ORCID as Social Identity Provider #126

Open
NicolasLiampotis opened this issue Sep 28, 2021 · 9 comments

Comments

@NicolasLiampotis

Use ORCID public/member API for OAuth2 2-legged flow and access to ORCID record, including:

  • identifier (ORCID iD)
  • name
  • email
  • publications
  • CV

See also the implementation for SimpleSAMLphp.

@hannahshort

Btw, ORCID currently doesn't release email in OAuth2. I spoke with the supporters and they do plan to release it in the future but need to better understand the privacy model.

@NicolasLiampotis (Author)

> Btw, ORCID currently doesn't release email in OAuth2. I spoke with the supporters and they do plan to release it in the future but need to better understand the privacy model.

Great! Good to know that they're already considering adding support for email.

In the meantime, we'll investigate developing a custom (OAuth2-based) Identity Provider that can interact with ORCID's record API: https://orcid.github.io/orcid-api-tutorial/read/

From our experience with the PHP-based implementation we developed for SimpleSAMLphp, the ORCID record API can release the email information with some caveats:

  1. The Public ORCID API (free) releases email addresses only when marked as publicly visible
  2. The Member ORCID API (requires ORCID membership fees) releases email addresses only when marked as visible to trusted third parties

So in both cases the user is required to modify the visibility settings for the email addresses in their profile.

The proper OIDC (OAuth2) way would be to allow the user to authorise the standard email scope, so that they decide whether to release their email address to the given client.
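The flow and the two email-visibility caveats described in the comment above, as an added Python example; this is not code from the issue thread, from the SimpleSAMLphp module or from any Keycloak extension. The ORCID authorize endpoint, the shape of the token response (`orcid`, `name` fields) and the shape of the `/email` record response are assumed from ORCID's public API documentation as I know it; the client id, redirect URI and every JSON sample below are constructed. The example also checks the ORCID iD check digit (ISO 7064 MOD 11-2) before the iD is used as an identity, which the thread does not discuss but which a defender would want before trusting a value from a token response.

```python
"""Added example: ORCID OAuth2 login handling with email visibility rules.

Assumptions (not from the issue thread): endpoint URLs and JSON field names
follow ORCID's public API docs; all sample values are constructed.
"""
import json
from urllib.parse import urlencode

ORCID_AUTHORIZE_URL = "https://orcid.org/oauth/authorize"  # assumed endpoint


def build_authorize_url(client_id, redirect_uri, state, scope="/authenticate"):
    """Authorization request for the user-consent (3-legged) flow. The state
    value must be unguessable and verified on the callback so a forged or
    replayed callback is rejected."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": scope,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return ORCID_AUTHORIZE_URL + "?" + urlencode(params)


def orcid_checksum_ok(orcid_id):
    """ORCID iDs end in an ISO 7064 MOD 11-2 check character. Rejecting
    malformed iDs before mapping them to a Keycloak user keeps a tampered or
    buggy token response from creating an account under a bogus identifier."""
    compact = orcid_id.replace("-", "")
    if len(compact) != 16 or not compact[:15].isdigit():
        return False
    total = 0
    for ch in compact[:15]:
        total = (total + int(ch)) * 2
    result = (12 - total % 11) % 11
    expected = "X" if result == 10 else str(result)
    return compact[15] == expected


def identity_from_token_response(token_json):
    """ORCID's token response carries the iD and display name next to the
    access token (assumed field names 'orcid' and 'name'). Returns
    (iD, name) or raises when the iD fails the checksum."""
    data = json.loads(token_json)
    orcid_id = data.get("orcid", "")
    if not orcid_checksum_ok(orcid_id):
        raise ValueError("token response does not carry a valid ORCID iD")
    return orcid_id, data.get("name", "")


def select_email(email_json, api="public"):
    """Pick a verified, preferably primary, address from the /email response.
    Mirrors the two caveats in the comment: the public API only returns
    addresses marked 'public'; the member API additionally returns 'limited'
    (visible to trusted parties). 'private' is never usable. Returns None
    when nothing qualifies so the caller can ask the user instead."""
    allowed = {"public"} if api == "public" else {"public", "limited"}
    entries = json.loads(email_json).get("email", [])
    candidates = [e for e in entries
                  if e.get("verified") and e.get("visibility") in allowed]
    candidates.sort(key=lambda e: not e.get("primary", False))
    return candidates[0]["email"] if candidates else None


# Constructed samples: the iD is ORCID's well-known example iD, not a real
# user of this system, and the token value is a placeholder.
SAMPLE_TOKEN = json.dumps({
    "access_token": "not-a-real-token", "token_type": "bearer",
    "scope": "/authenticate", "orcid": "0000-0002-1825-0097",
    "name": "Example Researcher",
})
SAMPLE_EMAILS = json.dumps({"email": [
    {"email": "private@example.org", "visibility": "private",
     "verified": True, "primary": True},
    {"email": "trusted@example.org", "visibility": "limited",
     "verified": True, "primary": False},
    {"email": "unverified@example.org", "visibility": "public",
     "verified": False, "primary": False},
]})

if __name__ == "__main__":
    print(build_authorize_url("APP-EXAMPLE", "https://sp.example.org/cb", "s3cr3t"))
    print(identity_from_token_response(SAMPLE_TOKEN))
    print("public API email:", select_email(SAMPLE_EMAILS, "public"))
    print("member API email:", select_email(SAMPLE_EMAILS, "member"))
```

With the constructed record the public API yields no usable address (the only public one is unverified) while the member API yields the `limited` one, which is exactly the situation where the user has to change the visibility settings on their profile, as the comment says.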

@cgeorgilakis commented Oct 19, 2021

I have done an implementation for making a PR to Keycloak in order to support ORCID as a social IdP.

This implementation is being extended for our needs with the following:

  • verified email (PR for issue #70 not accepted yet)
  • an extension for parsing publications (or other fields), which are JSON lists. Currently Keycloak supports only a single field as JSON.

Finally, we opened a dev discussion on overcoming problems with large User Attributes like publications. A User Attribute value is limited to 255 characters, which is insufficient for large fields.
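One way to deal with the two points in this comment (a JSON list field such as publications, and the 255-character attribute value limit), as an added Python example that is not the extension's code or anything from the thread. The `/works` summary shape (`{"group": [{"work-summary": [...]}]}`) is assumed from ORCID's v3 API; the sample record and the packing strategy are my own. The idea is to store the list as several attribute values, each a valid JSON array that fits the limit, and to make any truncation explicit instead of silently losing data.

```python
"""Added example: pack an ORCID works list into bounded attribute values.

Assumption: the works JSON shape follows ORCID's v3 /works summary as I
know it; the record below is constructed.
"""
import json

MAX_ATTR_LEN = 255  # user attribute value limit mentioned in the thread


def work_titles(works_json):
    """Flatten the grouped summaries into one title per work. A group holds
    several summaries for the same work (e.g. from different sources), so
    only the first summary of each group is used."""
    titles = []
    for group in json.loads(works_json).get("group", []):
        summaries = group.get("work-summary", [])
        if not summaries:
            continue
        title = summaries[0].get("title", {}).get("title", {}).get("value", "")
        if title:
            titles.append(title)
    return titles


def to_attribute_values(items, max_len=MAX_ATTR_LEN):
    """Pack a list of strings into as few values as possible, each a JSON
    array no longer than max_len. An item too long to fit even on its own is
    truncated with a visible '...' marker so the stored value still parses
    and the loss can be seen; nothing is dropped silently."""
    values, current = [], []
    for item in items:
        if len(json.dumps(current + [item], ensure_ascii=False)) <= max_len:
            current.append(item)
            continue
        if current:
            values.append(json.dumps(current, ensure_ascii=False))
            current = []
        if len(json.dumps([item], ensure_ascii=False)) <= max_len:
            current = [item]
        else:
            cut = item
            # shrink until the quoted, escaped form fits alongside the marker
            while cut and len(json.dumps([cut + "..."], ensure_ascii=False)) > max_len:
                cut = cut[:-1]
            values.append(json.dumps([cut + "..."], ensure_ascii=False))
    if current:
        values.append(json.dumps(current, ensure_ascii=False))
    return values


def from_attribute_values(values):
    """Inverse of to_attribute_values: concatenate the stored arrays."""
    items = []
    for value in values:
        items.extend(json.loads(value))
    return items


# Constructed sample record, not real ORCID output.
SAMPLE_WORKS = json.dumps({"group": [
    {"work-summary": [
        {"put-code": 1, "type": "journal-article",
         "title": {"title": {"value": "Constructed title one"}}}]},
    {"work-summary": [
        {"put-code": 2, "title": {"title": {"value": "Constructed title two"}}},
        {"put-code": 3, "title": {"title": {"value": "Constructed title two"}}}]},
    {"work-summary": []},
]})

if __name__ == "__main__":
    titles = work_titles(SAMPLE_WORKS)
    for value in to_attribute_values(titles):
        print(len(value), value)
```

Because every stored value is itself a JSON array, a mapper on the Keycloak side can read each value independently, and `from_attribute_values` rebuilds the full list when all values are present.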

@cgeorgilakis commented Oct 20, 2021

Moreover, related to #125:
My implementation gives the orcid User attribute the value of the URI. However, this code is executed only during user initialization.

If an admin wants the orcid User attribute to be changeable, they should create a User Attribute Mapper with Sync Mode Override set to force.

@cgeorgilakis

PR: keycloak#8618
github discussion: keycloak#8620

@cgeorgilakis commented Nov 16, 2021

The Keycloak team rejected our PR for the ORCID Social Identity Provider because they do not want to maintain/support it.

I have created a Keycloak extension for the ORCID Social Identity Provider and made a PR for it to become an official Keycloak extension.
It is now working with the current Keycloak version (15.0.2). We will maintain compatibility with newer versions.

Extension jira issue: https://issues.redhat.com/browse/KEYCLOAK-19595.

emailVerified is not added in the extension. However, it is related to the following PR. In this PR, the Keycloak team wants to extend the User Attribute Mapper in order to be able to change the User field emailVerified. However, the PR is stuck in their review. After this PR is accepted, a realm admin will be able to create the appropriate User Attribute Mapper for emailVerified for the ORCID IdP.

We have added the ORCID logo to our vanilla theme (current branch icons).

@cgeorgilakis

Related Jira issue for problems with mappers and emailVerified: #136

@cgeorgilakis commented Nov 17, 2021

ORCID as Social Identity Provider is now an official Keycloak extension.
