Implement API for token revocation

At present, tokens can be issued using ORCID's OAuth API but they can't be revoked except by a user manually going to their Account settings on the main orcid.org website (https://orcid.org/account).

OAuth providers such as Google provide the ability for a token holder to revoke the token via an API. For example, see https://developers.google.com/identity/protocols/OAuth2WebServer#tokenrevoke

One currently suggested flow, an application simply deleting the token from its database, is unsafe, as the token is still valid (for up to 20 years) and is at risk of being found or brute-forced and abused. The other suggested flow, instructing the user how to log in to ORCID and revoke permissions, works, but it requires manual intervention from the user, meaning there's a risk of the user accidentally removing other tokens. Finally, if revocation were needed en masse (such as an organisational database being compromised), there is currently no way forward short of emailing ORCID.

A simple, Google-style API (e.g. a URL like https://orcid.org/oauth/revoke?token={token}) would suffice for this purpose and be extremely useful.

8 votes

David Beitey shared this idea

    0 comments