3-legged OAuth with Institutional Provider

Skip to first unread message

Donald Brower

Jul 19, 2021, 1:48:29 PM7/19/21
to orcid-a...@googlegroups.com

I'm having an issue with OAuth redirects.

I am using the public API with my web app to do a 3-legged OAuth for authentication. Everything works fine if the person signs in to the ORCId site using a password. The session is redirected back to my site and all is good.

However, if the person chooses "Access through your institution", then there is a page to select the instituion, followed by the institution's sign-in page. After doing all this one is then redirected back to the orcid home page. Additionally, it does not appear that I am signed in on the ORCID site. Is this behavior expected? I expected a redirect at the end back to my application.


Don Brower, Ph.D.
Digital Projects Lead
Hesburgh Libraries

University of Notre Dame
250B Hesburgh Library

Pedro Costa

Jul 20, 2021, 6:42:39 AM7/20/21
to ORCID API Users
Hi Don,

I was unable to replicate the behavior you've described. This is the expected behavior for the 3-step OAuth process with an institutional account:

1 - user visits authorization URL
2 - user signs in with institutional account (and links it to an ORCID iD if it isn't yet)
3 - user is redirected to authorization page
4 - user grants permission to client app
5 - user is then sent to the client app's redirect URI appended with an authorization code

Could you please reply with the authorization URL you're using to test and confirm whether or not the steps described above match your testing?

Kind regards,

Will J

Jul 20, 2021, 12:50:08 PM7/20/21
to ORCID API Users

I haven't made it to OAuth integration yet but there are a few videos here that may help.  

Donald Brower

Jul 29, 2021, 5:01:18 PM7/29/21
to ORCID API Users
Hi Pedro,

Thanks for your reply. I missed it before I went on vacation.

When I used the oauth sign-in again today with the "institutional access" method, everything worked as expected. So my problem appears to be solved.

For reference, the sequence of URLs that I see today are:
1) my app redirects the user to https://orcid.org/oauth/authorize
2) selecting the institutional sign in directs me to https://orcid.org/Shibboleth.sso/Login which then redirects me to my institution's single sign-on page.
3) after the SSO page I am redirected to https://orcid.org/Shibboleth.sso/SAML2/POST
6) and finally back to my app, as expected.

I didn't record a trace of the failed redirects from last week, but it seemed like somewhere around step 4 or 5 there was redirect to https://orcid.org/ and that ended the sequence. The redirects didn't make it back to my application.

Thanks again for your help,

Pedro Costa

Jul 30, 2021, 4:17:14 AM7/30/21
to ORCID API Users
Hi Don,

Thanks. If you come across any issues again please do let us know.
Reply all
Reply to author
0 new messages