leibniz-psychology · JackBlackLight · Jun 7, 2023 · Jul 6, 2023 · Jul 26, 2023
diff --git a/forms/OpenIDPluginSettingsForm.inc.php b/forms/OpenIDPluginSettingsForm.inc.php
@@ -87,6 +87,7 @@ function initData()
 				'generateAPIKey' => $settings['generateAPIKey'] ? $settings['generateAPIKey'] : 0,
 				'providerSync' => key_exists('providerSync', $settings) ? $settings['providerSync'] : false,
 				'disableFields' => $settings['disableFields'],
+				'orcid2fa' => key_exists('orcid2fa', $settings) ? $settings['orcid2fa'] : false,
 			);
 		} else {
 			$this->_data = array(
@@ -105,7 +106,7 @@ function initData()
 	function readInputData()
 	{
 		$this->readUserVars(
-			array('provider', 'legacyLogin', 'legacyRegister', 'disableConnect', 'hashSecret', 'generateAPIKey', 'providerSync', 'disableFields')
+			array('provider', 'legacyLogin', 'legacyRegister', 'disableConnect', 'hashSecret', 'generateAPIKey', 'providerSync', 'disableFields', 'orcid2fa')
 		);
 		parent::readInputData();
 	}
@@ -157,6 +158,7 @@ function execute(...$functionArgs)
 			'generateAPIKey' => $this->getData('generateAPIKey'),
 			'providerSync' => $this->getData('providerSync'),
 			'disableFields' => $this->getData('disableFields'),
+			'orcid2fa' => $this->getData('orcid2fa'),
 		);
 		$this->plugin->updateSetting($contextId, 'openIDSettings', json_encode($settings), 'string');
 		import('classes.notification.NotificationManager');

diff --git a/handler/OpenIDHandler.inc.php b/handler/OpenIDHandler.inc.php
@@ -75,6 +75,11 @@ function doAuthentication($args, $request, $provider = null)
 
 		if (isset($token) && isset($publicKey)) {
 			$tokenPayload = $this->_validateAndExtractToken($token, $publicKey);
+                        //check if orcid two-factor authentication is required
+                        if ($settings['orcid2fa'] == true && $tokenPayload['amr'] != 'mfa') {
+				$ssoErrors['sso_error'] = '2fa';
+                		return $request->redirect($context, 'login', null, null, $ssoErrors);
+			}
 			if (isset($tokenPayload) && is_array($tokenPayload)) {
 				$tokenPayload['selectedProvider'] = $selectedProvider;
 				$user = $this->_getUserViaKeycloakId($tokenPayload);
@@ -391,7 +396,6 @@ private function _validateAndExtractToken(array $token, array $publicKeys)
 				try {
 					if (!empty($t)) {
 						$jwtPayload = JWT::decode($t, $publicKey, array('RS256'));
-
 						if (isset($jwtPayload)) {
 							$credentials = [
 								'id' => property_exists($jwtPayload, 'sub') ? $jwtPayload->sub : null,
@@ -400,6 +404,8 @@ private function _validateAndExtractToken(array $token, array $publicKeys)
 								'given_name' => property_exists($jwtPayload, 'given_name') ? $jwtPayload->given_name : null,
 								'family_name' => property_exists($jwtPayload, 'family_name') ? $jwtPayload->family_name : null,
 								'email_verified' => property_exists($jwtPayload, 'email_verified') ? $jwtPayload->email_verified : null,
+						//orcid property for checking two factor authentication status 
+								'amr' => property_exists($jwtPayload, 'amr') ? $jwtPayload->amr : null,
 							];
 						}
 						if (isset($credentials) && key_exists('id', $credentials) && !empty($credentials['id'])) {

diff --git a/handler/OpenIDLoginHandler.inc.php b/handler/OpenIDLoginHandler.inc.php
@@ -51,7 +51,6 @@ function index($args, $request)
 		$legacyLogin = false;
 		$templateMgr = TemplateManager::getManager($request);
 		$context = $request->getContext();
-
 		if (!Validation::isLoggedIn()) {
 			$router = $request->getRouter();
 			$contextId = ($context == null) ? 0 : $context->getId();
@@ -67,7 +66,9 @@ function index($args, $request)
 					foreach ($providerList as $name => $settings) {
 						if (key_exists('authUrl', $settings) && !empty($settings['authUrl'])
 							&& key_exists('clientId', $settings) && !empty($settings['clientId'])) {
-							if (sizeof($providerList) == 1 && !$legacyLogin && !$legacyRegister) {
+				//if there is a single provider, make sure there are no login errors before redirecting
+				$ssoErrorCheck = $request->getUserVar('sso_error');
+				if (sizeof($providerList) == 1 && !$legacyLogin && !$legacyRegister && !isset($ssoErrorCheck) && empty($ssoErrorCheck)) {
 								$request->redirectUrl(
 									$settings['authUrl'].
 									'?client_id='.$settings['clientId'].
@@ -222,6 +223,9 @@ private function _setSSOErrorMessages($ssoError, $templateMgr, $request)
 			case 'cert':
 				$templateMgr->assign('errorMsg', 'plugins.generic.openid.error.openid.cert.desc');
 				break;
+			case '2fa':
+                                $templateMgr->assign('errorMsg', 'plugins.generic.openid.error.openid.orcid2fa.desc');
+				break;
 			case 'disabled':
 				$reason = $request->getUserVar('sso_error_msg');
 				$templateMgr->assign('accountDisabled', true);

diff --git a/locale/en_US/locale.po b/locale/en_US/locale.po
@@ -123,6 +123,9 @@ msgstr "Please enter the label of the login button."
 msgid "plugins.generic.openid.settings.orcid.enable"
 msgstr "ORCID OpenID Connect"
 
+msgid "plugins.generic.openid.settings.orcid.orcid2fa.enable"
+msgstr "Require Two-Factor Authentication for OrcId login"
+
 msgid "plugins.generic.openid.settings.orcid.desc"
 msgstr "Please use this redirect URL (see <a href='https://github.com/ORCID/ORCID-Source/blob/master/orcid-web/ORCID_AUTH_WITH_OPENID_CONNECT.md' target='_blank' rel='noopener'>tutorial</a>):"
 
@@ -237,6 +240,9 @@ msgstr "<strong>An error occurred while receiving your data from the OpenId prov
 msgid "plugins.generic.openid.error.openid.cert.desc"
 msgstr "<strong>An error occurred while validation and extracting your data.</strong><br />The service may not be available right now.<br />Please try again later and <a href='mailto:{$supportEmail}'>contact technical support</a> if the problem still exists."
 
+msgid "plugins.generic.openid.error.openid.orcid2fa.desc"
+msgstr "Orcid two-factor authentication is required for login. Please go to <a href=\"https://orcid.org\">orcid.org</a>, log into your Orcid profile and turn on two-factor authentication in the security section of your account settings."
+
 msgid "plugins.generic.openid.error.openid.disabled.without"
 msgstr "<strong>This account is disabled without any specific reason.</strong><br />Please <a href='mailto:{$supportEmail}'>contact technical support</a> to enable this account."
 

diff --git a/templates/settings.tpl b/templates/settings.tpl
@@ -105,6 +105,10 @@
 						{else}
 							{fbvElement type="hidden" id="provider[{$name}][configUrl]" value=$settings['configUrl'] }
 						{/if}
+						{if $name eq 'orcid'}
+							{fbvElement type="checkbox" name="orcid2fa" id="orcid2fa" checked=$orcid2fa value="1" label="plugins.generic.openid.settings.orcid.orcid2fa.enable"}
+							<div style="clear: both;">&nbsp;</div>
+						{/if}
 						<div>
 							<div><strong>{translate key="plugins.generic.openid.settings.provider.settings"}</strong></div>
 							{fbvElement type="text" id="provider[{$name}][clientId]" value=$provider[{$name}]['clientId'] maxlength="250" label="plugins.generic.openid.settings.clientId.desc" inline=true size=$fbvStyles.size.MEDIUM}