IQSS · kcondon · Jul 20, 2020 · Jun 23, 2020 · Jun 29, 2020 · Jun 29, 2020
diff --git a/...tion/files/root/auth-providers/orcid.json → ...les/root/auth-providers/orcid-member.json b/...tion/files/root/auth-providers/orcid.json → ...les/root/auth-providers/orcid-member.json
diff --git a/doc/sphinx-guides/source/_static/installation/files/root/auth-providers/orcid-public.json b/doc/sphinx-guides/source/_static/installation/files/root/auth-providers/orcid-public.json
@@ -0,0 +1,8 @@
+{
+    "id":"orcid-public",
+    "factoryAlias":"oauth2",
+    "title":"ORCID",
+    "subtitle":"",
+    "factoryData":"type: orcid | userEndpoint: https://pub.orcid.org/v2.1/{ORCID}/person | clientId: FIXME | clientSecret: FIXME",
+    "enabled":true
+}
diff --git a/doc/sphinx-guides/source/installation/oauth2.rst b/doc/sphinx-guides/source/installation/oauth2.rst
@@ -26,11 +26,11 @@ Identity Provider Side
 Obtain Client ID and Client Secret 
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-Before OAuth providers will release information about their users (first name, last name, etc.) to your Dataverse installation, you must request a "Client ID" and "Client Secret" from them. In the case of GitHub and Google, this is as simple as clicking a few buttons and there is no cost associated with using their authentication service. ORCID and Microsoft, on the other hand, do not have an automated system for requesting these credentials, and it is not free to use these authentication services.
+Before OAuth providers will release information about their users (first name, last name, etc.) to your Dataverse installation, you must request a "Client ID" and "Client Secret" from them. In many cases you can use providers' automated system to request these credentials, but if not, contact the provider for assistance.
 
 URLs to help you request a Client ID and Client Secret from the providers supported by Dataverse are provided below.  For all of these providers, it's a good idea to request the Client ID and Client secret using a generic account, perhaps the one that's associated with the ``:SystemEmail`` you've configured for Dataverse, rather than your own personal Microsoft Azure AD, ORCID, GitHub, or Google account:
 
-- ORCID: https://orcid.org/content/register-client-application-production-trusted-party
+- ORCID: https://orcid.org/content/register-client-application-0
- ORCID: https://orcid.org/content/register-client-application-0
+- ORCID: https://orcid.org/content/register-client-application
- ORCID: https://orcid.org/content/register-client-application-0
+- ORCID: https://orcid.org/content/register-client-application
 - Microsoft: https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code
 - GitHub: https://github.com/settings/applications/new via https://developer.github.com/v3/oauth/
 - Google: https://console.developers.google.com/projectselector/apis/credentials via https://developers.google.com/identity/protocols/OAuth2WebServer (pick "OAuth client ID")
@@ -51,7 +51,8 @@ As explained under "Auth Modes" in the :doc:`config` section, available authenti
 
 We will ``POST`` a JSON file containing the Client ID and Client Secret to this ``authenticationProviders`` API endpoint to add another authentication provider. As a starting point, you'll want to download the JSON template file matching the provider you're setting up:
 
-- :download:`orcid.json <../_static/installation/files/root/auth-providers/orcid.json>`
+- :download:`orcid-public.json <../_static/installation/files/root/auth-providers/orcid-public.json>`
+- :download:`orcid-member.json <../_static/installation/files/root/auth-providers/orcid-member.json>`
 - :download:`github.json <../_static/installation/files/root/auth-providers/github.json>`
 - :download:`google.json <../_static/installation/files/root/auth-providers/google.json>`
 - :download:`microsoft.json <../_static/installation/files/root/auth-providers/microsoft.json>`

diff --git a/...main/java/edu/harvard/iq/dataverse/authorization/providers/oauth2/impl/OrcidOAuth2AP.java b/...main/java/edu/harvard/iq/dataverse/authorization/providers/oauth2/impl/OrcidOAuth2AP.java
@@ -55,7 +55,13 @@ public class OrcidOAuth2AP extends AbstractOAuth2AuthenticationProvider {
     public static final String PROVIDER_ID_SANDBOX = "orcid-sandbox";
 
     public OrcidOAuth2AP(String clientId, String clientSecret, String userEndpoint) {
-        scope = Arrays.asList("/read-limited");
+
+        if(userEndpoint != null && userEndpoint.startsWith("https://pub")) {
+            this.scope = Arrays.asList("/authenticate");
+        } else {
+            this.scope = Arrays.asList("/read-limited");
+        }
+
         this.clientId = clientId;
         this.clientSecret = clientSecret;
         this.baseUserEndpoint = userEndpoint;

diff --git a/.../java/edu/harvard/iq/dataverse/authorization/providers/oauth2/impl/OrcidOAuth2APTest.java b/.../java/edu/harvard/iq/dataverse/authorization/providers/oauth2/impl/OrcidOAuth2APTest.java
@@ -4,9 +4,13 @@
 import edu.harvard.iq.dataverse.authorization.providers.oauth2.AbstractOAuth2AuthenticationProvider;
 import edu.harvard.iq.dataverse.authorization.providers.oauth2.OAuth2Exception;
 import java.util.Arrays;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNotNull;
-import org.junit.Test;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.CsvSource;
+import org.junit.jupiter.params.provider.ValueSource;
+
+import static org.junit.jupiter.api.Assertions.*;
 
 /**
  *
@@ -41,6 +45,15 @@ private static String loadResponseXML(String fname) {
 	    }
 	    return txt;
     }
+
+    @ParameterizedTest
+    @CsvSource({"https://pub.orcid.org/v2.1/{ORCID}/person,/authenticate", "https://api.orcid.org/v2.0/{ORCID}/person,/read-limited"})
+    public void testPublicApiScope(String endpoint, String scope) {
+        // when
+        OrcidOAuth2AP provider = new OrcidOAuth2AP("clientId", "clientSecret", endpoint);
+        // then
+        assertEquals(scope, provider.getSpacedScope());
+    }
 
     @Test
     public void testParseUserResponse() {
@@ -82,14 +95,14 @@ public void testExtractOrcid() throws OAuth2Exception {
         assertEquals("0000-0001-2345-6789", sut.extractOrcidNumber(response));
     }
 
-    @Test( expected=OAuth2Exception.class )
+    @Test
     public void testExtractOrcidBad() throws OAuth2Exception {
         // sample response from https://members.orcid.org/api/tutorial/read-orcid-records
         String response = "{\"access_token\":\"f5af9f51-07e6-4332-8f1a-c0c11c1e3728\",\"token_type\":\"bearer\",\n" +
                             "\"refresh_token\":\"f725f747-3a65-49f6-a231-3e8944ce464d\",\"expires_in\":631138518,\n" +
                             "\"scope\":\"/read-limited\",\"name\":\"Sofia Garcia\"}";
         OrcidOAuth2AP sut = new OrcidOAuth2AP("clientId", "clientSecret", "userEndpoint");
-        sut.extractOrcidNumber(response);
+        assertThrows(OAuth2Exception.class, () -> sut.extractOrcidNumber(response));
     }
 
     @Test