ORCID login shows "undefined doesn't contain the link" error, but accepts invalid credentials to log in

[CentralLibraryBHU]

Describe the bug

After attempting to log in via ORCID, DSpace shows the following error:

undefined doesn't contain the link authn

Despite this failure, if a user then enters any random email and password (e.g., a@a.com / abc) in the standard login form and clicks "Login", the system logs them into the previously attempted ORCID-linked account — without validating the credentials.

This was observed on DSpace 7.x (e.g., 7.6) using Google Chrome.

This behavior poses a significant security risk, as it allows bypassing authentication once an ORCID login flow has been attempted.

To Reproduce

Steps to reproduce the behavior:

1. On the DSpace login page, click Login with ORCID.
2. Complete the ORCID authorization process.
3. The application returns an error: undefined doesn't contain the link authn
4. Now, enter any random text in the email and password fields and click Login.
5. The system logs you into the ORCID-linked account.

Expected behavior

• ORCID login should redirect correctly and securely log the user in.
• The standard email/password login should not allow login with incorrect credentials.
• A failed ORCID login should not leave any authentication session or token that can be misused.

[tdonohue]

@CentralLibraryBHU : I'm not able to reproduce this issue on our demo site (https://demo.dspace.org) or sandbox site (https://sandbox.dspace.org), which makes me suspect it may have already been fixed in a version of DSpace 7 and 8. What version of DSpace 7.6 are you running?

I've tried the following:

1. Login to the ORCID sandbox system on demo.dspace.org (successfully works for an existing login)
2. Logout from DSpace.
3. Login to DSpace using the default password form with an invalid account (like "aabb@cc.com" and password "1234567"
4. Result is that DSpace shows an "Invalid email address or password" error message. No authentication occurs.

It is possible this was fixed in a more recent version of DSpace 7.x and 8.x:

• There were several ORCID related bug fixes in version 7.6.3.
• There were also some authentication related fixes listed in version 7.6.1.

One other thing to be aware of: ORCID is a single sign-on system. This means, even if you logout of DSpace, your browser may still may be logged into ORCID (via a cookie that ORCID has installed into your browser). This is important to consider on shared computer systems. DSpace does not destroy your ORCID session on logout. This is similar to other single sign on systems like Shibboleth...at this time, DSpace will also not destroy your current Shibboleth session.

[CentralLibraryBHU]

I'm using dspace 7.6.1