pkp / orcidProfile

A plugin to pull ORCID information into a PKP user profile
GNU General Public License v3.0

Update OAuth and API URLs with correct prefixes #304

Open ewhanson opened 9 months ago

ewhanson commented 9 months ago

Update OAuth and API URLs

The URLs used in the plugin must be updated to use the correct endpoint for each action.

The correct endpoints per ORCID are as follows (see ORCID GitHub for documentation):

| Environment | Purpose | URL |
| --- | --- | --- |
| Production | Authorization requests | https://orcid.org/oauth/authorize |
| Production | Token exchange | https://orcid.org/oauth/token |
| Production | Public API calls | https://pub.orcid.org/[version] |
| Production | Member API calls | https://api.orcid.org/[version] |
| Sandbox | Authorization requests | https://sandbox.orcid.org/oauth/authorize |
| Sandbox | Token exchange | https://sandbox.orcid.org/oauth/token |
| Sandbox | Public API | https://pub.sandbox.orcid.org/[version] |
| Sandbox | Member API | https://api.sandbox.orcid.org/[version] |

Previously, the /oauth/token endpoint was accessed via https://pub.orcid.org/oauth/token and is now accessed via https://orcid.org/oauth/token. A redirect is in place from the old URL to the new (as announced in the ORCID API Users Group), but the plugin was not previously following the redirects (see pkp/orcidProfile#281). While this solved the /oauth/token redirect issue, it introduced a new issue by completely replacing the URL for public API calls from https://pub.orcid.org/[version] to https://orcid.org/[version], the latter of which is not a valid URL and redirects to the central sign-in page.

This issue was tricky to track down, as much of the public API functionality is satisfied with the response of the /oauth/authorize step of the OAuth authentication process, which includes, among other things, the access/refresh token and the authenticated user's ORCID.

Ensuring all OAuth-related actions use the corresponding https://orcid.org/[endpoint] or https://sandbox.orcid.org/[endpoint] URL while the calls to the versioned APIs use the correct pub or api prefixes as needed.

In summary, all API and authentication URLs should function as listed above.

Regardless of sandbox status:

This change will affect stable-3_3_0, stable-3_4_0, main, and potentially stable-3_2_1 if that version of the plugin is still maintained.

TODOs

ewhanson commented 9 months ago

PRs:

ewhanson commented 9 months ago

@bozana, could you review these changes? They update the API URLs, account for the non-pub prefixed URL being saved in the database, and update the OAuth-related calls to use the plain orcid.org or sandbox.orcid.org URLs. Thanks!

bozana commented 9 months ago

Hi @ewhanson, great! That all looks good to me. Thanks a lot!

ewhanson commented 9 months ago

Thanks, @bozana! I've merged them. I'll leave the issue open until I have a chance to get these changes reflected in main, considering the current rewrite underway.
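
Added example, not part of the thread above and not the plugin's own code: one way to derive every URL from the endpoint table in the issue while tolerating a stored base URL that lost its `pub` prefix. Function and constant names are hypothetical; treating an un-prefixed stored value as the public API, and using `v3.0` in place of `[version]`, are assumptions.

```php
<?php
// Added example; function and constant names are hypothetical, not the plugin's.
// Hosts are taken from the endpoint table in the issue.
const ORCID_HOSTS = [
    'production' => ['oauth' => 'orcid.org', 'public' => 'pub.orcid.org', 'member' => 'api.orcid.org'],
    'sandbox' => ['oauth' => 'sandbox.orcid.org', 'public' => 'pub.sandbox.orcid.org', 'member' => 'api.sandbox.orcid.org'],
];

/**
 * Classify a stored base URL. Assumption: a stored value without the pub/api
 * prefix (the state described in the issue) is treated as the public API.
 * @return array{0: string, 1: string} [environment, API kind]
 */
function classifyStoredOrcidUrl(string $stored): array
{
    $parts = parse_url($stored);
    if (($parts['scheme'] ?? '') !== 'https' || empty($parts['host'])) {
        throw new InvalidArgumentException("Not an https URL: $stored");
    }
    $host = strtolower($parts['host']);
    foreach (ORCID_HOSTS as $env => $hosts) {
        // Exact host match only: a suffix match would accept lookalike hosts.
        $kind = array_search($host, $hosts, true);
        if ($kind !== false) {
            return [$env, $kind === 'oauth' ? 'public' : $kind];
        }
    }
    throw new InvalidArgumentException("Not an ORCID host: $host");
}

/** Build the URL for an action: 'authorize', 'token', or 'api'. */
function orcidUrl(string $stored, string $action, string $version = ''): string
{
    [$env, $kind] = classifyStoredOrcidUrl($stored);
    if ($action === 'authorize' || $action === 'token') {
        // OAuth steps always use the plain (sandbox.)orcid.org host.
        return 'https://' . ORCID_HOSTS[$env]['oauth'] . '/oauth/' . $action;
    }
    if ($action === 'api' && $version !== '') {
        // Versioned API calls keep the pub or api prefix.
        return 'https://' . ORCID_HOSTS[$env][$kind] . '/' . $version;
    }
    throw new InvalidArgumentException("Unsupported action: $action");
}

// Constructed sample values; 'v3.0' stands in for [version].
foreach (['https://orcid.org/', 'https://pub.orcid.org/', 'https://api.sandbox.orcid.org/'] as $stored) {
    echo $stored, ' => ', orcidUrl($stored, 'token'), ' | ', orcidUrl($stored, 'api', 'v3.0'), PHP_EOL;
}
```

Building each URL from a fixed host map, rather than by string replacement on the stored value, keeps the client credentials sent during token exchange bound to a known ORCID host.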