
Add "email" to supported OpenID Connect scopes

Open hubgit opened this issue 5 years ago • 9 comments

When an OpenID Connect request's scope is openid email, notify the user that the application has requested their profile and email address.

If they approve, include their email address in the response.

hubgit avatar Jul 09 '19 12:07 hubgit

Hi @hubgit, we're currently evaluating how we might be able to support this use case while sticking to our core principle of individual user control, including fine-grained control over data visibility settings. We'll keep you posted on any future developments, and you can also follow our upcoming projects on our Current Development and Product Development Roadmap Trello boards.

lizkrznarich avatar Jul 09 '19 17:07 lizkrznarich

I'd like to note that all the other OpenID Connect and OAuth providers where the user's email address is private (including Google, Yahoo, Microsoft, PayPal, Facebook, Twitter, GitHub and Spotify) allow clients to ask for and receive the user's email address, if the user approves.

hubgit avatar Jul 10 '19 10:07 hubgit

It's also important to include a boolean email_verified field in the response, as it's currently possible to connect an ORCID account without the user having verified their email address.

hubgit avatar Jul 10 '19 10:07 hubgit
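An added example (not ORCID's code) of how a relying party would consume the claims the comments above ask for: the `email` scope must actually be granted, the `email` claim must be present, and `email_verified` must be the JSON boolean true (OIDC Core 1.0, section 5.1) before the address is trusted for account linking. The token response and claims are constructed sample data.

```python
"""Relying-party handling of the OpenID Connect 'email' scope (added example)."""
from dataclasses import dataclass
from typing import Any, Mapping, Optional, Set


@dataclass(frozen=True)
class EmailResult:
    email: Optional[str]   # address returned by the provider, if any
    verified: bool         # True only when the provider asserted verification
    reason: str            # why the address is or is not usable


def granted_scopes(token_response: Mapping[str, Any]) -> Set[str]:
    """Scopes the server actually granted (space-delimited 'scope' in the token
    response). A server may grant fewer scopes than requested, so a client must
    not assume it got 'email' just because it asked for 'openid email'."""
    return set(str(token_response.get("scope", "")).split())


def usable_email(token_response: Mapping[str, Any],
                 claims: Mapping[str, Any]) -> EmailResult:
    """Decide whether the email from a signature-verified ID token or a UserInfo
    response may be used to link the login to a local account."""
    if "email" not in granted_scopes(token_response):
        return EmailResult(None, False, "email scope not granted")
    email = claims.get("email")
    if not isinstance(email, str) or "@" not in email:
        return EmailResult(None, False, "no email claim")
    # Strict boolean check: a missing claim, or a string such as "true",
    # means the provider did not assert that the address was verified.
    if claims.get("email_verified") is not True:
        return EmailResult(email, False, "email not asserted as verified")
    return EmailResult(email, True, "ok")


# Constructed sample data (not real tokens or accounts).
TOKEN_WITH_EMAIL = {"scope": "openid email", "token_type": "bearer"}
TOKEN_OPENID_ONLY = {"scope": "openid", "token_type": "bearer"}
CLAIMS_VERIFIED = {"sub": "constructed-sub", "email": "alice@example.org",
                   "email_verified": True}
CLAIMS_UNVERIFIED = {"sub": "constructed-sub", "email": "alice@example.org"}
CLAIMS_STRING_FLAG = {"sub": "constructed-sub", "email": "alice@example.org",
                      "email_verified": "true"}

if __name__ == "__main__":
    for claims in (CLAIMS_VERIFIED, CLAIMS_UNVERIFIED, CLAIMS_STRING_FLAG):
        print(usable_email(TOKEN_WITH_EMAIL, claims))
    print(usable_email(TOKEN_OPENID_ONLY, CLAIMS_VERIFIED))
```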

You're right that this is not a technologically difficult feature to add; however, there are policy aspects that require evaluation by a variety of stakeholders, including the ORCID board of directors and the ORCID Trust Working Group. As some of the organizations you listed above have demonstrated, sharing private user information is not something to be undertaken lightly.

lizkrznarich avatar Jul 10 '19 15:07 lizkrznarich

As some of the organizations you listed above have demonstrated, sharing private user information is not something to be undertaken lightly.

I think the examples listed above actually show that this approach is quite standard, and that users will expect this behaviour.

hubgit avatar Jul 10 '19 15:07 hubgit

So, after a year, how are things with the policy aspects?

fdlk avatar Jul 13 '20 12:07 fdlk

@fdlk Good news on this front - during our privacy policy review this year we updated our privacy policy to include language that addresses requesting private email addresses: https://orcid.org/privacy-policy#Choices (see section 3.1.3 "... if an email address is required for sign in to a Trusted Organization's system..."). Our 2020 roadmap is chock full, with a frontend migration and a UI overhaul underway now through the end of the year, but we expect to include the work to implement this in our plan for 2021.

lizkrznarich avatar Jul 15 '20 21:07 lizkrznarich

Would really love to see that as it would allow authentication of externals with ORCID on our university GitLab. Do not want to push too hard here. Are there any updates?

mpolitze avatar Mar 22 '21 17:03 mpolitze

Not sure what it's worth, but we would also love to see this feature to enable login on our Drupal 7 site with ORCID. Drupal requires a user's email; I have not found a way around that. We use the Drupal OAuth plugin "miniOrange OAuth Client".

CFGrote avatar Mar 09 '22 10:03 CFGrote

While this would be great in theory, only a tiny percentage of our users want to share their email addresses with OAuth clients. Closing. We may revisit one day, but it would require significant UX changes and privacy investigation to accomplish.

TomDemeranville avatar Nov 28 '22 16:11 TomDemeranville