Private Emails from ORCID Obstruct OAuth

[gmeben]

Describe the bug

ORCID does not allow OAuth permission requests to read an ORCID user's email. By default, email visibility settings are set to private on ORCID accounts. This means, more often than not, emails from ORCID accounts will be unable to be matched with emails in Pilcrow accounts. When attempting to authenticate on Pilcrow with an ORCID account, the interaction will be treated like a registration instead of an authentication. When the user attempts to add their email, Pilcrow will report that the email address is already taken.

To Reproduce

1. Register an ORCID account
2. Register a Pilcrow account without OAuth using the same email address as the ORCID account
3. Log out of Pilcrow
4. Visit the login page on Pilcrow
5. Click the button labeled "Log in with ORCID"
6. Fill out the form using the same email address as the ORCID account
7. Note that the email address is considered invalid as a duplicate

Expected behavior
Emails from ORCID accounts should be able to be matched for ORCID OAuth.

Fallback:
When a user's email address is not provided from ORCID, prompt the user with an explanation of what's happening, steps to take on ORCID, and require an acknowledgement before proceeding to the "Continue Registration" form.

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context

Relevant GitHub issue: ORCID/ORCID-Source#5504

[gmeben]

From MSU's ORCID representative:

If you are wanting to get/read a user’s email address and their email address is set to private in their ORCID record, which is the default, you won’t be able to retrieve it even if your client app is authorized as a trusted org by the user. You can only get the users email address if it is set to public or “trusted parties” visibility. In this case, ORCID recommends not forcing the user to change their privacy setting but rather asking the user to type in their email address. You can read more about this question here: https://groups.google.com/g/orcid-api-users/c/OWCeZFUQrjg

[gmeben]

A proposed solution we discussed last year is to perform two factor authentication (2FA). That could look like:

1. Prompt the user for their email address when it isn't detected in the response
2. Pilcrow sends an email to the supplied email address for the user to verify their email address
3. The user visits the Pilcrow URL embedded within the email to be redirected back to the 2FA endpoint on Pilcrow
4. Pilcrow associates that verified email address with their Pilcrow account

This:

• allows subsequent ORCID authentications to be matched like normal to the correct Pilcrow account
• prevents the account from being hijacked by someone who doesn't have access to the user's email