ropensci-archive / rorcid

:warning: ARCHIVED :warning: A programmatic interface to the Orcid.org API

Unauthorized 401 When Calling ORCID API #91

Closed RealityMistic closed 3 years ago

RealityMistic commented 3 years ago

Hello, I am running an R script which uses rorcid and it is supposed to check some data with the orcid API.

I am running it on a linux server and I am getting this message Error: Unauthorized (HTTP 401)

I read the unfinished #64 thread and it seems the same problem. I checked the command curl -v -H "Authorization Bearer (...)" https://pub.orcid.org/v2.1/0000-0002-164 and it seems to work. So the token is all right, I believe. Any ideas why it might be failing?

Thanks

sckott commented 3 years ago

Thanks for reporting the issue.

In server scenarios, use a PAT. See https://docs.ropensci.org/rorcid/articles/authentication.html#computing-environments-without-browsers-1 and the 3rd option in Details section here https://docs.ropensci.org/rorcid/reference/orcid_auth.html#details

RealityMistic commented 3 years ago

Hi sckott, thanks for helping. I am not sure what you mean by a PAT, "Port-Address-Translator"? A network technique? How should we do that?

I managed to generate a token using the 2legged authentication function and using my client_id and my client_secret, I think the token is Ok. The ORCID_TOKEN environment variable is properly set with the token. I wondered if the problem was because of the hyphens, and I tried to add some (as it originally was without any) but same result 401.

I also checked that curl with HTTPS support is working, because I can download from the console.

Is it then a network problem? We are using port 8080 and we are behind a proxy, but we have connectivity now from R.

Any ideas?

Thanks

sckott commented 3 years ago

PAT = Personal Access Token. Same as "token" in this context.

Use one of the rorcid functions to get some data, and set verbose=TRUE, e.g.,

orcid_bio(orcid = "0000-0002-1642-628X", verbose = TRUE)

Does that fail? If so, there may be useful information to debug in the console output. Share it here, but make sure to obscure/remove your token

RealityMistic commented 3 years ago

orcid_bio(orcid = "0000-0002-1642-628X", verbose = TRUE)

  • Uses proxy env variable https_proxy == 'http://emcgateway:Informes2013@proxy.redinterna.age:8080'
  • Trying 10.20.5.72...
  • TCP_NODELAY set
  • Connected to proxy.redinterna.age (10.20.5.72) port 8080 (#0)
  • allocate connect buffer!
  • Establish HTTP proxy tunnel to pub.orcid.org:443
CONNECT pub.orcid.org:443 HTTP/1.1
Host: pub.orcid.org:443
User-Agent: R (3.6.3 x86_64-redhat-linux-gnu x86_64 linux-gnu)
Proxy-Connection: Keep-Alive

< HTTP/1.1 200 Connection established
<

< HTTP/1.1 401 Unauthorized
< Date: Fri, 19 Feb 2021 16:37:44 GMT
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive

sckott commented 3 years ago

So your token was in the Authorization: Bearer string, correct? And you just removed it here?

RealityMistic commented 3 years ago

Exactly, I removed it as you requested. This is a project for the Spanish Ministry of Science and we are rather stuck here.

Thanks.

sckott commented 3 years ago

Let's try curl again to make sure that your token is working:

curl -v \
  -H 'Authorization: Bearer your-token-here' \
  -H 'Accept: application/json' \
  https://pub.orcid.org/v3.0/0000-0002-1642-628X/biography/

Does that work? Do you get:

{"created-date":{"value":1460757498851},"last-modified-date":{"value":1460757498851},"content":"http://carlboettiger.info","visibility":"public","path":"/0000-0002-1642-628X/biography"}

RealityMistic commented 3 years ago

Good morning Sckott... once again the same problem. There must definitely be something wrong with the token. Thx for the support.

[root@CENT81-DES-CIENCIA investigadores-ficheros_r]# curl -v -H 'Authorization: Bearer ... ' -H 'Accept: application/json' https://pub.orcid.org/v3.0/0000-0002-1642-628X/biography/

RealityMistic commented 3 years ago

By the way, I just tried the URL with the token on my Windows workstation with postman and I got the same result: invalid token.

Should I try with another ORCID account?

RealityMistic commented 3 years ago

This is how I generated the token:

two_legged_oauth <- function(client_id, client_secret) {
  headers <- list(Accept = "application/json",
                  `Content-Type` = "application/x-www-form-urlencoded")
  body <- list(grant_type = "authorization_code",
               client_id = client_id,
               client_secret = client_secret)
  con <- crul::HttpClient$new("https://orcid.org/oauth/authorize", headers = headers)
  res <- con$post(body = body, encode = "form")
  if (res[["status_code"]] == 200) {
    tok <- res[["response_headers"]][["cf-request-id"]]
    return(paste0("Bearer ", tok))
  }
}

two_legged_oauth(client_id = "...", client_secret = "...")

sckott commented 3 years ago

  1. it's possible there's an issue with the proxy. I don't know anything about proxies as I never use them, so not sure what to do if that's the problem.
  2. If it is an invalid token: did you request the token on that server? Can you get a token on your local machine, then simply set it as the token on your server? Does this curl request work if you do it on your local machine without being behind a proxy?

RealityMistic commented 3 years ago

  1. We can rule out the proxy problem, I checked with postman from my personal machine (directly connected to the Internet) against the API url you proposed and it works without token (it's public) but when the token is added it says it is invalid.
  2. I tried on our server with another token generated with the ORCID credentials of a colleague of mine and the result is the same. Could it be that the token generation process is not working properly? Is there any way to circumvent the three legged authentication?

RealityMistic commented 3 years ago

By the way, my colleague generated his token on his local machine.

sckott commented 3 years ago

I just spun up a server and used my orcid token and it works. So can't re-create what's going on so far. I'm not sure what else to do. I'm asking ORCID folks

TomDemeranville commented 3 years ago

This is how I generated the token:

two_legged_oauth <- function(client_id, client_secret) {
  headers <- list(Accept = "application/json",
                  `Content-Type` = "application/x-www-form-urlencoded")
  body <- list(grant_type = "authorization_code",
               client_id = client_id,
               client_secret = client_secret)
  con <- crul::HttpClient$new("https://orcid.org/oauth/authorize", headers = headers)
  res <- con$post(body = body, encode = "form")
  if (res[["status_code"]] == 200) {
    tok <- res[["response_headers"]][["cf-request-id"]]
    return(paste0("Bearer ", tok))
  }
}

two_legged_oauth(client_id = "...", client_secret = "...")

Hmm. Is your token in a format like 1bed1e13-7792-4129-9f07-aaf7b88ba88x?

If not, I think your two legged request is not quite right.

Example here: https://info.orcid.org/documentation/integration-and-api-faq/#easy-faq-2532

RealityMistic commented 3 years ago

I was definitely trying to use a function which does not generate a valid Orcid token. Could you write here the proper command line curl call with a field for client_id and client_secret, which I can substitute, so that I can get the token? I understand the production ORCID API Endpoint is https://orcid.org/oauth/token

So far I've been trying and getting {"error":"invalid_client","error_description":"Client not found: ..."}

Please forgive me, because I am newbie to Linux and APIs...

TomDemeranville commented 3 years ago

Try something like curl -i -d 'client_id=XXX' -d 'client_secret=XXX' -d 'scope=/read-public' -d 'grant_type=client_credentials' 'https://orcid.org/oauth/token'

TomDemeranville commented 3 years ago

There is a tutorial here: https://github.com/ORCID/ORCID-Source/blob/master/orcid-api-web/tutorial/read_public.md

RealityMistic commented 3 years ago

Yes, but I also got the invalid token message. However, I just copied my ID directly from the Orcid website after login. I am also copying the password.

RealityMistic commented 3 years ago

I wish to apologize to everyone for being so rookie and for not reading the tutorials properly. I was wrongly assuming that the client_id is the same as the ORCID ID and they are not. You use your orcid account to register an application in the developers tools menu option and then it generates the client_id and the client_secret which you use to generate a token.

Thanks for your efforts, sorry again for the inconvenience and you can close this thread.

sckott commented 3 years ago

Thanks @TomDemeranville !

@drachodran no worries at all. I'm happy to help. The function https://docs.ropensci.org/rorcid/reference/orcid_auth in this package returns the token you'll need. It returns a string of the form Bearer xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx. From that, copy just the token part (ignore "Bearer ") to save as your ORCID_TOKEN environment variable.
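
The mix-ups this thread ran into, as an added example that is not part of the original thread or of rorcid: a shell preflight that flags an ORCID iD passed as client_id, a stored "Bearer " prefix, and a token that is not in the 8-4-4-4-12 form quoted above. The function names are hypothetical, the sample values are constructed, and treating each x as a hex digit is this example's assumption.

```shell
#!/bin/sh
# Preflight checks for the ORCID credential mix-ups discussed in this thread.
# Function names are this example's own; sample values are constructed.

# True if the value has the shape of an ORCID iD (e.g. 0000-0002-1642-628X),
# which identifies an account and is not an API client_id.
is_orcid_id() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]{4}-[0-9]{4}-[0-9]{4}-[0-9]{3}[0-9X]$'
}

# Strip an optional leading "Bearer " so only the bare token remains.
bare_token() {
  printf '%s\n' "$1" | sed -E 's/^[[:space:]]*Bearer[[:space:]]+//'
}

# True if the token has the 8-4-4-4-12 shape (assumption: hex digits).
token_shape_ok() {
  printf '%s\n' "$1" |
    grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Print one finding per problem; return non-zero if any check fails.
# usage: preflight CLIENT_ID TOKEN
preflight() {
  rc=0
  if is_orcid_id "$1"; then
    echo "client_id looks like an ORCID iD; use the id issued for the registered application"
    rc=1
  fi
  tok=$(bare_token "$2")
  if [ "$tok" != "$2" ]; then
    echo "token carries a 'Bearer ' prefix; store only the token in ORCID_TOKEN"
    rc=1
  fi
  if ! token_shape_ok "$tok"; then
    echo "token is not in xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx form"
    rc=1
  fi
  return $rc
}

# Constructed samples: an ORCID iD used as client_id and a prefixed token.
preflight "0000-0002-1642-628X" "Bearer 00000000-0000-4000-8000-000000000000" || true
```

Running the checks before calling the token endpoint separates a credential mix-up from a network or proxy fault, which is where most of this thread's debugging time went.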