Enabling Login with ORCiD

The SSSOM Curator web application can integrate ORCiD as an authentication system via flask_dance. When running the CLI, you can pass --live-login to enable this.

First, register a public API client with ORCiD by filling out the form at https://orcid.org/developer-tools, following the steps in ORCiD's first-party guide.

Storing Configuration

This will give you two important strings: a client identifier and a client secret. If you're testing locally, put these in a file ~/.config/sssom_curator.ini with the following contents, so that they can be read automatically with pystow. The file holds the client secret, so restrict it to your user (chmod 600 ~/.config/sssom_curator.ini) and keep it out of version control.

[sssom_curator]
orcid_client_id = APP-XXXXXXXXXXXXXXXX
orcid_client_secret = XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

Alternatively, you can set the environment variables SSSOM_CURATOR_ORCID_CLIENT_ID and SSSOM_CURATOR_ORCID_CLIENT_SECRET.

Registering Redirects

The ORCiD authentication implementation from flask_dance mounts to the absolute path /login/orcid/authorized in your app. For example, if you would like to test login with ORCiD locally, then you can register a redirect in ORCiD’s panel to https://127.0.0.1:8775/login/orcid/authorized.

Note that ORCID doesn't allow using "localhost" as the host, so you have to use either 127.0.0.1 or 0.0.0.0 to make this work locally. In general, you can use any resolvable host and port combination, as long as the URI you register matches exactly what the app serves (scheme, host, port and path); a redirect to an unregistered URI is rejected by ORCiD.

Proxies

If you're running behind a reverse proxy (for example nginx terminating TLS in front of the app), then use --proxy-fix. This wraps the WSGI app in Werkzeug's ProxyFix so that Flask sees the client's real address and the original scheme from the X-Forwarded-* headers, which matters here because flask_dance builds the redirect URI from the request's scheme and host:

from werkzeug.middleware.proxy_fix import ProxyFix

app.wsgi_app = ProxyFix(
    app.wsgi_app,
    x_for=1,  # trust one proxy hop for X-Forwarded-For, so REMOTE_ADDR is the real client
    x_proto=1,  # take http vs. https from X-Forwarded-Proto, so generated URLs use https
    # x_host, x_port and x_prefix are left at their defaults
)

Only enable this when a trusted proxy actually sets those headers: x_for=1 tells ProxyFix to trust exactly one proxy hop, and with no proxy in front of the app, any client could spoof X-Forwarded-For and X-Forwarded-Proto.

Serving over HTTPS

HTTPS is required for ORCiD redirects. If you want to get this working locally, you'll need a TLS private key and certificate file. For local testing, you can run the following to generate them with mkcert, which creates a local CA, installs it into your system trust store (nss is needed for Firefox), and issues a certificate for the listed names. The mkcert CA key is for local development only; keep it private and do not reuse these certificates outside your machine.

$ brew install mkcert
$ brew install nss
$ mkcert localhost 127.0.0.1 ::1
$ mkcert -install

Then, these can be passed with the --ssl-keyfile and --ssl-certfile arguments.

Putting it All Together

$ uv run main.py web --ssl-keyfile localhost+2-key.pem --ssl-certfile localhost+2.pem --live-login
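The steps above (credentials from the ini file or environment, an exactly matching redirect URI, and the TLS files) are easy to get subtly wrong, so here is a pre-flight check that can be run before `uv run main.py web ...`. This is an added example, not part of the SSSOM Curator code base: it re-implements pystow's lookup order (environment variable first, then the ini file) with the standard library so it runs without pystow, and the function names and the `redirect_mismatches` check are this example's own.

```python
"""Pre-flight checks for the ORCiD login setup (added example, not project code)."""
import configparser
import os
import stat
from pathlib import Path
from urllib.parse import urlsplit

MODULE = "sssom_curator"
CONFIG_PATH = Path.home() / ".config" / f"{MODULE}.ini"
AUTHORIZED_PATH = "/login/orcid/authorized"  # path mounted by flask_dance's ORCiD blueprint
_OTHERS = stat.S_IRWXG | stat.S_IRWXO  # group/other permission bits


def env_name(key: str) -> str:
    """pystow's convention: orcid_client_id -> SSSOM_CURATOR_ORCID_CLIENT_ID."""
    return f"{MODULE}_{key}".upper()


def load_orcid_credentials(config_path: Path = CONFIG_PATH, environ=None) -> tuple[str, str]:
    """Return (client_id, client_secret); environment variables win over the ini file.

    Refuses an ini file readable by group or other, since it holds the client secret.
    """
    environ = os.environ if environ is None else environ
    parser = None
    found = {}
    for key in ("orcid_client_id", "orcid_client_secret"):
        value = environ.get(env_name(key))
        if value is None and config_path.is_file():
            mode = stat.S_IMODE(config_path.stat().st_mode)
            if mode & _OTHERS:
                raise PermissionError(
                    f"{config_path} is mode {mode:04o}; chmod 600 it so only you can read the client secret"
                )
            if parser is None:
                parser = configparser.ConfigParser()
                parser.read(config_path)
            value = parser.get(MODULE, key, fallback=None)  # None when the section or key is absent
        if not value:
            raise RuntimeError(f"{key} not set: export {env_name(key)} or add it to {config_path}")
        found[key] = value
    return found["orcid_client_id"], found["orcid_client_secret"]


def expected_redirect_uri(host: str, port: int) -> str:
    """The redirect URI ORCiD must have on file for this host/port: https only, never 'localhost'."""
    if host.lower() == "localhost":
        raise ValueError("ORCiD rejects 'localhost'; use 127.0.0.1 or another resolvable host")
    return f"https://{host}:{port}{AUTHORIZED_PATH}"


def redirect_mismatches(registered: list[str], host: str, port: int) -> list[str]:
    """Explain why none of the URIs registered in ORCiD's panel matches exactly (empty list = OK)."""
    want = expected_redirect_uri(host, port)
    if want in registered:
        return []
    problems = []
    for uri in registered:
        parts = urlsplit(uri)
        if parts.scheme != "https":
            problems.append(f"{uri}: scheme must be https")
        if parts.hostname != host.lower():
            problems.append(f"{uri}: host {parts.hostname!r} != {host!r}")
        elif parts.port != port:
            problems.append(f"{uri}: port {parts.port} != {port}")
        elif parts.path != AUTHORIZED_PATH:
            problems.append(f"{uri}: path {parts.path!r} != {AUTHORIZED_PATH!r}")
    return problems or [f"nothing registered; add {want}"]


def check_tls_files(keyfile: Path, certfile: Path) -> list[str]:
    """Both --ssl-keyfile and --ssl-certfile must exist; the private key should be readable only by you."""
    problems = []
    for flag, path in (("--ssl-keyfile", keyfile), ("--ssl-certfile", certfile)):
        if not path.is_file():
            problems.append(f"{flag}: {path} not found")
    if keyfile.is_file() and stat.S_IMODE(keyfile.stat().st_mode) & _OTHERS:
        problems.append(f"{keyfile}: private key readable by others; chmod 600 it")
    return problems


if __name__ == "__main__":
    # Values matching the local setup described above; the registered list is what you
    # entered in ORCiD's developer panel (constructed here for the example).
    host, port = "127.0.0.1", 8775
    registered_in_orcid_panel = ["https://127.0.0.1:8775/login/orcid/authorized"]
    client_id, _secret = load_orcid_credentials()
    print("client id:", client_id)
    for problem in redirect_mismatches(registered_in_orcid_panel, host, port):
        print("redirect:", problem)
    for problem in check_tls_files(Path("localhost+2-key.pem"), Path("localhost+2.pem")):
        print("tls:", problem)
```

Run it from the directory holding the mkcert output; it prints nothing but the client id when everything lines up, and otherwise says which of the three steps to revisit. The permission checks look at mode bits rather than trying to open the files, so they also flag a world-readable secret when you happen to be running as root.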