"ORCID authorization link has already been used or is invalid" issue

[paulo-graca]

Describe the bug

To Reproduce Steps to reproduce the behavior:

1. With orcidProfile-v1_1_2-28 version
2. After requesting a publication author the authorization for binding ORCID
3. And after the author received the email and click the "Register or connect your ORCID iD" link
4. And after he log in in ORCID and authorize
5. The "ORCID authorization link has already been used or is invalid" message is shown.

Expected behavior A successfully binding is expected.

Additional context The issue is related with the interaction with ORCID API, after the users authorized, a request is made to ORCID to grab a token using the URL:

https://pub.orcid.org/oauth/token

but Orcid is retrieving an 307 Temporary Redirect HTTP Code to a different URL:

https://orcid.org/oauth/token

currently the orcidProfile plugin doesn't know how to deal with this redirect, so that error is shown.

A quick workaround for this is to change the ORCID_API_URL_PUBLIC setting to:

define('ORCID_API_URL_PUBLIC', 'https://orcid.org/');

---

PRs:

• https://github.com/pkp/orcidProfile/pull/284 (stable-3_3_0)
• https://github.com/pkp/orcidProfile/pull/285 (stable-3_4_0)
• https://github.com/pkp/orcidProfile/pull/286 (main)

[RCUB-ub]

We also experienced the same problem. Our OJS version is 3.2.1.4, we have a multiple journal installation, we have the same version of the plugin.

One editor of the journal reported the error on 06/09/2023, an another of another journal on 09-10 september.

The manual solution that we found to publish the articles with ORCID was to desactivate the plugin and to introduce the ORCIDs manually. It is a temporally solution and we hope the bug will be fixed.

It is strange because although the ORCID is not validated, the ORCID icon appers in the public page. And that is supposed to appear only to validated ORCIDs through the plugin.

[paulo-graca]

@RCUB-ub Isn't the proper solution, but to have still working you can change this line: https://github.com/pkp/orcidProfile/blob/main/OrcidProfilePlugin.php#L66

from:

define('ORCID_API_URL_PUBLIC', 'https://pub.orcid.org/');

to:

define('ORCID_API_URL_PUBLIC', 'https://orcid.org/');

and it will work (you may need to save plugin configs at the interface after this change - save without change anything). But I think this isn't the proper fix. Perhaps a better one include allowing the plugin to handle specific ORCID redirects.

[RCUB-ub]

Thank you very much @paulo-graca for your helpful solution. I did not understand at the first time it when I read your post because I amb not very proficient at coding.

Although it may be a temporal fix, it is better that the manual solution we were applying. We are going to keep an eye to this issue in case the community finds a permanent solution.

Thanks again!

[asmecher]

@paulo-graca / all -- sorry for the delay in following up, but we've just completed a developer sprint. We'll follow up with ORCiD to see if the change on their end can be handled a different way that's compatible with the existing OJS plugin. Thanks for tracking down the solution, Paulo!

[ajnyga]

Just noting that I have had multiple reports in our installation with the error "ORCID authorization link has already been used or is invalid"

However, I did not find this issue earlier and now that I tested the plugin myself, the links seem to work.

Alec, if you hear from ORCID it would be good to know if this was a problem in their system!

edit: and @paulo-graca thanks for the nice detective work here!

[RCUB-ub]

We still have the same problem, an editor of one of our journals told me that the same issue happended on 27/09/2023. They had published an issue and the same error mesage appeared.

This is the article of the new issue https://revistes.ub.edu/index.php/waterfront/article/view/43850

The editor deactivated the ORCID plugin, wrote manually the ORCID and then activated again the plugin.

In the article on the public website it appears that the ORCID is validated with the ORCID icon, but in the submission it shows that the ORCID iD is not authenticated.

As I said before, we have a multiple journal installation with OJS version 3.2.1.4 and orcidProfile-v1_1_2-28 version. Our computer technician told me that he implemented the solution @paulo-graca proposed, and the editor told me he saved the changes.

I hope this information helps.

[edit]: Now I have news of another of our journals, they told me they could succesfully validate the ORCID iD through the plugin, in an article published today on 29/09/2023. They send the ORCID notification to the author yesterday.

https://revistes.ub.edu/index.php/HistoriaIndustrial/article/view/39312

The only difference between the journals that I could appreciate is that in the options of the ORCID plugin, in the option "ORCID request log" the journal that could successfully validate the ORCID has selected "Errors" and the other journal has selected "All".

[ajnyga]

It could be that there was a very recent fix for this in the ORCID end. I tested this earlier this week and got the error but today without doing any changes it worked.

[bozana]

Just to let you know, that ORCID reverted the change (the redirect to the new URL) on September 27th for 3 weeks, i.e. till October 18th, so that we can adapt the plugin.

[ajnyga]

Is the suggestion above the fix we are going to use (ie. renaming the ORCID_API_URL_PUBLIC) or are we going to make the plugin to handle the redirect?

[bozana]

We will make the plugin able to handle redirects, and I am still waiting for an answer if that will be the new API URL (but I believe we will change the API URL too).

[bozana]

ORCID said both URLs will work, I suppose the old one with the redirect. Thus, yes, the solution would be both, to change the URL to the new one and to allow the redirection. New plugin version is coming soon... One can follow this issue...

[bozana]

@withanage or @asmecher, could you take a look at the PRs above? I've just asked ORCID what about other URLs we use (https://pub.sandbox.orcid.org/, https://api.orcid.org/ and https://api.sandbox.orcid.org/) -- if they are going to stay as they are. When I get the answer I will write here and add the change if needed. We will then need to make new releases on Okt 17th...

[withanage]

@bozana I will test this on weekend Thanks a lot again for taking care of this in my absence.

[asmecher]

@bozana, no objections here, thanks!

[withanage]

@bozana and @asmecher

I tested and merged all the commits from Bozana and additionally removed the pub prefix from the public sandbox.

@bozana For 3.2.1 , I also added your addtions, but there without the header - redirect tag.

Somehow I could not release the pulbins using the pkp-plugin bump cause a 403 from the repo.

[bozana]

@withanage, great! Also good that you removed the pub prefix for sandbox, that is correct, as I heard from ORCID...

[bozana]

The new ORCID plugin releases, that use the new public API URLs and enable redirection, are out. Today ORCID should turn on the redirect again. So please update the plugin to the newest version then...

[bozana]

I believe the issue can be closed... ?

[doominio]

I'm on 3.2.0.3 and I installed 1.1.2-29 as instructed. However, when I click on an Orcid button to connect an author, I get a yellow banner on top that says "Warning! sandbox.orcid.org is a test website. orcid.org is the official website. Sandbox only sends email messages to mailinator.com email addresses, see Sandbox FAQ for more information".

And below that, I get an "invalid_client / Client not found" error.

I reverted to the old version and the Orcid connection window seems to be the normal one now. So - what's the correct thing to do?

[bozana]

Ah, I now realized that the ORCID API URLs are also saved in the DB table plugin_settings, and from there e.g. used for the emails, and this we have not considered in this issue :see_no_evil:

EDIT: specifically this part of the code is problematic: https://github.com/pkp/orcidProfile/blob/stable-3_3_0/OrcidProfilePlugin.inc.php#L338

[doominio]

Thank you! At this point I have no way of testing if the old version of the plugin works correctly - apparently it does. I'm following the issue and will install the new version when available.

[bozana]

@asmecher and @withanage, I know it is possible to execute an upgrade migration script from within the plugin in 3.4. Is it possible also in 3.3, and maybe also 3.2.1? There are 2 possibilities to fix the new problem (having the old URL in the DB):

• to write a migration script that will change the wrong URL in the DB table plugin_settings
• to leave the old URL in the DB and consider it only in the function getOrcidUrl(). s. https://github.com/pkp/orcidProfile/blob/stable-3_4_0/OrcidProfilePlugin.php#L737.

It feels more correct to fix the wrong URL in the DB, but it is probably also more complicated (it would need the migration script). What do you think?

[asmecher]

@bozana, I think the same technique used for the 3.4 plugin migration would work for earlier releases.

[bozana]

OK, I will then try to write the migration script that will change that plugin setting in the DB for the plugins coming from a release < than the next one... Thanks a lot!

[bozana]

Today, in the PKP dev call, we decided not to implement upgrade migration script now, but to just consider those old API URLs in the code -- this is the simplest solution now...

[bozana]

New PRs:

• https://github.com/pkp/orcidProfile/pull/297 (stable-3_3_0)
• https://github.com/pkp/orcidProfile/pull/298 (stable-3_4_0)

[bozana]

@asmecher and @withanage, could you please take a look at the PR direct above? @withanage, could you please do it for 3_2_1? @withanage, would you maybe be able to make the releases tomorrow? Or at least for 3_2_1? -- I could do for 3.3 and 3.4.

[withanage]

@bozana

I tested for 3.3 and 3.4 and merged.

could you cross-check 3.2.1 ? https://github.com/pkp/orcidProfile/pull/299

I can create the plugin version releases (3.3, 34 and 3.2.1 )

[bozana]

Thanks a lot @withanage! The 3.2.1 for stable-3_2_1 looks good...

[gurumelo]

@bozana

I tested for 3.3 and 3.4 and merged.

could you cross-check 3.2.1 ? #299

I can create the plugin version releases (3.3, 34 and 3.2.1 )

Hi @withanage , Can you give me some clues on how to patch manually in OJS 3.2.1 big installation with several journals and module already activated with differents configurations?

do i need rewrite email templates url?

Thanks

[withanage]

@bozana

I have created a PR for the plugin gallery. Travis build is queued, therefore did not merge yet. https://github.com/pkp/plugin-gallery/pull/243

[withanage]

Hi @withanage , Can you give me some clues on how to patch manually in OJS 3.2.1 big installation with several journals and module already activated with differente configurations?

do i need rewrite email templates url?

Hi @gurumelo

I do not recommend patching this plugin. I have created a PR to get the changes into the plugin gallery. If possible please use the version 1.1.2.30

https://github.com/pkp/orcidProfile/releases/tag/v1_1_2-30

As soon as it is available in the plugin gallery.

[bozana]

New releases are out, so I will close the issue...

[doominio]

Thank you everyone for the work here! I've updated manually with version 1.1.2.30, apparently there are no problems. Although I won't know for sure until a new author links his orcid profile.