've reduced the lifespan of OpenID Connect (OIDC) ID tokens to 24 hours. This change is due to security concerns around the long term validity of OpenID Connect ID tokens issued by ORCID and is particularly relevant to those using ORCID OIDC ID tokens in social signin integrations. This change does not affect access tokens; access token lifespan remains 20 years. For more information about ORCID's OIDC support, see https://github.com/ORCID/ORCID-Source/blob/master/orcid-web/ORCID_AUTH_WITH_OPENID_CONNECT.md

As always, if you notice any issues related to these changes, please let us know!

---
Liz Krznarich 
Tech Lead, New Projects, ORCID
https://orcid.org/0000-0001-6622-4910

Liz Krznarich

unread,
Oct 6, 2020, 1:00:54 PM10/6/20
to ORCID API Users
Hi folks,

Since yesterday's release, we found that a few integrations using %2B (URL-encoded + character) as a separator between scopes in OAuth authorization URLs are not working as expected. This is because the application expects either a URL-encoded space (%20) or a non-encoded + character, however, we previously also supported %2B. 

We are currently deploying a patch (https://github.com/ORCID/ORCID-Source/pull/6029/files) to add back support for %2B , which should be live within the next hour. 

Affected integrations we've noticed so far include Crossref auto-update (but not Crossref Search & Link wizard) and MDPI journals.

While %2B will work again as a separator shortly, to ensure that your ORCID authorization links work as expected, we encourage you to separate scopes with %20 as described in https://members.orcid.org/api/oauth/orcid-scopes


Cheers,
Liz
Reply all
Reply to author
Forward
0 new messages