On Oct 6, 2020, at 2:43 AM, Companjen, B.A. 
<[email protected]> wrote:

> I use ORCID authentication via OpenID Connect in a WordPress site. The main 
> gotcha is that ORCID doesn't provide the user's email address in an 
> OIDC-standard way, whereas WordPress says it requires an email address for 
> each user. Even if a user has a public email address, you can only get it 
> through the ORCID profile API (or you'd have to persuade the user to complete 
> their profile manually). I haven't gone through this trouble and haven't had 
> real issues, but other applications may be more strict.
> Another gotcha is that as a normal ORCID user, you can only have one 
> registered application (API key and secret). This application can have 
> multiple redirect URIs, so it might not affect you directly.
> 
> --
> Ben


Ben (et al.), thank you for sharing your experience, and based on my 
investigations it looks as if garnering a person's email address via ORCID can 
be problematic. I think the solution is to make some sort of explicit request 
of the address, and this is done by programmatically asking the person being 
authenticated for trust. --Eric Morgan
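An added example, not part of either message in this thread: one way a relying party could handle the missing email claim, keying the local account on the ORCID iD and accepting only a verified address from the profile API. It assumes the ID token's `sub` claim carries the ORCID iD and that the email record is a JSON object with an `email` list whose entries have `email`, `verified` and `primary` fields; the function names and the sample data are constructed for illustration.

```python
import re

ORCID_RE = re.compile(r"^\d{4}-\d{4}-\d{4}-\d{3}[\dX]$")

def valid_orcid(orcid_id):
    """Check the format and ISO 7064 MOD 11-2 check character of an ORCID iD."""
    if not isinstance(orcid_id, str) or not ORCID_RE.match(orcid_id):
        return False
    digits = orcid_id.replace("-", "")
    total = 0
    for ch in digits[:-1]:
        total = (total + int(ch)) * 2
    check = (12 - total % 11) % 11
    return digits[-1] == ("X" if check == 10 else str(check))

def resolve_account(claims, email_record=None):
    """Return (account_key, email_or_None) for one login.

    The account key is always the ORCID iD, never the email address, so a
    missing or changed address cannot attach the login to another account.
    """
    orcid_id = claims.get("sub")  # assumption: sub carries the ORCID iD
    if not valid_orcid(orcid_id):
        raise ValueError("sub claim is not a valid ORCID iD")
    # Honour a standard OIDC email claim only when it is marked verified.
    if claims.get("email") and claims.get("email_verified") is True:
        return orcid_id, claims["email"]
    # Fallback: entries fetched from the profile API (assumed field names).
    entries = (email_record or {}).get("email", [])
    usable = [e for e in entries if e.get("verified") is True and e.get("email")]
    usable.sort(key=lambda e: not e.get("primary"))  # primary address first
    return orcid_id, (usable[0]["email"] if usable else None)

# Constructed sample data, not real ORCID output.
SAMPLE_CLAIMS = {"sub": "0000-0002-1825-0097"}
SAMPLE_RECORD = {"email": [
    {"email": "old@example.org", "verified": False, "primary": False},
    {"email": "j.carberry@example.org", "verified": True, "primary": True},
]}

if __name__ == "__main__":
    print(resolve_account(SAMPLE_CLAIMS, SAMPLE_RECORD))
    print(resolve_account(SAMPLE_CLAIMS))  # None: ask the user for an address
```

When the second value is `None`, the application has no trustworthy address and should ask the user for one and verify it itself.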
