Implement API for token revocation

At present, tokens can be issued using ORCID's OAuth API but they can't be revoked except by a user manually going to their Account settings on the main orcid.org website (https://orcid.org/account).

OAuth providers such as Google provide the ability for a token holder to revoke the token via an API. For example, see https://developers.google.com/identity/protocols/OAuth2WebServer#tokenrevoke

One current suggested flow, of an application simply deleting the token from its database, is unsafe, as the token is still valid (for up to 20 years) and is at risk of being found/brute-forced and abused. The other suggested flow, of instructing the user how to log in to ORCID to revoke permissions, works, but requires manual intervention from the user, meaning there's a risk of the user accidentally removing other tokens. Finally, if revocation were needed en masse (such as an organisational database being compromised), there is currently no way forward with this short of emailing ORCID.

A simple, Google-style API (e.g. a URL like https://orcid.org/oauth/revoke?token={token}) would suffice for this purpose and be extremely useful.

8 votes

David Beitey shared this idea
Status: under review. ORCID (APAC) (ORCID Community Team, ORCID) responded:

Thanks for your suggestion to improve the ORCID Registry. This is a great idea, and it’s something that is possible to do using refresh tokens by revoking the original token. This will render the original token invalid and remove the active permissions in the user’s Trusted Organizations list.

You can find our page on refresh tokens and example calls at our member support centre:
https://members.orcid.org/api/oauth/refresh-tokens

For the time being, we’re also going to mark this as under review, as having a specific call for token revocation may be something that we would like to implement in the near future also.

Warm regards,
ORCID Community Team
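The three situations the suggestion describes (an application forgetting a long-lived token locally, a per-token revoke call, and mass revocation after a compromised organisational database), together with the effect on the user's Trusted Organizations list that the response mentions, as an added worked example. This is not code from either post, from ORCID, or from Google: it is a toy authorization server with an issue/validate/revoke model in the style of RFC 7009 (the same shape as Google's revoke endpoint). The client identifiers, the user id, the 20-year lifetime quoted in the suggestion and the per-client bulk revocation are all assumptions; ORCID's real endpoints and refresh-token call are not modelled.

```python
"""Toy OAuth 2.0 token store contrasting "forget the token locally" with an
RFC 7009-style revocation endpoint.  Added example, not ORCID's or Google's
code; every identifier below is made up and the 20-year lifetime is the
figure quoted in the suggestion."""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

TWENTY_YEARS = 20 * 365 * 24 * 3600  # assumed token lifetime (from the post)


@dataclass
class Token:
    value: str
    client_id: str   # the application the token was issued to
    user: str        # the account holder who granted access
    expires_at: float
    revoked: bool = False


class AuthorizationServer:
    """Issues bearer tokens and answers validity and revocation requests."""

    def __init__(self) -> None:
        self._tokens: Dict[str, Token] = {}

    def issue(self, client_id: str, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        value = secrets.token_urlsafe(32)
        self._tokens[value] = Token(value, client_id, user, now + TWENTY_YEARS)
        return value

    def is_valid(self, value: str, now: Optional[float] = None) -> bool:
        """The check a resource server makes before honouring a bearer token."""
        now = time.time() if now is None else now
        tok = self._tokens.get(value)
        return tok is not None and not tok.revoked and now < tok.expires_at

    def revoke(self, value: str, client_id: str) -> bool:
        """RFC 7009-style revocation: only the client a token was issued to
        may revoke it, and the endpoint reports success for unknown or
        foreign tokens so it cannot be used as an oracle for live tokens."""
        tok = self._tokens.get(value)
        if tok is not None and tok.client_id == client_id:
            tok.revoked = True
        return True

    def revoke_all_for_client(self, client_id: str) -> int:
        """Mass revocation, e.g. after the client's token database is stolen
        (an assumed extension; the posts only ask for a per-token call)."""
        hits = [t for t in self._tokens.values()
                if t.client_id == client_id and not t.revoked]
        for t in hits:
            t.revoked = True
        return len(hits)

    def trusted_organizations(self, user: str) -> List[str]:
        """What the user sees in account settings: clients with a live token."""
        return sorted({t.client_id for t in self._tokens.values()
                       if t.user == user and not t.revoked})


def demo() -> dict:
    """Walk through the scenarios from the discussion; returns what each shows."""
    auth = AuthorizationServer()
    user = "0000-0002-0000-0000"  # constructed id, not a real ORCID iD
    app_a, app_b = "APP-A", "APP-B"  # constructed client ids
    tok_a = auth.issue(app_a, user)
    tok_b = auth.issue(app_b, user)
    out = {}

    # Flow 1: the application deletes the token from its own database...
    app_a_db = {"user_token": tok_a}
    del app_a_db["user_token"]
    # ...but the authorization server still honours it, and will for decades.
    out["still_valid_after_local_delete"] = auth.is_valid(tok_a)
    out["still_valid_in_19_years"] = auth.is_valid(
        tok_a, time.time() + 19 * 365 * 24 * 3600)

    # Flow 2: a revoke call.  APP-A cannot revoke APP-B's token...
    auth.revoke(tok_b, client_id=app_a)
    out["other_client_untouched"] = auth.is_valid(tok_b)
    # ...but can revoke its own, and only its own entry leaves the user's list.
    auth.revoke(tok_a, client_id=app_a)
    out["revoked_after_api_call"] = not auth.is_valid(tok_a)
    out["trusted_orgs_after_revoke"] = auth.trusted_organizations(user)

    # Flow 3: APP-B's token store is compromised; revoke everything it holds.
    auth.issue(app_b, "0000-0002-0000-0001")  # a second, constructed user
    out["bulk_revoked"] = auth.revoke_all_for_client(app_b)
    out["trusted_orgs_after_bulk"] = auth.trusted_organizations(user)
    return out


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The point of `revoke` returning success unconditionally is the one RFC 7009 makes: a revocation endpoint that answered differently for live and dead tokens would itself be the brute-force oracle the suggestion warns about, so the client learns nothing except that the token it sent is no longer usable.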

0 comments