ORCID login shows "undefined doesn't contain the link" error, but accepts invalid credentials to log in #4300

@CentralLibraryBHU

Describe the bug

After attempting to log in via ORCID, DSpace shows the following error:

undefined doesn't contain the link authn

Despite this failure, if a user then enters any random email and password (e.g., a@a.com / abc) in the standard login form and clicks "Login", the system logs them into the previously attempted ORCID-linked account — without validating the credentials.

This was observed on DSpace 7.x (e.g., 7.6) using Google Chrome.

This behavior poses a significant security risk, as it allows bypassing authentication once an ORCID login flow has been attempted.

To Reproduce

Steps to reproduce the behavior:

  1. On the DSpace login page, click Login with ORCID.
  2. Complete the ORCID authorization process.
  3. The application returns an error: undefined doesn't contain the link authn
  4. Now, enter any random text in the email and password fields and click Login.
  5. The system logs you into the ORCID-linked account.

Expected behavior

  • ORCID login should redirect correctly and securely log the user in.
  • The standard email/password login should not allow login with incorrect credentials.
  • A failed ORCID login should not leave any authentication session or token that can be misused.

Metadata

Assignees: No one assigned

Labels:

  • bug
  • cannot reproduce: Unable to reproduce at this time, so the ticket either needs more information or needs closing
  • integration: ORCID: Related to integration with ORCID identifier system

Status: ✅ Done / Closed

Milestone: No milestone