The Rogue Scholar science blog archive has introduced authentication with passkeys and will disable local accounts on September 15. Reading Rogue Scholar content has always been free and never required user accounts or cookie permissions. This is true both for web and API usage.

User accounts

Science blogs participating in Rogue Scholar also don't require user accounts, but only a contact email, and the initial registration of the blog is via a web form. The import of new or updated blog posts into Rogue Scholar happens automatically via RSS feed or JSON API integration, and there is no ability to update blog posts archived in Rogue Scholar outside of that workflow.

Rogue Scholar offers user accounts that everyone can sign up for. They are currently only intended for blog authors, and two weeks ago their functionality was expanded. Rogue Scholar blog posts are organized around communities, and there are three community types:

  • blog: all blog posts of a given blog
  • topic: all blog posts about a given topic, often used as tag or keyword
  • subject area: all blog posts in a given OECD Field of Science and Technology

The blog community includes basic information about the blog, such as name, description and logo. This information is automatically extracted from the blog feed, but in some cases manual curation is desired, e.g. to include a description or logo that the feed does not provide. Blog authors with a Rogue Scholar account, and after they have received an invitation as community manager, can now manage this information themselves:

Going forward Rogue Scholar will also allow blog authors to provide more information, such as the blog default OECD Field of Science (currently provided in the blog registration form) and International Standard Serial Number (ISSN), currently provided via email.

Topic communities aggregate blog posts from multiple blogs around a common topic, typically referred to as a tag or category in blogs. These tags/categories have naturally evolved as folksonomy rather than a centrally defined taxonomy, and fully automatic classification of blog posts into topics is neither desired nor easily achievable. For these reasons, manual curation of topics is needed, and currently this requires user accounts. Blog authors who are community managers of their blog can submit blog posts to topic communities, or manage the communities the blog post is included.

The creation of topic communities currently requires an admin account, but if people are interested in becoming Rogue Scholar community managers, creating new topic communities, or adding blog posts to topic communities where they are not the author, please reach out to me.

Subject communities are automatically added to blog posts based on the blog subject area, and user accounts are not relevant here. Going forward, I want to enable automatic classification based on blog post content, and inclusion in more than one subject community. We can take advantage of the new collections feature introduced in InvenioRDM v13 earlier this month.

Authentication

Now that I have explained that user accounts are not required to use Rogue Scholar, but there are important use cases where they are needed, we can talk about how user accounts are managed in Rogue Scholar. Users can register for a user account with Rogue Scholar in one of two ways:

  • ORCID
  • Rogue Scholar passkeys

Authentication via ORCID is a widely used authentication workflow in the scholarly community that is free (no ORCID organizational membership required) and built into the InvenioRDM platform.

Depending on a single external authentication service is not desirable, as not all users will have an ORCID (e.g. group or admin accounts), and this would make it impossible to sign in to Rogue Scholar if the ORCID service is temporarily down. ORCID is primarily a service to provide unique identifiers to scholars, and not an identity provider (IdP) that provides single sign-on services.

One option is to provide authentication via local accounts with username/password, but that is both potentially insecure without additional measures such as multi-factor authentication (MFA) and inconvenient without a password manager. The InvenioRDM platform that Rogue Scholar uses has built-in local account management, but not built-in multi-factor authentication or other more advanced functionalities. Many InvenioRDM instances use an external authentication service that integrates with InvenioRDM.

ORCID authentication is implemented via the OpenID Connect (OIDC) authentication protocol, and OIDC can be used with many other third-party logins, including GitHub, which is built into InvenioRDM. For Rogue Scholar I wanted to implement a local OIDC provider that I can configure and control. The most popular authentication service for InvenioRDM for this use case is probably Keycloak. Keycloak is a powerful and well-tested open-source solution for identity management, but it is almost too complex for smaller instances such as Rogue Scholar. For these reasons, Rogue Scholar went with Pocket ID,

A simple and easy-to-use OIDC provider that allows users to authenticate with their passkeys to your services.

Pocket ID depends on passkeys, a secure and user-friendly authentication method that is (slowly) becoming a new authentication standard.

Pocket ID authentication for Rogue Scholar was launched three weeks ago, and the service is hosted at https://auth.rogue-scholar.org. The setup was straightforward, and Pocket ID supports some advanced features currently not needed by Rogue Scholar, e.g. restricting user groups, LDAP integration, or a REST API.

With the launch of Pocket ID authentication, registration for new local accounts has been disabled, and login via username/password will be disabled on September 15. Users with existing local accounts can link their accounts to ORCID and/or passkeys until that date.

Please use SlackemailMastodon, or Bluesky if you have any questions or comments regarding Rogue Scholar authentication.

References

  1. Fenner, M. (2025, July 30). Rogue Scholar Updates: Full-text search as default and basic blog self-management. Front Matter. https://doi.org/10.53731/jeatk-t8t07
  2. Fenner, M. (2025, July 23). Rogue Scholar relaunches today. Front Matter. https://doi.org/10.53731/8dg89-gnc10