[CST-5669] Added OrcidToken entity to store orcid access token

dspace-api/src/main/java/org/dspace/app/orcid/OrcidToken.java

@@ -0,0 +1,85 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.app.orcid;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.FetchType;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.JoinColumn;
+import javax.persistence.OneToOne;
+import javax.persistence.SequenceGenerator;
+import javax.persistence.Table;
+
+import org.dspace.content.Item;
+import org.dspace.core.ReloadableEntity;
+import org.dspace.eperson.EPerson;
+
+/**
+ * Entity that stores ORCID access-token related to a given eperson or a given
+ * profile item.
+ *
+ * @author Luca Giamminonni (luca.giamminonni at 4science.it)
+ *
+ */
+@Entity
+@Table(name = "orcid_token")
+public class OrcidToken implements ReloadableEntity<Integer> {
+
+    @Id
+    @GeneratedValue(strategy = GenerationType.SEQUENCE, generator = "orcid_token_id_seq")
+    @SequenceGenerator(name = "orcid_token_id_seq", sequenceName = "orcid_token_id_seq", allocationSize = 1)
+    private Integer id;
+
+    @OneToOne(fetch = FetchType.LAZY)
+    @JoinColumn(name = "eperson_id")
+    protected EPerson ePerson;
+
+    @OneToOne(fetch = FetchType.LAZY)
+    @JoinColumn(name = "profile_item_id")
+    private Item profileItem;
+
+    @Column(name = "access_token")
+    private String accessToken;
+
+    @Override
+    public Integer getID() {
+        return id;
+    }
+
+    public void setId(Integer id) {
+        this.id = id;
+    }
+
+    public EPerson getEPerson() {
+        return ePerson;
+    }
+
+    public void setEPerson(EPerson eperson) {
+        this.ePerson = eperson;
+    }
+
+    public Item getProfileItem() {
+        return profileItem;
+    }
+
+    public void setProfileItem(Item profileItem) {
+        this.profileItem = profileItem;
+    }
+
+    public String getAccessToken() {
+        return accessToken;
+    }
+
+    public void setAccessToken(String accessToken) {
+        this.accessToken = accessToken;
+    }
+
+}

dspace-api/src/main/java/org/dspace/app/orcid/dao/OrcidTokenDAO.java

@@ -0,0 +1,45 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.app.orcid.dao;
+
+import org.dspace.app.orcid.OrcidToken;
+import org.dspace.content.Item;
+import org.dspace.core.Context;
+import org.dspace.core.GenericDAO;
+import org.dspace.eperson.EPerson;
+
+/**
+ * Database Access Object interface class for the OrcidToken object. The
+ * implementation of this class is responsible for all database calls for the
+ * OrcidToken object and is autowired by spring. This class should only be
+ * accessed from a single service and should never be exposed outside of the API
+ *
+ * @author Luca Giamminonni (luca.giamminonni at 4science.it)
+ *
+ */
+public interface OrcidTokenDAO extends GenericDAO<OrcidToken> {
+
+    /**
+     * Find an OrcidToken by ePerson.
+     *
+     * @param  context the DSpace context
+     * @param  ePerson the ePerson to search for
+     * @return         the Orcid token, if any
+     */
+    public OrcidToken findByEPerson(Context context, EPerson ePerson);
+
+    /**
+     * Find an OrcidToken by profileItem.
+     *
+     * @param  context     the DSpace context
+     * @param  profileItem the profile item to search for
+     * @return             the Orcid token, if any
+     */
+    public OrcidToken findByProfileItem(Context context, Item profileItem);
+
+}

dspace-api/src/main/java/org/dspace/app/orcid/dao/impl/OrcidTokenDAOImpl.java

@@ -0,0 +1,50 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.app.orcid.dao.impl;
+
+import java.sql.SQLException;
+import javax.persistence.Query;
+
+import org.dspace.app.orcid.OrcidToken;
+import org.dspace.app.orcid.dao.OrcidTokenDAO;
+import org.dspace.content.Item;
+import org.dspace.core.AbstractHibernateDAO;
+import org.dspace.core.Context;
+import org.dspace.eperson.EPerson;
+
+/**
+ * Implementation of {@link OrcidTokenDAO}.
+ *
+ * @author Luca Giamminonni (luca.giamminonni at 4science.it)
+ *
+ */
+public class OrcidTokenDAOImpl extends AbstractHibernateDAO<OrcidToken> implements OrcidTokenDAO {
+
+    @Override
+    public OrcidToken findByEPerson(Context context, EPerson ePerson) {
+        try {
+            Query query = createQuery(context, "FROM OrcidToken WHERE ePerson = :ePerson");
+            query.setParameter("ePerson", ePerson);
+            return singleResult(query);
+        } catch (SQLException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    @Override
+    public OrcidToken findByProfileItem(Context context, Item profileItem) {
+        try {
+            Query query = createQuery(context, "FROM OrcidToken WHERE profileItem = :profileItem");
+            query.setParameter("profileItem", profileItem);
+            return singleResult(query);
+        } catch (SQLException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+}

dspace-api/src/main/java/org/dspace/app/orcid/service/OrcidSynchronizationService.java

@@ -31,10 +31,11 @@ public interface OrcidSynchronizationService {
     /**
      * Check if the given item is linked to an ORCID profile.
      *
-     * @param  item the item to check
+     * @param  context the relevant DSpace Context.
-     * @return      true if the given item is linked to ORCID
+     * @param  item    the item to check
+     * @return         true if the given item is linked to ORCID
      */
-    boolean isLinkedToOrcid(Item item);
+    boolean isLinkedToOrcid(Context context, Item item);
 
     /**
      * Configure the given profile with the data present in the given ORCID token.

dspace-api/src/main/java/org/dspace/app/orcid/service/OrcidTokenService.java

@@ -0,0 +1,84 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.app.orcid.service;
+
+import org.dspace.app.orcid.OrcidToken;
+import org.dspace.content.Item;
+import org.dspace.core.Context;
+import org.dspace.eperson.EPerson;
+
+/**
+ * Service that handle {@link OrcidToken} entities.
+ *
+ * @author Luca Giamminonni (luca.giamminonni at 4science.it)
+ *
+ */
+public interface OrcidTokenService {
+
+    /**
+     * Creates a new OrcidToken entity for the given ePerson and accessToken.
+     *
+     * @param  context     the DSpace context
+     * @param  ePerson     the EPerson
+     * @param  accessToken the access token
+     * @return             the created entity instance
+     */
+    public OrcidToken create(Context context, EPerson ePerson, String accessToken);
+
+    /**
+     * Creates a new OrcidToken entity for the given ePerson and accessToken.
+     *
+     * @param  context     the DSpace context
+     * @param  ePerson     the EPerson
+     * @param  profileItem the profile item
+     * @param  accessToken the access token
+     * @return             the created entity instance
+     */
+    public OrcidToken create(Context context, EPerson ePerson, Item profileItem, String accessToken);
+
+    /**
+     * Find an OrcidToken by ePerson.
+     *
+     * @param  context the DSpace context
+     * @param  ePerson the ePerson to search for
+     * @return         the Orcid token, if any
+     */
+    public OrcidToken findByEPerson(Context context, EPerson ePerson);
+
+    /**
+     * Find an OrcidToken by profileItem.
+     *
+     * @param  context     the DSpace context
+     * @param  profileItem the profile item to search for
+     * @return             the Orcid token, if any
+     */
+    public OrcidToken findByProfileItem(Context context, Item profileItem);
+
+    /**
+     * Delete the given ORCID token entity.
+     *
+     * @param context    the DSpace context
+     * @param orcidToken the ORCID token entity to delete
+     */
+    public void delete(Context context, OrcidToken orcidToken);
+
+    /**
+     * Delete all the ORCID token entities.
+     *
+     * @param context the DSpace context
+     */
+    public void deleteAll(Context context);
+
+    /**
+     * Deletes the ORCID token entity related to the given EPerson.
+     *
+     * @param context the DSpace context
+     * @param ePerson the ePerson for the deletion
+     */
+    public void deleteByEPerson(Context context, EPerson ePerson);
+}

dspace-api/src/main/java/org/dspace/app/orcid/service/impl/OrcidSynchronizationServiceImpl.java

@@ -10,6 +10,7 @@ package org.dspace.app.orcid.service.impl;
 import static java.time.LocalDateTime.now;
 import static java.time.format.DateTimeFormatter.ISO_DATE_TIME;
 import static java.util.List.of;
+import static java.util.Optional.ofNullable;
 import static org.apache.commons.lang3.EnumUtils.isValidEnum;
 import static org.apache.commons.lang3.StringUtils.isBlank;
 import static org.dspace.content.Item.ANY;
@@ -22,9 +23,11 @@ import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
 import org.apache.commons.codec.binary.StringUtils;
+import org.dspace.app.orcid.OrcidToken;
 import org.dspace.app.orcid.model.OrcidEntityType;
 import org.dspace.app.orcid.model.OrcidTokenResponseDTO;
 import org.dspace.app.orcid.service.OrcidSynchronizationService;
+import org.dspace.app.orcid.service.OrcidTokenService;
 import org.dspace.app.profile.OrcidEntitySyncPreference;
 import org.dspace.app.profile.OrcidProfileDisconnectionMode;
 import org.dspace.app.profile.OrcidProfileSyncPreference;
@@ -56,17 +59,23 @@ public class OrcidSynchronizationServiceImpl implements OrcidSynchronizationServ
     @Autowired
     private EPersonService ePersonService;
 
+    @Autowired
+    private OrcidTokenService orcidTokenService;
+
     @Override
     public void linkProfile(Context context, Item profile, OrcidTokenResponseDTO token) throws SQLException {
 
+        EPerson ePerson = ePersonService.findByProfileItem(context, profile);
+        if (ePerson == null) {
+            throw new IllegalArgumentException(
+                "The given profile item is not related to any eperson. Item id: " + profile.getID());
+        }
+
         String orcid = token.getOrcid();
         String accessToken = token.getAccessToken();
-        String refreshToken = token.getRefreshToken();
         String[] scopes = token.getScopeAsArray();
 
         itemService.setMetadataSingleValue(context, profile, "person", "identifier", "orcid", null, orcid);
-        itemService.setMetadataSingleValue(context, profile, "dspace", "orcid", "access-token", null, accessToken);
-        itemService.setMetadataSingleValue(context, profile, "dspace", "orcid", "refresh-token", null, refreshToken);
         itemService.clearMetadata(context, profile, "dspace", "orcid", "scope", Item.ANY);
         for (String scope : scopes) {
             itemService.addMetadata(context, profile, "dspace", "orcid", "scope", null, scope);
@@ -77,9 +86,10 @@ public class OrcidSynchronizationServiceImpl implements OrcidSynchronizationServ
             itemService.setMetadataSingleValue(context, profile, "dspace", "orcid", "authenticated", null, currentDate);
         }
 
-        EPerson ePerson = ePersonService.findByProfileItem(context, profile);
+        setAccessToken(context, profile, ePerson, accessToken);
+
         EPerson ePersonByOrcid = ePersonService.findByNetid(context, orcid);
-        if (ePerson != null && ePersonByOrcid == null && isBlank(ePerson.getNetid())) {
+        if (ePersonByOrcid == null && isBlank(ePerson.getNetid())) {
             ePerson.setNetid(orcid);
             updateEPerson(context, ePerson);
         }
@@ -91,11 +101,18 @@ public class OrcidSynchronizationServiceImpl implements OrcidSynchronizationServ
     @Override
     public void unlinkProfile(Context context, Item profile) throws SQLException {
 
+        EPerson ePerson = ePersonService.findByProfileItem(context, profile);
+        if (ePerson == null) {
+            throw new IllegalArgumentException(
+                "The given profile item is not related to any eperson. Item id: " + profile.getID());
+        }
+
         itemService.clearMetadata(context, profile, "person", "identifier", "orcid", Item.ANY);
-        itemService.clearMetadata(context, profile, "dspace", "orcid", "access-token", Item.ANY);
-        itemService.clearMetadata(context, profile, "dspace", "orcid", "refresh-token", Item.ANY);
         itemService.clearMetadata(context, profile, "dspace", "orcid", "scope", Item.ANY);
         itemService.clearMetadata(context, profile, "dspace", "orcid", "authenticated", Item.ANY);
+
+        orcidTokenService.deleteByEPerson(context, ePerson);
+
         updateItem(context, profile);
 
     }
@@ -123,7 +140,7 @@ public class OrcidSynchronizationServiceImpl implements OrcidSynchronizationServ
     public boolean setSynchronizationMode(Context context, Item profile, OrcidSynchronizationMode value)
         throws SQLException {
 
-        if (!isLinkedToOrcid(profile)) {
+        if (!isLinkedToOrcid(context, profile)) {
             throw new IllegalArgumentException("The given profile cannot be configured for the ORCID "
                                                    + "synchronization because it is not linked to any ORCID account: "
                                                    + profile.getID());
@@ -167,8 +184,8 @@ public class OrcidSynchronizationServiceImpl implements OrcidSynchronizationServ
     }
 
     @Override
-    public boolean isLinkedToOrcid(Item item) {
+    public boolean isLinkedToOrcid(Context context, Item item) {
-        return getOrcidAccessToken(item).isPresent() && getOrcid(item).isPresent();
+        return getOrcidAccessToken(context, item).isPresent() && getOrcid(item).isPresent();
     }
 
     @Override
@@ -180,11 +197,21 @@ public class OrcidSynchronizationServiceImpl implements OrcidSynchronizationServ
         return OrcidProfileDisconnectionMode.fromString(value);
     }
 
+    private void setAccessToken(Context context, Item profile, EPerson ePerson, String accessToken) {
+        OrcidToken orcidToken = orcidTokenService.findByEPerson(context, ePerson);
+        if (orcidToken == null) {
+            orcidTokenService.create(context, ePerson, profile, accessToken);
+        } else {
+            orcidToken.setProfileItem(profile);
+            orcidToken.setAccessToken(accessToken);
+        }
+    }
+
     private boolean updatePreferenceForSynchronizingWithOrcid(Context context, Item profile,
                                                               String metadataQualifier,
                                                               List<String> values) throws SQLException {
 
-        if (!isLinkedToOrcid(profile)) {
+        if (!isLinkedToOrcid(context, profile)) {
             throw new IllegalArgumentException("The given profile cannot be configured for the ORCID "
                                                    + "synchronization because it is not linked to any ORCID account: "
                                                    + profile.getID());
@@ -211,9 +238,9 @@ public class OrcidSynchronizationServiceImpl implements OrcidSynchronizationServ
         return new HashSet<>(firstList).equals(new HashSet<>(secondList));
     }
 
-    private Optional<String> getOrcidAccessToken(Item item) {
+    private Optional<String> getOrcidAccessToken(Context context, Item item) {
-        return getMetadataValue(item, "dspace.orcid.access-token")
+        return ofNullable(orcidTokenService.findByProfileItem(context, item))
-            .map(metadataValue -> metadataValue.getValue());
+            .map(orcidToken -> orcidToken.getAccessToken());
     }
 
     public Optional<String> getOrcid(Item item) {

dspace-api/src/main/java/org/dspace/app/orcid/service/impl/OrcidTokenServiceImpl.java

@@ -0,0 +1,91 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.app.orcid.service.impl;
+
+import java.sql.SQLException;
+import java.util.List;
+
+import org.dspace.app.orcid.OrcidToken;
+import org.dspace.app.orcid.dao.OrcidTokenDAO;
+import org.dspace.app.orcid.service.OrcidTokenService;
+import org.dspace.content.Item;
+import org.dspace.core.Context;
+import org.dspace.eperson.EPerson;
+import org.springframework.beans.factory.annotation.Autowired;
+
+/**
+ * Implementation of {@link OrcidTokenService}.
+ *
+ * @author Luca Giamminonni (luca.giamminonni at 4science.it)
+ *
+ */
+public class OrcidTokenServiceImpl implements OrcidTokenService {
+
+    @Autowired
+    private OrcidTokenDAO orcidTokenDAO;
+
+    @Override
+    public OrcidToken create(Context context, EPerson ePerson, String accessToken) {
+        return create(context, ePerson, null, accessToken);
+    }
+
+    @Override
+    public OrcidToken create(Context context, EPerson ePerson, Item profileItem, String accessToken) {
+        OrcidToken orcidToken = new OrcidToken();
+        orcidToken.setAccessToken(accessToken);
+        orcidToken.setEPerson(ePerson);
+        orcidToken.setProfileItem(profileItem);
+        try {
+            return orcidTokenDAO.create(context, orcidToken);
+        } catch (SQLException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    @Override
+    public OrcidToken findByEPerson(Context context, EPerson ePerson) {
+        return orcidTokenDAO.findByEPerson(context, ePerson);
+    }
+
+    @Override
+    public OrcidToken findByProfileItem(Context context, Item profileItem) {
+        return orcidTokenDAO.findByProfileItem(context, profileItem);
+    }
+
+    @Override
+    public void delete(Context context, OrcidToken orcidToken) {
+        try {
+            orcidTokenDAO.delete(context, orcidToken);
+        } catch (SQLException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    @Override
+    public void deleteAll(Context context) {
+        try {
+
+            List<OrcidToken> tokens = orcidTokenDAO.findAll(context, OrcidToken.class);
+            for (OrcidToken token : tokens) {
+                delete(context, token);
+            }
+
+        } catch (SQLException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    @Override
+    public void deleteByEPerson(Context context, EPerson ePerson) {
+        OrcidToken orcidToken = findByEPerson(context, ePerson);
+        if (orcidToken != null) {
+            delete(context, orcidToken);
+        }
+    }
+
+}

dspace-api/src/main/java/org/dspace/app/profile/OrcidMetadataCopyingAction.java

@@ -17,6 +17,8 @@ import java.util.List;
 import java.util.stream.Collectors;
 
 import org.apache.commons.collections.CollectionUtils;
+import org.dspace.app.orcid.OrcidToken;
+import org.dspace.app.orcid.service.OrcidTokenService;
 import org.dspace.app.profile.service.AfterResearcherProfileCreationAction;
 import org.dspace.content.Item;
 import org.dspace.content.MetadataFieldName;
@@ -45,17 +47,23 @@ public class OrcidMetadataCopyingAction implements AfterResearcherProfileCreatio
     @Autowired
     private EPersonService ePersonService;
 
+    @Autowired
+    private OrcidTokenService orcidTokenService;
+
     @Override
     public void perform(Context context, ResearcherProfile researcherProfile, EPerson owner) throws SQLException {
 
         Item item = researcherProfile.getItem();
 
         copyMetadataValues(context, owner, "eperson.orcid", item, "person.identifier.orcid");
-        copyMetadataValues(context, owner, "eperson.orcid.access-token", item, "dspace.orcid.access-token");
-        copyMetadataValues(context, owner, "eperson.orcid.refresh-token", item, "dspace.orcid.refresh-token");
         copyMetadataValues(context, owner, "eperson.orcid.scope", item, "dspace.orcid.scope");
 
-        if (isLinkedToOrcid(owner)) {
+        OrcidToken orcidToken = orcidTokenService.findByEPerson(context, owner);
+        if (orcidToken != null) {
+            orcidToken.setProfileItem(item);
+        }
+
+        if (isLinkedToOrcid(owner, orcidToken)) {
             String currentDate = ISO_DATE_TIME.format(now());
             itemService.setMetadataSingleValue(context, item, "dspace", "orcid", "authenticated", null, currentDate);
         }
@@ -76,9 +84,8 @@ public class OrcidMetadataCopyingAction implements AfterResearcherProfileCreatio
 
     }
 
-    private boolean isLinkedToOrcid(EPerson ePerson) {
+    private boolean isLinkedToOrcid(EPerson ePerson, OrcidToken orcidToken) {
-        return isNotEmpty(getMetadataValues(ePerson, "eperson.orcid"))
+        return isNotEmpty(getMetadataValues(ePerson, "eperson.orcid")) && orcidToken != null;
-            && isNotEmpty(getMetadataValues(ePerson, "eperson.orcid.access-token"));
     }
 
     private List<String> getMetadataValues(EPerson ePerson, String metadataField) {

dspace-api/src/main/java/org/dspace/authenticate/OrcidAuthenticationBean.java

@@ -23,10 +23,12 @@ import javax.servlet.http.HttpServletResponse;
 
 import org.apache.commons.collections4.CollectionUtils;
 import org.apache.commons.lang3.StringUtils;
+import org.dspace.app.orcid.OrcidToken;
 import org.dspace.app.orcid.client.OrcidClient;
 import org.dspace.app.orcid.client.OrcidConfiguration;
 import org.dspace.app.orcid.model.OrcidTokenResponseDTO;
 import org.dspace.app.orcid.service.OrcidSynchronizationService;
+import org.dspace.app.orcid.service.OrcidTokenService;
 import org.dspace.app.profile.ResearcherProfile;
 import org.dspace.app.profile.service.ResearcherProfileService;
 import org.dspace.authorize.AuthorizeException;
@@ -73,6 +75,9 @@ public class OrcidAuthenticationBean implements AuthenticationMethod {
     @Autowired
     private OrcidSynchronizationService orcidSynchronizationService;
 
+    @Autowired
+    private OrcidTokenService orcidTokenService;
+
     @Override
     public int authenticate(Context context, String username, String password, String realm, HttpServletRequest request)
         throws SQLException {
@@ -243,17 +248,21 @@ public class OrcidAuthenticationBean implements AuthenticationMethod {
 
         String orcid = token.getOrcid();
         String accessToken = token.getAccessToken();
-        String refreshToken = token.getRefreshToken();
         String[] scopes = token.getScopeAsArray();
 
         ePersonService.setMetadataSingleValue(context, person, "eperson", "orcid", null, null, orcid);
-        ePersonService.setMetadataSingleValue(context, person, "eperson", "orcid", "access-token", null, accessToken);
-        ePersonService.setMetadataSingleValue(context, person, "eperson", "orcid", "refresh-token", null, refreshToken);
         ePersonService.clearMetadata(context, person, "eperson", "orcid", "scope", ANY);
         for (String scope : scopes) {
             ePersonService.addMetadata(context, person, "eperson", "orcid", "scope", null, scope);
         }
 
+        OrcidToken orcidToken = orcidTokenService.findByEPerson(context, person);
+        if (orcidToken == null) {
+            orcidTokenService.create(context, person, accessToken);
+        } else {
+            orcidToken.setAccessToken(accessToken);
+        }
+
     }
 
     private Person getPersonFromOrcid(OrcidTokenResponseDTO token) {

dspace-api/src/main/java/org/dspace/content/ItemServiceImpl.java

@@ -26,6 +26,8 @@ import java.util.stream.Stream;
 import org.apache.commons.collections4.CollectionUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.Logger;
+import org.dspace.app.orcid.OrcidToken;
+import org.dspace.app.orcid.service.OrcidTokenService;
 import org.dspace.app.util.AuthorizeUtil;
 import org.dspace.authorize.AuthorizeConfiguration;
 import org.dspace.authorize.AuthorizeException;
@@ -120,6 +122,9 @@ public class ItemServiceImpl extends DSpaceObjectServiceImpl<Item> implements It
     @Autowired(required = true)
     private RelationshipMetadataService relationshipMetadataService;
 
+    @Autowired
+    private OrcidTokenService orcidTokenService;
+
     protected ItemServiceImpl() {
         super();
     }
@@ -744,6 +749,11 @@ public class ItemServiceImpl extends DSpaceObjectServiceImpl<Item> implements It
             harvestedItemService.delete(context, hi);
         }
 
+        OrcidToken orcidToken = orcidTokenService.findByProfileItem(context, item);
+        if (orcidToken != null) {
+            orcidToken.setProfileItem(null);
+        }
+
         //Only clear collections after we have removed everything else from the item
         item.clearCollections();
         item.setOwningCollection(null);

dspace-api/src/main/java/org/dspace/eperson/EPersonServiceImpl.java

@@ -25,6 +25,7 @@ import org.apache.commons.codec.DecoderException;
 import org.apache.commons.collections4.CollectionUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.Logger;
+import org.dspace.app.orcid.service.OrcidTokenService;
 import org.dspace.authorize.AuthorizeException;
 import org.dspace.authorize.factory.AuthorizeServiceFactory;
 import org.dspace.authorize.service.AuthorizeService;
@@ -100,6 +101,8 @@ public class EPersonServiceImpl extends DSpaceObjectServiceImpl<EPerson> impleme
     protected VersionDAO versionDAO;
     @Autowired(required = true)
     protected ClaimedTaskService claimedTaskService;
+    @Autowired
+    protected OrcidTokenService orcidTokenService;
 
     protected EPersonServiceImpl() {
         super();
@@ -383,6 +386,8 @@ public class EPersonServiceImpl extends DSpaceObjectServiceImpl<EPerson> impleme
             group.getMembers().remove(ePerson);
         }
 
+        orcidTokenService.deleteByEPerson(context, ePerson);
+
         // Remove any subscriptions
         subscribeService.deleteByEPerson(context, ePerson);
 

dspace-api/src/main/resources/org/dspace/storage/rdbms/sqlmigration/h2/V7.3_2022.05.16__Orcid_token_table.sql

@@ -0,0 +1,24 @@
+--
+-- The contents of this file are subject to the license and copyright
+-- detailed in the LICENSE and NOTICE files at the root of the source
+-- tree and available online at
+--
+-- http://www.dspace.org/license/
+--
+
+-----------------------------------------------------------------------------------
+-- Create table for ORCID access tokens
+-----------------------------------------------------------------------------------
+
+CREATE SEQUENCE orcid_token_id_seq;
+
+CREATE TABLE orcid_token
+(
+    id INTEGER NOT NULL,
+    eperson_id UUID NOT NULL UNIQUE,
+    profile_item_id UUID,
+    access_token VARCHAR(100) NOT NULL,
+    CONSTRAINT orcid_token_pkey PRIMARY KEY (id),
+    CONSTRAINT orcid_token_eperson_id_fkey FOREIGN KEY (eperson_id) REFERENCES eperson (uuid),
+    CONSTRAINT orcid_token_profile_item_id_fkey FOREIGN KEY (profile_item_id) REFERENCES item (uuid)
+);

dspace-api/src/main/resources/org/dspace/storage/rdbms/sqlmigration/oracle/V7.3_2022.05.16__Orcid_token_table.sql

@@ -0,0 +1,24 @@
+--
+-- The contents of this file are subject to the license and copyright
+-- detailed in the LICENSE and NOTICE files at the root of the source
+-- tree and available online at
+--
+-- http://www.dspace.org/license/
+--
+
+-----------------------------------------------------------------------------------
+-- Create table for ORCID access tokens
+-----------------------------------------------------------------------------------
+
+CREATE SEQUENCE orcid_token_id_seq;
+
+CREATE TABLE orcid_token
+(
+    id INTEGER NOT NULL,
+    eperson_id RAW(16) NOT NULL UNIQUE,
+    profile_item_id RAW(16),
+    access_token VARCHAR2(100) NOT NULL,
+    CONSTRAINT orcid_token_pkey PRIMARY KEY (id),
+    CONSTRAINT orcid_token_eperson_id_fkey FOREIGN KEY (eperson_id) REFERENCES eperson (uuid),
+    CONSTRAINT orcid_token_profile_item_id_fkey FOREIGN KEY (profile_item_id) REFERENCES item (uuid)
+);

dspace-api/src/main/resources/org/dspace/storage/rdbms/sqlmigration/postgres/V7.3_2022.05.16__Orcid_token_table.sql

@@ -0,0 +1,24 @@
+--
+-- The contents of this file are subject to the license and copyright
+-- detailed in the LICENSE and NOTICE files at the root of the source
+-- tree and available online at
+--
+-- http://www.dspace.org/license/
+--
+
+-----------------------------------------------------------------------------------
+-- Create table for ORCID access tokens
+-----------------------------------------------------------------------------------
+
+CREATE SEQUENCE orcid_token_id_seq;
+
+CREATE TABLE orcid_token
+(
+    id INTEGER NOT NULL,
+    eperson_id uuid NOT NULL UNIQUE,
+    profile_item_id uuid,
+    access_token VARCHAR(100) NOT NULL,
+    CONSTRAINT orcid_token_pkey PRIMARY KEY (id),
+    CONSTRAINT orcid_token_eperson_id_fkey FOREIGN KEY (eperson_id) REFERENCES eperson (uuid),
+    CONSTRAINT orcid_token_profile_item_id_fkey FOREIGN KEY (profile_item_id) REFERENCES item (uuid)
+);

dspace-api/src/test/java/org/dspace/builder/AbstractBuilder.java

@@ -13,6 +13,7 @@ import java.util.List;
 import org.apache.commons.collections4.CollectionUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.dspace.app.orcid.service.OrcidTokenService;
 import org.dspace.app.requestitem.factory.RequestItemServiceFactory;
 import org.dspace.app.requestitem.service.RequestItemService;
 import org.dspace.authorize.AuthorizeException;
@@ -45,6 +46,7 @@ import org.dspace.eperson.service.RegistrationDataService;
 import org.dspace.scripts.factory.ScriptServiceFactory;
 import org.dspace.scripts.service.ProcessService;
 import org.dspace.services.factory.DSpaceServicesFactory;
+import org.dspace.utils.DSpace;
 import org.dspace.versioning.factory.VersionServiceFactory;
 import org.dspace.versioning.service.VersionHistoryService;
 import org.dspace.versioning.service.VersioningService;
@@ -95,6 +97,7 @@ public abstract class AbstractBuilder<T, S> {
     static ProcessService processService;
     static RequestItemService requestItemService;
     static VersioningService versioningService;
+    static OrcidTokenService orcidTokenService;
 
     protected Context context;
 
@@ -151,6 +154,7 @@ public abstract class AbstractBuilder<T, S> {
         inProgressUserService = XmlWorkflowServiceFactory.getInstance().getInProgressUserService();
         poolTaskService = XmlWorkflowServiceFactory.getInstance().getPoolTaskService();
         workflowItemRoleService = XmlWorkflowServiceFactory.getInstance().getWorkflowItemRoleService();
+        orcidTokenService = new DSpace().getSingletonService(OrcidTokenService.class);
     }
 
 
@@ -183,6 +187,7 @@ public abstract class AbstractBuilder<T, S> {
         processService = null;
         requestItemService = null;
         versioningService = null;
+        orcidTokenService = null;
 
     }
 

dspace-api/src/test/java/org/dspace/builder/EPersonBuilder.java

@@ -134,16 +134,6 @@ public class EPersonBuilder extends AbstractDSpaceObjectBuilder<EPerson> {
         return this;
     }
 
-    public EPersonBuilder withOrcidAccessToken(final String accessToken) {
-        setMetadataSingleValue(ePerson, "eperson", "orcid", "access-token", accessToken);
-        return this;
-    }
-
-    public EPersonBuilder withOrcidRefreshToken(final String refreshToken) {
-        setMetadataSingleValue(ePerson, "eperson", "orcid", "refresh-token", refreshToken);
-        return this;
-    }
-
     public EPersonBuilder withOrcidScope(final String scope) {
         addMetadataValue(ePerson, "eperson", "orcid", "scope", scope);
         return this;

dspace-api/src/test/java/org/dspace/builder/OrcidTokenBuilder.java

@@ -0,0 +1,76 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.builder;
+
+import java.sql.SQLException;
+
+import org.dspace.app.orcid.OrcidToken;
+import org.dspace.app.orcid.service.OrcidTokenService;
+import org.dspace.authorize.AuthorizeException;
+import org.dspace.content.Item;
+import org.dspace.core.Context;
+import org.dspace.eperson.EPerson;
+
+/**
+ * Builder for {@link OrcidToken} entities.
+ *
+ * @author Luca Giamminonni (luca.giamminonni at 4science.it)
+ *
+ */
+public class OrcidTokenBuilder extends AbstractBuilder<OrcidToken, OrcidTokenService> {
+
+    private OrcidToken orcidToken;
+
+    protected OrcidTokenBuilder(Context context) {
+        super(context);
+    }
+
+    public static OrcidTokenBuilder create(Context context, EPerson ePerson, String accessToken) {
+        OrcidTokenBuilder builder = new OrcidTokenBuilder(context);
+        builder.create(ePerson, accessToken);
+        return builder;
+    }
+
+    private void create(EPerson ePerson, String accessToken) {
+        orcidTokenService.create(context, ePerson, accessToken);
+    }
+
+    public OrcidTokenBuilder withProfileItem(Item profileItem) {
+        orcidToken.setProfileItem(profileItem);
+        return this;
+    }
+
+    @Override
+    public OrcidToken build() throws SQLException, AuthorizeException {
+        return orcidToken;
+    }
+
+    @Override
+    public void delete(Context c, OrcidToken orcidToken) throws Exception {
+        orcidTokenService.delete(c, orcidToken);
+    }
+
+    @Override
+    public void cleanup() throws Exception {
+        try (Context context = new Context()) {
+            context.setDispatcher("noindex");
+            context.turnOffAuthorisationSystem();
+            orcidToken = context.reloadEntity(orcidToken);
+            if (orcidToken != null) {
+                delete(context, orcidToken);
+                context.complete();
+            }
+        }
+    }
+
+    @Override
+    protected OrcidTokenService getService() {
+        return orcidTokenService;
+    }
+
+}

dspace-api/src/test/java/org/dspace/builder/util/AbstractBuilderCleanupUtil.java

@@ -25,6 +25,7 @@ import org.dspace.builder.GroupBuilder;
 import org.dspace.builder.ItemBuilder;
 import org.dspace.builder.MetadataFieldBuilder;
 import org.dspace.builder.MetadataSchemaBuilder;
+import org.dspace.builder.OrcidTokenBuilder;
 import org.dspace.builder.PoolTaskBuilder;
 import org.dspace.builder.ProcessBuilder;
 import org.dspace.builder.RelationshipBuilder;
@@ -56,6 +57,7 @@ public class AbstractBuilderCleanupUtil {
     }
 
     private void initMap() {
+        map.put(OrcidTokenBuilder.class.getName(), new ArrayList<>());
         map.put(ResourcePolicyBuilder.class.getName(), new ArrayList<>());
         map.put(RelationshipBuilder.class.getName(), new ArrayList<>());
         map.put(RequestItemBuilder.class.getName(), new ArrayList<>());

dspace-server-webapp/src/main/java/org/dspace/app/rest/converter/ResearcherProfileConverter.java

@@ -22,6 +22,8 @@ import org.dspace.app.rest.model.ResearcherProfileRest;
 import org.dspace.app.rest.model.ResearcherProfileRest.OrcidSynchronizationRest;
 import org.dspace.app.rest.projection.Projection;
 import org.dspace.content.Item;
+import org.dspace.core.Context;
+import org.dspace.web.ContextUtil;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 
@@ -48,7 +50,9 @@ public class ResearcherProfileConverter implements DSpaceConverter<ResearcherPro
 
         Item item = profile.getItem();
 
-        if (orcidSynchronizationService.isLinkedToOrcid(item)) {
+        Context context = ContextUtil.obtainCurrentRequestContext();
+
+        if (orcidSynchronizationService.isLinkedToOrcid(context, item)) {
             profile.getOrcid().ifPresent(researcherProfileRest::setOrcid);
 
             OrcidSynchronizationRest orcidSynchronization = new OrcidSynchronizationRest();

dspace-server-webapp/src/test/java/org/dspace/app/rest/OrcidLoginFilterIT.java

@@ -36,9 +36,11 @@ import javax.servlet.http.Cookie;
 import com.jayway.jsonpath.JsonPath;
 import com.nimbusds.jose.JOSEException;
 import com.nimbusds.jwt.SignedJWT;
+import org.dspace.app.orcid.OrcidToken;
 import org.dspace.app.orcid.client.OrcidClient;
 import org.dspace.app.orcid.exception.OrcidClientException;
 import org.dspace.app.orcid.model.OrcidTokenResponseDTO;
+import org.dspace.app.orcid.service.OrcidTokenService;
 import org.dspace.app.rest.model.AuthnRest;
 import org.dspace.app.rest.security.OrcidLoginFilter;
 import org.dspace.app.rest.security.jwt.EPersonClaimProvider;
@@ -81,7 +83,6 @@ public class OrcidLoginFilterIT extends AbstractControllerIntegrationTest {
     private final static String CODE = "123456";
 
     private final static String ACCESS_TOKEN = "c41e37e5-c2de-4177-91d6-ed9e9d1f31bf";
-    private final static String REFRESH_TOKEN = "0062a9eb-d4ec-4d94-9491-95dd75376d3e";
     private final static String[] ORCID_SCOPES = { "FirstScope", "SecondScope" };
 
     private OrcidClient originalOrcidClient;
@@ -102,6 +103,9 @@ public class OrcidLoginFilterIT extends AbstractControllerIntegrationTest {
     @Autowired
     private ItemService itemService;
 
+    @Autowired
+    private OrcidTokenService orcidTokenService;
+
     @Before
     public void setup() {
         originalOrcidClient = orcidAuthentication.getOrcidClient();
@@ -120,6 +124,7 @@ public class OrcidLoginFilterIT extends AbstractControllerIntegrationTest {
             ePersonService.delete(context, createdEperson);
             context.restoreAuthSystemState();
         }
+        orcidTokenService.deleteAll(context);
     }
 
     @Test
@@ -157,10 +162,10 @@ public class OrcidLoginFilterIT extends AbstractControllerIntegrationTest {
         assertThat(createdEperson.getNetid(), equalTo(ORCID));
         assertThat(createdEperson.canLogIn(), equalTo(true));
         assertThat(createdEperson.getMetadata(), hasItem(with("eperson.orcid", ORCID)));
-        assertThat(createdEperson.getMetadata(), hasItem(with("eperson.orcid.access-token", ACCESS_TOKEN)));
-        assertThat(createdEperson.getMetadata(), hasItem(with("eperson.orcid.refresh-token", REFRESH_TOKEN)));
         assertThat(createdEperson.getMetadata(), hasItem(with("eperson.orcid.scope", ORCID_SCOPES[0], 0)));
         assertThat(createdEperson.getMetadata(), hasItem(with("eperson.orcid.scope", ORCID_SCOPES[1], 1)));
+
+        assertThat(getOrcidAccessToken(createdEperson), is(ACCESS_TOKEN));
     }
 
     @Test
@@ -441,11 +446,11 @@ public class OrcidLoginFilterIT extends AbstractControllerIntegrationTest {
         Item profileItem = itemService.find(context, UUID.fromString(profileItemId));
         assertThat(profileItem, notNullValue());
         assertThat(profileItem.getMetadata(), hasItem(with("person.identifier.orcid", ORCID)));
-        assertThat(profileItem.getMetadata(), hasItem(with("dspace.orcid.access-token", ACCESS_TOKEN)));
-        assertThat(profileItem.getMetadata(), hasItem(with("dspace.orcid.refresh-token", REFRESH_TOKEN)));
         assertThat(profileItem.getMetadata(), hasItem(with("dspace.orcid.scope", ORCID_SCOPES[0], 0)));
         assertThat(profileItem.getMetadata(), hasItem(with("dspace.orcid.scope", ORCID_SCOPES[1], 1)));
 
+        assertThat(getOrcidAccessToken(profileItem), is(ACCESS_TOKEN));
+
     }
 
     @Test
@@ -512,7 +517,6 @@ public class OrcidLoginFilterIT extends AbstractControllerIntegrationTest {
         token.setAccessToken(accessToken);
         token.setOrcid(orcid);
         token.setTokenType("Bearer");
-        token.setRefreshToken(REFRESH_TOKEN);
         token.setName("Test User");
         token.setScope(String.join(" ", ORCID_SCOPES));
         return token;
@@ -558,4 +562,14 @@ public class OrcidLoginFilterIT extends AbstractControllerIntegrationTest {
 
         return JsonPath.read(result.getResponse().getContentAsString(), "$.id");
     }
+
+    private String getOrcidAccessToken(EPerson ePerson) {
+        OrcidToken orcidToken = orcidTokenService.findByEPerson(context, ePerson);
+        return orcidToken != null ? orcidToken.getAccessToken() : null;
+    }
+
+    private String getOrcidAccessToken(Item item) {
+        OrcidToken orcidToken = orcidTokenService.findByProfileItem(context, item);
+        return orcidToken != null ? orcidToken.getAccessToken() : null;
+    }
 }

dspace-server-webapp/src/test/java/org/dspace/app/rest/OrcidRestControllerIT.java

@@ -22,8 +22,10 @@ import static org.springframework.test.web.servlet.request.MockMvcRequestBuilder
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
+import org.dspace.app.orcid.OrcidToken;
 import org.dspace.app.orcid.client.OrcidClient;
 import org.dspace.app.orcid.model.OrcidTokenResponseDTO;
+import org.dspace.app.orcid.service.OrcidTokenService;
 import org.dspace.app.rest.model.RestModel;
 import org.dspace.app.rest.test.AbstractControllerIntegrationTest;
 import org.dspace.builder.CollectionBuilder;
@@ -51,7 +53,6 @@ public class OrcidRestControllerIT extends AbstractControllerIntegrationTest {
     private final static String CODE = "123456";
 
     private final static String ACCESS_TOKEN = "c41e37e5-c2de-4177-91d6-ed9e9d1f31bf";
-    private final static String REFRESH_TOKEN = "0062a9eb-d4ec-4d94-9491-95dd75376d3e";
     private final static String[] ORCID_SCOPES = { "FirstScope", "SecondScope" };
     @Autowired
     private OrcidClient orcidClient;
@@ -64,6 +65,9 @@ public class OrcidRestControllerIT extends AbstractControllerIntegrationTest {
     @Autowired
     private ConfigurationService configurationService;
 
+    @Autowired
+    private OrcidTokenService orcidTokenService;
+
     private Collection profileCollection;
 
     private EPerson user;
@@ -95,6 +99,7 @@ public class OrcidRestControllerIT extends AbstractControllerIntegrationTest {
     @After
     public void after() throws Exception {
         orcidRestController.setOrcidClient(orcidClient);
+        orcidTokenService.deleteAll(context);
     }
 
     @Test
@@ -123,11 +128,11 @@ public class OrcidRestControllerIT extends AbstractControllerIntegrationTest {
         profileItem = context.reloadEntity(profileItem);
         assertThat(profileItem, notNullValue());
         assertThat(profileItem.getMetadata(), hasItem(with("person.identifier.orcid", ORCID)));
-        assertThat(profileItem.getMetadata(), hasItem(with("dspace.orcid.access-token", ACCESS_TOKEN)));
-        assertThat(profileItem.getMetadata(), hasItem(with("dspace.orcid.refresh-token", REFRESH_TOKEN)));
         assertThat(profileItem.getMetadata(), hasItem(with("dspace.orcid.scope", ORCID_SCOPES[0], 0)));
         assertThat(profileItem.getMetadata(), hasItem(with("dspace.orcid.scope", ORCID_SCOPES[1], 1)));
 
+        assertThat(getOrcidAccessToken(profileItem), is(ACCESS_TOKEN));
+
         user = context.reloadEntity(user);
         assertThat(user.getNetid(), is(ORCID));
     }
@@ -165,11 +170,11 @@ public class OrcidRestControllerIT extends AbstractControllerIntegrationTest {
         profileItem = context.reloadEntity(profileItem);
         assertThat(profileItem, notNullValue());
         assertThat(profileItem.getMetadata(), hasItem(with("person.identifier.orcid", ORCID)));
-        assertThat(profileItem.getMetadata(), hasItem(with("dspace.orcid.access-token", ACCESS_TOKEN)));
-        assertThat(profileItem.getMetadata(), hasItem(with("dspace.orcid.refresh-token", REFRESH_TOKEN)));
         assertThat(profileItem.getMetadata(), hasItem(with("dspace.orcid.scope", ORCID_SCOPES[0], 0)));
         assertThat(profileItem.getMetadata(), hasItem(with("dspace.orcid.scope", ORCID_SCOPES[1], 1)));
 
+        assertThat(getOrcidAccessToken(profileItem), is(ACCESS_TOKEN));
+
         user = context.reloadEntity(user);
         assertThat(user.getNetid(), nullValue());
     }
@@ -255,9 +260,13 @@ public class OrcidRestControllerIT extends AbstractControllerIntegrationTest {
         token.setAccessToken(accessToken);
         token.setOrcid(orcid);
         token.setTokenType("Bearer");
-        token.setRefreshToken(REFRESH_TOKEN);
         token.setName("Test User");
         token.setScope(String.join(" ", ORCID_SCOPES));
         return token;
     }
+
+    private String getOrcidAccessToken(Item item) {
+        OrcidToken orcidToken = orcidTokenService.findByProfileItem(context, item);
+        return orcidToken != null ? orcidToken.getAccessToken() : null;
+    }
 }

dspace-server-webapp/src/test/java/org/dspace/app/rest/ResearcherProfileRestRepositoryIT.java

@@ -24,6 +24,7 @@ import static org.hamcrest.Matchers.hasItem;
 import static org.hamcrest.Matchers.is;
 import static org.hamcrest.Matchers.not;
 import static org.hamcrest.Matchers.notNullValue;
+import static org.hamcrest.Matchers.nullValue;
 import static org.junit.Assert.assertEquals;
 import static org.springframework.data.rest.webmvc.RestMediaTypes.TEXT_URI_LIST;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete;
@@ -40,6 +41,8 @@ import java.util.UUID;
 import java.util.concurrent.atomic.AtomicReference;
 
 import com.jayway.jsonpath.JsonPath;
+import org.dspace.app.orcid.OrcidToken;
+import org.dspace.app.orcid.service.OrcidTokenService;
 import org.dspace.app.rest.model.MetadataValueRest;
 import org.dspace.app.rest.model.patch.AddOperation;
 import org.dspace.app.rest.model.patch.Operation;
@@ -51,6 +54,7 @@ import org.dspace.builder.CollectionBuilder;
 import org.dspace.builder.CommunityBuilder;
 import org.dspace.builder.EPersonBuilder;
 import org.dspace.builder.ItemBuilder;
+import org.dspace.builder.OrcidTokenBuilder;
 import org.dspace.content.Collection;
 import org.dspace.content.Item;
 import org.dspace.content.MetadataValue;
@@ -58,6 +62,7 @@ import org.dspace.content.service.ItemService;
 import org.dspace.eperson.EPerson;
 import org.dspace.services.ConfigurationService;
 import org.dspace.util.UUIDUtils;
+import org.junit.After;
 import org.junit.Test;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.MediaType;
@@ -77,6 +82,9 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
     @Autowired
     private ItemService itemService;
 
+    @Autowired
+    private OrcidTokenService orcidTokenService;
+
     private EPerson user;
 
     private EPerson anotherUser;
@@ -121,6 +129,11 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
 
     }
 
+    @After
+    public void after() {
+        orcidTokenService.deleteAll(context);
+    }
+
     /**
      * Verify that the findById endpoint returns the own profile.
      *
@@ -1160,12 +1173,12 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
                                         .withEmail("test@email.it")
                                         .withPassword(password)
                                         .withNameInMetadata("Test", "User")
-                                        .withOrcidAccessToken("af097328-ac1c-4a3e-9eb4-069897874910")
-                                        .withOrcidRefreshToken("32aadae0-829e-49c5-824f-ccaf4d1913e4")
                                         .withOrcidScope("/first-scope")
                                         .withOrcidScope("/second-scope")
                                         .build();
 
+        OrcidTokenBuilder.create(context, ePerson, "af097328-ac1c-4a3e-9eb4-069897874910").build();
+
         context.restoreAuthSystemState();
 
         String ePersonId = ePerson.getID().toString();
@@ -1193,11 +1206,11 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
 
         List<MetadataValue> metadata = profileItem.getMetadata();
         assertThat(metadata, hasItem(with("person.identifier.orcid", "0000-1111-2222-3333")));
-        assertThat(metadata, hasItem(with("dspace.orcid.access-token", "af097328-ac1c-4a3e-9eb4-069897874910")));
-        assertThat(metadata, hasItem(with("dspace.orcid.refresh-token", "32aadae0-829e-49c5-824f-ccaf4d1913e4")));
         assertThat(metadata, hasItem(with("dspace.orcid.scope", "/first-scope", 0)));
         assertThat(metadata, hasItem(with("dspace.orcid.scope", "/second-scope", 1)));
 
+        assertThat(getOrcidAccessToken(profileItem), is("af097328-ac1c-4a3e-9eb4-069897874910"));
+
     }
 
     @Test
@@ -1211,12 +1224,12 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
                                         .withEmail("test@email.it")
                                         .withPassword(password)
                                         .withNameInMetadata("Test", "User")
-                                        .withOrcidAccessToken("af097328-ac1c-4a3e-9eb4-069897874910")
-                                        .withOrcidRefreshToken("32aadae0-829e-49c5-824f-ccaf4d1913e4")
                                         .withOrcidScope("/first-scope")
                                         .withOrcidScope("/second-scope")
                                         .build();
 
+        OrcidTokenBuilder.create(context, ePerson, "af097328-ac1c-4a3e-9eb4-069897874910").build();
+
         context.restoreAuthSystemState();
 
         String ePersonId = ePerson.getID().toString();
@@ -1258,12 +1271,12 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
                                         .withEmail("test@email.it")
                                         .withPassword(password)
                                         .withNameInMetadata("Test", "User")
-                                        .withOrcidAccessToken("af097328-ac1c-4a3e-9eb4-069897874910")
-                                        .withOrcidRefreshToken("32aadae0-829e-49c5-824f-ccaf4d1913e4")
                                         .withOrcidScope("/first-scope")
                                         .withOrcidScope("/second-scope")
                                         .build();
 
+        OrcidTokenBuilder.create(context, ePerson, "af097328-ac1c-4a3e-9eb4-069897874910").build();
+
         context.restoreAuthSystemState();
 
         String ePersonId = ePerson.getID().toString();
@@ -1305,12 +1318,12 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
                                         .withEmail("test@email.it")
                                         .withPassword(password)
                                         .withNameInMetadata("Test", "User")
-                                        .withOrcidAccessToken("af097328-ac1c-4a3e-9eb4-069897874910")
-                                        .withOrcidRefreshToken("32aadae0-829e-49c5-824f-ccaf4d1913e4")
                                         .withOrcidScope("/first-scope")
                                         .withOrcidScope("/second-scope")
                                         .build();
 
+        OrcidTokenBuilder.create(context, ePerson, "af097328-ac1c-4a3e-9eb4-069897874910").build();
+
         context.restoreAuthSystemState();
 
         String ePersonId = ePerson.getID().toString();
@@ -1354,12 +1367,12 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
                                         .withEmail("test@email.it")
                                         .withPassword(password)
                                         .withNameInMetadata("Test", "User")
-                                        .withOrcidAccessToken("af097328-ac1c-4a3e-9eb4-069897874910")
-                                        .withOrcidRefreshToken("32aadae0-829e-49c5-824f-ccaf4d1913e4")
                                         .withOrcidScope("/first-scope")
                                         .withOrcidScope("/second-scope")
                                         .build();
 
+        OrcidTokenBuilder.create(context, ePerson, "af097328-ac1c-4a3e-9eb4-069897874910").build();
+
         context.restoreAuthSystemState();
 
         String ePersonId = ePerson.getID().toString();
@@ -1412,12 +1425,12 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
                                         .withEmail("test@email.it")
                                         .withPassword(password)
                                         .withNameInMetadata("Test", "User")
-                                        .withOrcidAccessToken("af097328-ac1c-4a3e-9eb4-069897874910")
-                                        .withOrcidRefreshToken("32aadae0-829e-49c5-824f-ccaf4d1913e4")
                                         .withOrcidScope("/first-scope")
                                         .withOrcidScope("/second-scope")
                                         .build();
 
+        OrcidTokenBuilder.create(context, ePerson, "af097328-ac1c-4a3e-9eb4-069897874910").build();
+
         context.restoreAuthSystemState();
 
         String ePersonId = ePerson.getID().toString();
@@ -1475,8 +1488,6 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
         EPerson ePerson = EPersonBuilder.createEPerson(context)
                                         .withCanLogin(true)
                                         .withOrcid("0000-1111-2222-3333")
-                                        .withOrcidAccessToken("3de2e370-8aa9-4bbe-8d7e-f5b1577bdad4")
-                                        .withOrcidRefreshToken("6b29a03d-f494-4690-889f-2c0ddf26b82d")
                                         .withOrcidScope("/read")
                                         .withOrcidScope("/write")
                                         .withEmail("test@email.it")
@@ -1484,8 +1495,15 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
                                         .withNameInMetadata("Test", "User")
                                         .build();
 
+        OrcidTokenBuilder.create(context, ePerson, "3de2e370-8aa9-4bbe-8d7e-f5b1577bdad4").build();
+
         Item profile = createProfile(ePerson);
 
+        assertThat(getMetadataValues(profile, "person.identifier.orcid"), not(empty()));
+        assertThat(getMetadataValues(profile, "dspace.orcid.scope"), not(empty()));
+        assertThat(getMetadataValues(profile, "dspace.orcid.authenticated"), not(empty()));
+        assertThat(getOrcidAccessToken(profile), is("3de2e370-8aa9-4bbe-8d7e-f5b1577bdad4"));
+
         context.restoreAuthSystemState();
 
         getClient(getAuthToken(ePerson.getEmail(), password))
@@ -1497,10 +1515,9 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
         profile = context.reloadEntity(profile);
 
         assertThat(getMetadataValues(profile, "person.identifier.orcid"), not(empty()));
-        assertThat(getMetadataValues(profile, "dspace.orcid.access-token"), not(empty()));
-        assertThat(getMetadataValues(profile, "dspace.orcid.refresh-token"), not(empty()));
         assertThat(getMetadataValues(profile, "dspace.orcid.scope"), not(empty()));
         assertThat(getMetadataValues(profile, "dspace.orcid.authenticated"), not(empty()));
+        assertThat(getOrcidAccessToken(profile), is("3de2e370-8aa9-4bbe-8d7e-f5b1577bdad4"));
     }
 
     @Test
@@ -1513,8 +1530,6 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
         EPerson ePerson = EPersonBuilder.createEPerson(context)
                                         .withCanLogin(true)
                                         .withOrcid("0000-1111-2222-3333")
-                                        .withOrcidAccessToken("3de2e370-8aa9-4bbe-8d7e-f5b1577bdad4")
-                                        .withOrcidRefreshToken("6b29a03d-f494-4690-889f-2c0ddf26b82d")
                                         .withOrcidScope("/read")
                                         .withOrcidScope("/write")
                                         .withEmail("test@email.it")
@@ -1522,8 +1537,15 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
                                         .withNameInMetadata("Test", "User")
                                         .build();
 
+        OrcidTokenBuilder.create(context, ePerson, "3de2e370-8aa9-4bbe-8d7e-f5b1577bdad4").build();
+
         Item profile = createProfile(ePerson);
 
+        assertThat(getMetadataValues(profile, "person.identifier.orcid"), not(empty()));
+        assertThat(getMetadataValues(profile, "dspace.orcid.scope"), not(empty()));
+        assertThat(getMetadataValues(profile, "dspace.orcid.authenticated"), not(empty()));
+        assertThat(getOrcidAccessToken(profile), is("3de2e370-8aa9-4bbe-8d7e-f5b1577bdad4"));
+
         context.restoreAuthSystemState();
 
         getClient(getAuthToken(admin.getEmail(), password))
@@ -1535,10 +1557,9 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
         profile = context.reloadEntity(profile);
 
         assertThat(getMetadataValues(profile, "person.identifier.orcid"), not(empty()));
-        assertThat(getMetadataValues(profile, "dspace.orcid.access-token"), not(empty()));
-        assertThat(getMetadataValues(profile, "dspace.orcid.refresh-token"), not(empty()));
         assertThat(getMetadataValues(profile, "dspace.orcid.scope"), not(empty()));
         assertThat(getMetadataValues(profile, "dspace.orcid.authenticated"), not(empty()));
+        assertThat(getOrcidAccessToken(profile), is("3de2e370-8aa9-4bbe-8d7e-f5b1577bdad4"));
     }
 
     @Test
@@ -1551,8 +1572,6 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
         EPerson ePerson = EPersonBuilder.createEPerson(context)
                                         .withCanLogin(true)
                                         .withOrcid("0000-1111-2222-3333")
-                                        .withOrcidAccessToken("3de2e370-8aa9-4bbe-8d7e-f5b1577bdad4")
-                                        .withOrcidRefreshToken("6b29a03d-f494-4690-889f-2c0ddf26b82d")
                                         .withOrcidScope("/read")
                                         .withOrcidScope("/write")
                                         .withEmail("test@email.it")
@@ -1560,6 +1579,8 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
                                         .withNameInMetadata("Test", "User")
                                         .build();
 
+        OrcidTokenBuilder.create(context, ePerson, "3de2e370-8aa9-4bbe-8d7e-f5b1577bdad4").build();
+
         EPerson anotherUser = EPersonBuilder.createEPerson(context)
                                             .withCanLogin(true)
                                             .withEmail("user@email.it")
@@ -1569,6 +1590,11 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
 
         Item profile = createProfile(ePerson);
 
+        assertThat(getMetadataValues(profile, "person.identifier.orcid"), not(empty()));
+        assertThat(getMetadataValues(profile, "dspace.orcid.scope"), not(empty()));
+        assertThat(getMetadataValues(profile, "dspace.orcid.authenticated"), not(empty()));
+        assertThat(getOrcidAccessToken(profile), is("3de2e370-8aa9-4bbe-8d7e-f5b1577bdad4"));
+
         context.restoreAuthSystemState();
 
         getClient(getAuthToken(anotherUser.getEmail(), password))
@@ -1580,10 +1606,9 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
         profile = context.reloadEntity(profile);
 
         assertThat(getMetadataValues(profile, "person.identifier.orcid"), not(empty()));
-        assertThat(getMetadataValues(profile, "dspace.orcid.access-token"), not(empty()));
-        assertThat(getMetadataValues(profile, "dspace.orcid.refresh-token"), not(empty()));
         assertThat(getMetadataValues(profile, "dspace.orcid.scope"), not(empty()));
         assertThat(getMetadataValues(profile, "dspace.orcid.authenticated"), not(empty()));
+        assertThat(getOrcidAccessToken(profile), is("3de2e370-8aa9-4bbe-8d7e-f5b1577bdad4"));
     }
 
     @Test
@@ -1596,8 +1621,6 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
         EPerson ePerson = EPersonBuilder.createEPerson(context)
                                         .withCanLogin(true)
                                         .withOrcid("0000-1111-2222-3333")
-                                        .withOrcidAccessToken("3de2e370-8aa9-4bbe-8d7e-f5b1577bdad4")
-                                        .withOrcidRefreshToken("6b29a03d-f494-4690-889f-2c0ddf26b82d")
                                         .withOrcidScope("/read")
                                         .withOrcidScope("/write")
                                         .withEmail("test@email.it")
@@ -1605,8 +1628,15 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
                                         .withNameInMetadata("Test", "User")
                                         .build();
 
+        OrcidTokenBuilder.create(context, ePerson, "3de2e370-8aa9-4bbe-8d7e-f5b1577bdad4").build();
+
         Item profile = createProfile(ePerson);
 
+        assertThat(getMetadataValues(profile, "person.identifier.orcid"), not(empty()));
+        assertThat(getMetadataValues(profile, "dspace.orcid.scope"), not(empty()));
+        assertThat(getMetadataValues(profile, "dspace.orcid.authenticated"), not(empty()));
+        assertThat(getOrcidAccessToken(profile), is("3de2e370-8aa9-4bbe-8d7e-f5b1577bdad4"));
+
         context.restoreAuthSystemState();
 
         getClient(getAuthToken(ePerson.getEmail(), password))
@@ -1623,10 +1653,9 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
         profile = context.reloadEntity(profile);
 
         assertThat(getMetadataValues(profile, "person.identifier.orcid"), empty());
-        assertThat(getMetadataValues(profile, "dspace.orcid.access-token"), empty());
-        assertThat(getMetadataValues(profile, "dspace.orcid.refresh-token"), empty());
         assertThat(getMetadataValues(profile, "dspace.orcid.scope"), empty());
         assertThat(getMetadataValues(profile, "dspace.orcid.authenticated"), empty());
+        assertThat(getOrcidAccessToken(profile), nullValue());
     }
 
     @Test
@@ -1639,8 +1668,6 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
         EPerson ePerson = EPersonBuilder.createEPerson(context)
                                         .withCanLogin(true)
                                         .withOrcid("0000-1111-2222-3333")
-                                        .withOrcidAccessToken("3de2e370-8aa9-4bbe-8d7e-f5b1577bdad4")
-                                        .withOrcidRefreshToken("6b29a03d-f494-4690-889f-2c0ddf26b82d")
                                         .withOrcidScope("/read")
                                         .withOrcidScope("/write")
                                         .withEmail("test@email.it")
@@ -1648,8 +1675,15 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
                                         .withNameInMetadata("Test", "User")
                                         .build();
 
+        OrcidTokenBuilder.create(context, ePerson, "3de2e370-8aa9-4bbe-8d7e-f5b1577bdad4").build();
+
         Item profile = createProfile(ePerson);
 
+        assertThat(getMetadataValues(profile, "person.identifier.orcid"), not(empty()));
+        assertThat(getMetadataValues(profile, "dspace.orcid.scope"), not(empty()));
+        assertThat(getMetadataValues(profile, "dspace.orcid.authenticated"), not(empty()));
+        assertThat(getOrcidAccessToken(profile), is("3de2e370-8aa9-4bbe-8d7e-f5b1577bdad4"));
+
         context.restoreAuthSystemState();
 
         getClient(getAuthToken(admin.getEmail(), password))
@@ -1661,10 +1695,9 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
         profile = context.reloadEntity(profile);
 
         assertThat(getMetadataValues(profile, "person.identifier.orcid"), not(empty()));
-        assertThat(getMetadataValues(profile, "dspace.orcid.access-token"), not(empty()));
-        assertThat(getMetadataValues(profile, "dspace.orcid.refresh-token"), not(empty()));
         assertThat(getMetadataValues(profile, "dspace.orcid.scope"), not(empty()));
         assertThat(getMetadataValues(profile, "dspace.orcid.authenticated"), not(empty()));
+        assertThat(getOrcidAccessToken(profile), is("3de2e370-8aa9-4bbe-8d7e-f5b1577bdad4"));
     }
 
     @Test
@@ -1677,8 +1710,6 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
         EPerson ePerson = EPersonBuilder.createEPerson(context)
                                         .withCanLogin(true)
                                         .withOrcid("0000-1111-2222-3333")
-                                        .withOrcidAccessToken("3de2e370-8aa9-4bbe-8d7e-f5b1577bdad4")
-                                        .withOrcidRefreshToken("6b29a03d-f494-4690-889f-2c0ddf26b82d")
                                         .withOrcidScope("/read")
                                         .withOrcidScope("/write")
                                         .withEmail("test@email.it")
@@ -1686,8 +1717,15 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
                                         .withNameInMetadata("Test", "User")
                                         .build();
 
+        OrcidTokenBuilder.create(context, ePerson, "3de2e370-8aa9-4bbe-8d7e-f5b1577bdad4").build();
+
         Item profile = createProfile(ePerson);
 
+        assertThat(getMetadataValues(profile, "person.identifier.orcid"), not(empty()));
+        assertThat(getMetadataValues(profile, "dspace.orcid.scope"), not(empty()));
+        assertThat(getMetadataValues(profile, "dspace.orcid.authenticated"), not(empty()));
+        assertThat(getOrcidAccessToken(profile), is("3de2e370-8aa9-4bbe-8d7e-f5b1577bdad4"));
+
         context.restoreAuthSystemState();
 
         getClient(getAuthToken(anotherUser.getEmail(), password))
@@ -1699,10 +1737,9 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
         profile = context.reloadEntity(profile);
 
         assertThat(getMetadataValues(profile, "person.identifier.orcid"), not(empty()));
-        assertThat(getMetadataValues(profile, "dspace.orcid.access-token"), not(empty()));
-        assertThat(getMetadataValues(profile, "dspace.orcid.refresh-token"), not(empty()));
         assertThat(getMetadataValues(profile, "dspace.orcid.scope"), not(empty()));
         assertThat(getMetadataValues(profile, "dspace.orcid.authenticated"), not(empty()));
+        assertThat(getOrcidAccessToken(profile), is("3de2e370-8aa9-4bbe-8d7e-f5b1577bdad4"));
     }
 
     @Test
@@ -1715,8 +1752,6 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
         EPerson ePerson = EPersonBuilder.createEPerson(context)
                                         .withCanLogin(true)
                                         .withOrcid("0000-1111-2222-3333")
-                                        .withOrcidAccessToken("3de2e370-8aa9-4bbe-8d7e-f5b1577bdad4")
-                                        .withOrcidRefreshToken("6b29a03d-f494-4690-889f-2c0ddf26b82d")
                                         .withOrcidScope("/read")
                                         .withOrcidScope("/write")
                                         .withEmail("test@email.it")
@@ -1724,8 +1759,15 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
                                         .withNameInMetadata("Test", "User")
                                         .build();
 
+        OrcidTokenBuilder.create(context, ePerson, "3de2e370-8aa9-4bbe-8d7e-f5b1577bdad4").build();
+
         Item profile = createProfile(ePerson);
 
+        assertThat(getMetadataValues(profile, "person.identifier.orcid"), not(empty()));
+        assertThat(getMetadataValues(profile, "dspace.orcid.scope"), not(empty()));
+        assertThat(getMetadataValues(profile, "dspace.orcid.authenticated"), not(empty()));
+        assertThat(getOrcidAccessToken(profile), is("3de2e370-8aa9-4bbe-8d7e-f5b1577bdad4"));
+
         context.restoreAuthSystemState();
 
         getClient(getAuthToken(ePerson.getEmail(), password))
@@ -1737,10 +1779,9 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
         profile = context.reloadEntity(profile);
 
         assertThat(getMetadataValues(profile, "person.identifier.orcid"), not(empty()));
-        assertThat(getMetadataValues(profile, "dspace.orcid.access-token"), not(empty()));
-        assertThat(getMetadataValues(profile, "dspace.orcid.refresh-token"), not(empty()));
         assertThat(getMetadataValues(profile, "dspace.orcid.scope"), not(empty()));
         assertThat(getMetadataValues(profile, "dspace.orcid.authenticated"), not(empty()));
+        assertThat(getOrcidAccessToken(profile), is("3de2e370-8aa9-4bbe-8d7e-f5b1577bdad4"));
     }
 
     @Test
@@ -1753,8 +1794,6 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
         EPerson ePerson = EPersonBuilder.createEPerson(context)
                                         .withCanLogin(true)
                                         .withOrcid("0000-1111-2222-3333")
-                                        .withOrcidAccessToken("3de2e370-8aa9-4bbe-8d7e-f5b1577bdad4")
-                                        .withOrcidRefreshToken("6b29a03d-f494-4690-889f-2c0ddf26b82d")
                                         .withOrcidScope("/read")
                                         .withOrcidScope("/write")
                                         .withEmail("test@email.it")
@@ -1762,8 +1801,15 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
                                         .withNameInMetadata("Test", "User")
                                         .build();
 
+        OrcidTokenBuilder.create(context, ePerson, "3de2e370-8aa9-4bbe-8d7e-f5b1577bdad4").build();
+
         Item profile = createProfile(ePerson);
 
+        assertThat(getMetadataValues(profile, "person.identifier.orcid"), not(empty()));
+        assertThat(getMetadataValues(profile, "dspace.orcid.scope"), not(empty()));
+        assertThat(getMetadataValues(profile, "dspace.orcid.authenticated"), not(empty()));
+        assertThat(getOrcidAccessToken(profile), is("3de2e370-8aa9-4bbe-8d7e-f5b1577bdad4"));
+
         context.restoreAuthSystemState();
 
         getClient(getAuthToken(admin.getEmail(), password))
@@ -1780,10 +1826,9 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
         profile = context.reloadEntity(profile);
 
         assertThat(getMetadataValues(profile, "person.identifier.orcid"), empty());
-        assertThat(getMetadataValues(profile, "dspace.orcid.access-token"), empty());
-        assertThat(getMetadataValues(profile, "dspace.orcid.refresh-token"), empty());
         assertThat(getMetadataValues(profile, "dspace.orcid.scope"), empty());
         assertThat(getMetadataValues(profile, "dspace.orcid.authenticated"), empty());
+        assertThat(getOrcidAccessToken(profile), nullValue());
     }
 
     @Test
@@ -1796,8 +1841,6 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
         EPerson ePerson = EPersonBuilder.createEPerson(context)
                                         .withCanLogin(true)
                                         .withOrcid("0000-1111-2222-3333")
-                                        .withOrcidAccessToken("3de2e370-8aa9-4bbe-8d7e-f5b1577bdad4")
-                                        .withOrcidRefreshToken("6b29a03d-f494-4690-889f-2c0ddf26b82d")
                                         .withOrcidScope("/read")
                                         .withOrcidScope("/write")
                                         .withEmail("test@email.it")
@@ -1805,8 +1848,15 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
                                         .withNameInMetadata("Test", "User")
                                         .build();
 
+        OrcidTokenBuilder.create(context, ePerson, "3de2e370-8aa9-4bbe-8d7e-f5b1577bdad4").build();
+
         Item profile = createProfile(ePerson);
 
+        assertThat(getMetadataValues(profile, "person.identifier.orcid"), not(empty()));
+        assertThat(getMetadataValues(profile, "dspace.orcid.scope"), not(empty()));
+        assertThat(getMetadataValues(profile, "dspace.orcid.authenticated"), not(empty()));
+        assertThat(getOrcidAccessToken(profile), is("3de2e370-8aa9-4bbe-8d7e-f5b1577bdad4"));
+
         context.restoreAuthSystemState();
 
         getClient(getAuthToken(anotherUser.getEmail(), password))
@@ -1818,10 +1868,9 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
         profile = context.reloadEntity(profile);
 
         assertThat(getMetadataValues(profile, "person.identifier.orcid"), not(empty()));
-        assertThat(getMetadataValues(profile, "dspace.orcid.access-token"), not(empty()));
-        assertThat(getMetadataValues(profile, "dspace.orcid.refresh-token"), not(empty()));
         assertThat(getMetadataValues(profile, "dspace.orcid.scope"), not(empty()));
         assertThat(getMetadataValues(profile, "dspace.orcid.authenticated"), not(empty()));
+        assertThat(getOrcidAccessToken(profile), is("3de2e370-8aa9-4bbe-8d7e-f5b1577bdad4"));
     }
 
     @Test
@@ -1834,8 +1883,6 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
         EPerson ePerson = EPersonBuilder.createEPerson(context)
                                         .withCanLogin(true)
                                         .withOrcid("0000-1111-2222-3333")
-                                        .withOrcidAccessToken("3de2e370-8aa9-4bbe-8d7e-f5b1577bdad4")
-                                        .withOrcidRefreshToken("6b29a03d-f494-4690-889f-2c0ddf26b82d")
                                         .withOrcidScope("/read")
                                         .withOrcidScope("/write")
                                         .withEmail("test@email.it")
@@ -1843,8 +1890,15 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
                                         .withNameInMetadata("Test", "User")
                                         .build();
 
+        OrcidTokenBuilder.create(context, ePerson, "3de2e370-8aa9-4bbe-8d7e-f5b1577bdad4").build();
+
         Item profile = createProfile(ePerson);
 
+        assertThat(getMetadataValues(profile, "person.identifier.orcid"), not(empty()));
+        assertThat(getMetadataValues(profile, "dspace.orcid.scope"), not(empty()));
+        assertThat(getMetadataValues(profile, "dspace.orcid.authenticated"), not(empty()));
+        assertThat(getOrcidAccessToken(profile), is("3de2e370-8aa9-4bbe-8d7e-f5b1577bdad4"));
+
         context.restoreAuthSystemState();
 
         getClient(getAuthToken(ePerson.getEmail(), password))
@@ -1861,10 +1915,9 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
         profile = context.reloadEntity(profile);
 
         assertThat(getMetadataValues(profile, "person.identifier.orcid"), empty());
-        assertThat(getMetadataValues(profile, "dspace.orcid.access-token"), empty());
-        assertThat(getMetadataValues(profile, "dspace.orcid.refresh-token"), empty());
         assertThat(getMetadataValues(profile, "dspace.orcid.scope"), empty());
         assertThat(getMetadataValues(profile, "dspace.orcid.authenticated"), empty());
+        assertThat(getOrcidAccessToken(profile), nullValue());
     }
 
     @Test
@@ -1877,8 +1930,6 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
         EPerson ePerson = EPersonBuilder.createEPerson(context)
                                         .withCanLogin(true)
                                         .withOrcid("0000-1111-2222-3333")
-                                        .withOrcidAccessToken("3de2e370-8aa9-4bbe-8d7e-f5b1577bdad4")
-                                        .withOrcidRefreshToken("6b29a03d-f494-4690-889f-2c0ddf26b82d")
                                         .withOrcidScope("/read")
                                         .withOrcidScope("/write")
                                         .withEmail("test@email.it")
@@ -1886,8 +1937,15 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
                                         .withNameInMetadata("Test", "User")
                                         .build();
 
+        OrcidTokenBuilder.create(context, ePerson, "3de2e370-8aa9-4bbe-8d7e-f5b1577bdad4").build();
+
         Item profile = createProfile(ePerson);
 
+        assertThat(getMetadataValues(profile, "person.identifier.orcid"), not(empty()));
+        assertThat(getMetadataValues(profile, "dspace.orcid.scope"), not(empty()));
+        assertThat(getMetadataValues(profile, "dspace.orcid.authenticated"), not(empty()));
+        assertThat(getOrcidAccessToken(profile), is("3de2e370-8aa9-4bbe-8d7e-f5b1577bdad4"));
+
         context.restoreAuthSystemState();
 
         getClient(getAuthToken(admin.getEmail(), password))
@@ -1904,10 +1962,9 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
         profile = context.reloadEntity(profile);
 
         assertThat(getMetadataValues(profile, "person.identifier.orcid"), empty());
-        assertThat(getMetadataValues(profile, "dspace.orcid.access-token"), empty());
-        assertThat(getMetadataValues(profile, "dspace.orcid.refresh-token"), empty());
         assertThat(getMetadataValues(profile, "dspace.orcid.scope"), empty());
         assertThat(getMetadataValues(profile, "dspace.orcid.authenticated"), empty());
+        assertThat(getOrcidAccessToken(profile), nullValue());
     }
 
     @Test
@@ -1920,8 +1977,6 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
         EPerson ePerson = EPersonBuilder.createEPerson(context)
                                         .withCanLogin(true)
                                         .withOrcid("0000-1111-2222-3333")
-                                        .withOrcidAccessToken("3de2e370-8aa9-4bbe-8d7e-f5b1577bdad4")
-                                        .withOrcidRefreshToken("6b29a03d-f494-4690-889f-2c0ddf26b82d")
                                         .withOrcidScope("/read")
                                         .withOrcidScope("/write")
                                         .withEmail("test@email.it")
@@ -1929,8 +1984,15 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
                                         .withNameInMetadata("Test", "User")
                                         .build();
 
+        OrcidTokenBuilder.create(context, ePerson, "3de2e370-8aa9-4bbe-8d7e-f5b1577bdad4").build();
+
         Item profile = createProfile(ePerson);
 
+        assertThat(getMetadataValues(profile, "person.identifier.orcid"), not(empty()));
+        assertThat(getMetadataValues(profile, "dspace.orcid.scope"), not(empty()));
+        assertThat(getMetadataValues(profile, "dspace.orcid.authenticated"), not(empty()));
+        assertThat(getOrcidAccessToken(profile), is("3de2e370-8aa9-4bbe-8d7e-f5b1577bdad4"));
+
         context.restoreAuthSystemState();
 
         getClient(getAuthToken(anotherUser.getEmail(), password))
@@ -1942,10 +2004,9 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
         profile = context.reloadEntity(profile);
 
         assertThat(getMetadataValues(profile, "person.identifier.orcid"), not(empty()));
-        assertThat(getMetadataValues(profile, "dspace.orcid.access-token"), not(empty()));
-        assertThat(getMetadataValues(profile, "dspace.orcid.refresh-token"), not(empty()));
         assertThat(getMetadataValues(profile, "dspace.orcid.scope"), not(empty()));
         assertThat(getMetadataValues(profile, "dspace.orcid.authenticated"), not(empty()));
+        assertThat(getOrcidAccessToken(profile), is("3de2e370-8aa9-4bbe-8d7e-f5b1577bdad4"));
     }
 
     @Test
@@ -1994,6 +2055,11 @@ public class ResearcherProfileRestRepositoryIT extends AbstractControllerIntegra
         return readAttributeFromResponse(result, "$.id");
     }
 
+    private String getOrcidAccessToken(Item item) {
+        OrcidToken orcidToken = orcidTokenService.findByProfileItem(context, item);
+        return orcidToken != null ? orcidToken.getAccessToken() : null;
+    }
+
     private List<MetadataValue> getMetadataValues(Item item, String metadataField) {
         return itemService.getMetadataByMetadataString(item, metadataField);
     }

dspace/config/dspace.cfg

@@ -928,10 +928,6 @@ webui.licence_bundle.show = false
 # since that usually contains email addresses which ought to be kept
 # private and is mainly of interest to administrators:
 metadata.hide.dc.description.provenance = true
-metadata.hide.dspace.orcid.access-token = true
-metadata.hide.dspace.orcid.refresh-token = true
-metadata.hide.eperson.orcid.access-token = true
-metadata.hide.eperson.orcid.refresh-token = true
 
 ##### Settings for Submission Process #####
 

dspace/config/hibernate.cfg.xml

@@ -88,6 +88,8 @@
         <mapping class="org.dspace.xmlworkflow.storedcomponents.XmlWorkflowItem"/>
 
         <mapping class="org.dspace.statistics.export.OpenURLTracker"/>
+        
+        <mapping class="org.dspace.app.orcid.OrcidToken"/>
 
     </session-factory>
 </hibernate-configuration>

dspace/config/registries/dspace-types.xml

@@ -51,20 +51,6 @@
         <scope_note>Used to support researcher profiles</scope_note>
     </dc-type>
 
-    <dc-type>
-        <schema>dspace</schema>
-        <element>orcid</element>
-        <qualifier>access-token</qualifier>
-        <scope_note>Stores the access token retrieved from user authentication on ORCID</scope_note>
-    </dc-type>
-
-    <dc-type>
-        <schema>dspace</schema>
-        <element>orcid</element>
-        <qualifier>refresh-token</qualifier>
-        <scope_note>Stores the refresh token retrieved from user authentication on ORCID</scope_note>
-    </dc-type>
-
     <dc-type>
         <schema>dspace</schema>
         <element>orcid</element>

dspace/config/registries/eperson-types.xml

@@ -44,20 +44,6 @@
         <scope_note>Metadata field used for the ORCID id</scope_note>
     </dc-type>
 
-    <dc-type>
-        <schema>eperson</schema>
-        <element>orcid</element>
-        <qualifier>access-token</qualifier>
-        <scope_note>Metadata field used for the ORCID access token</scope_note>
-    </dc-type>
-
-    <dc-type>
-        <schema>eperson</schema>
-        <element>orcid</element>
-        <qualifier>refresh-token</qualifier>
-        <scope_note>Metadata field used for the ORCID refresh token</scope_note>
-    </dc-type>
-
     <dc-type>
         <schema>eperson</schema>
         <element>orcid</element>

dspace/config/spring/api/orcid-services.xml

@@ -10,6 +10,10 @@
     <context:annotation-config /> <!-- allows us to use spring annotations in beans -->
 
     <bean class="org.dspace.app.orcid.service.impl.OrcidSynchronizationServiceImpl"/>
+    <bean class="org.dspace.app.orcid.dao.impl.OrcidTokenDAOImpl"/>
+    
+    <bean id="org.dspace.app.orcid.service.OrcidTokenService" class="org.dspace.app.orcid.service.impl.OrcidTokenServiceImpl"/>
+    
     <bean class="org.dspace.authenticate.OrcidAuthenticationBean" id="orcidAuthentication"/>
 
     <bean class="org.dspace.app.orcid.client.OrcidConfiguration">