diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fd7f967..f25724b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -10,32 +10,31 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  test:
+  generate:
     runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - id: generate
+        uses: freckle/stack-action/generate-matrix@v5
+    outputs:
+      stack-yamls: ${{ steps.generate.outputs.stack-yamls }}
 
+  test:
+    needs: generate
     strategy:
       matrix:
-        stack-yaml:
-          - stack-nightly.yaml     # ghc-9.8
-          - stack.yaml             # ghc-9.6
-          - stack-lts-21.25.yaml   # ghc-9.4
-          - stack-lts-20.26.yaml   # ghc-9.2
-          - stack-lts-19.33.yaml   # ghc-9.0
-          - stack-lts-18.28.yaml   # ghc-8.10
-          - stack-lts-16.31.yaml   # ghc-8.8
-          - stack-lts-14.27.yaml   # ghc-8.6 + hoauth2-1.14.0
-          - stack-hoauth2-2.6.yaml # ghc-9.4 (nightly-2022-12-09)
-          - stack-hoauth2-2.3.yaml # ghc-9.0 (nightly-2022-02-25)
-          - stack-hoauth2-2.2.yaml # ghc-9.0 (nightly-2022-02-25)
-          - stack-hoauth2-2.0.yaml # ghc-8.10
+        stack-yaml: ${{ fromJSON(needs.generate.outputs.stack-yamls) }}
       fail-fast: false
 
+    runs-on: ubuntu-latest
+
     steps:
       - uses: actions/checkout@v4
       - uses: freckle/stack-action@v5
         with:
-          stack-yaml: ${{ matrix.stack-yaml }}
           stack-build-arguments: --flag yesod-auth-oauth2:example
+        env:
+          STACK_YAML: ${{ matrix.stack-yaml }}
 
   lint:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 33acda8..65d1030 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -14,9 +14,9 @@ jobs:
         uses: freckle/haskell-tag-action@v1
 
       - if: steps.tag.outputs.tag
-        run: stack upload --pvp-bounds lower
+        run: stack upload --pvp-bounds lower .
         env:
           HACKAGE_KEY: ${{ secrets.HACKAGE_UPLOAD_API_KEY }}
 
           # Use minimum LTS to set lowest lower bounds
-          STACK_YAML: stack-lts-14.27.yaml
+          STACK_YAML: stack-lts-16.31.yaml
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1e7c583..4c2aabd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,15 @@
-## [_Unreleased_](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.7.1.3...main)
+## [_Unreleased_](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.7.3.0...main)
+
+## [v0.7.3.0](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.7.2.0...v0.7.3.0)
+
+- Add ORCID provider
+- Drop support for LTS-12 / GHC-8.6
+- Replace `cryptonite` with `crypton`
+
+## [v0.7.2.0](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.7.1.3...v0.7.2.0)
+
+- Add `oauth2GitHubWidget` and `oauth2GitHubScopedWidget`
+  [@jaanisfehling](https://github.com/freckle/yesod-auth-oauth2/pull/181)
 
 ## [v0.7.1.3](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.7.1.2...v0.7.1.3)
 
diff --git a/example/Main.hs b/example/Main.hs
index 9c8d836..1cbd42c 100644
--- a/example/Main.hs
+++ b/example/Main.hs
@@ -34,6 +34,7 @@ import Yesod.Auth.OAuth2.GitHub
 import Yesod.Auth.OAuth2.GitLab
 import Yesod.Auth.OAuth2.Google
 import Yesod.Auth.OAuth2.Nylas
+import Yesod.Auth.OAuth2.ORCID
 import Yesod.Auth.OAuth2.Salesforce
 import Yesod.Auth.OAuth2.Slack
 import Yesod.Auth.OAuth2.Spotify
@@ -149,6 +150,7 @@ mkFoundation = do
       , loadPlugin (oauth2Spotify []) "SPOTIFY"
       , loadPlugin oauth2Twitch "TWITCH"
       , loadPlugin oauth2WordPressDotCom "WORDPRESS_DOT_COM"
+      , loadPlugin oauth2ORCID "ORCID"
       , loadPlugin oauth2Upcase "UPCASE"
       ]
 
diff --git a/package.yaml b/package.yaml
index bfde2bd..4bd676c 100644
--- a/package.yaml
+++ b/package.yaml
@@ -1,6 +1,6 @@
 ---
 name: yesod-auth-oauth2
-version: 0.7.1.3
+version: 0.7.3.0
 synopsis: OAuth 2.0 authentication plugins
 description: Library to authenticate with OAuth 2.0 for Yesod web applications.
 category: Web
@@ -27,7 +27,7 @@ library:
   dependencies:
     - aeson >=0.6
     - bytestring >=0.9.1.4
-    - cryptonite >=0.25
+    - crypton
     - errors
     - hoauth2 >=1.11.0
     - http-client >=0.4.0
diff --git a/src/Yesod/Auth/OAuth2/Google.hs b/src/Yesod/Auth/OAuth2/Google.hs
index 77e7726..0fc3475 100644
--- a/src/Yesod/Auth/OAuth2/Google.hs
+++ b/src/Yesod/Auth/OAuth2/Google.hs
@@ -39,9 +39,8 @@ newtype User = User Text
 instance FromJSON User where
   parseJSON =
     withObject "User" $ \o ->
-      User
-        -- Required for data backwards-compatibility
-        <$> (("google-uid:" <>) <$> o .: "sub")
+      -- Required for data backwards-compatibility
+      User . ("google-uid:" <>) <$> o .: "sub"
 
 pluginName :: Text
 pluginName = "google"
diff --git a/src/Yesod/Auth/OAuth2/ORCID.hs b/src/Yesod/Auth/OAuth2/ORCID.hs
new file mode 100644
index 0000000..a60f394
--- /dev/null
+++ b/src/Yesod/Auth/OAuth2/ORCID.hs
@@ -0,0 +1,50 @@
+{-# LANGUAGE OverloadedStrings #-}
+
+module Yesod.Auth.OAuth2.ORCID
+  ( oauth2ORCID
+  ) where
+
+import qualified Data.Text as T
+import Yesod.Auth.OAuth2.Prelude
+
+pluginName :: Text
+pluginName = "orcid"
+
+newtype User = User Text
+
+instance FromJSON User where
+  parseJSON = withObject "User" $ \o -> User <$> o .: "sub"
+
+oauth2ORCID
+  :: YesodAuth m
+  => Text
+  -- ^ Client Id
+  -> Text
+  -- ^ Client Secret
+  -> AuthPlugin m
+oauth2ORCID clientId clientSecret =
+  authOAuth2 pluginName oauth2 $ \manager token -> do
+    (User userId, userResponse) <-
+      authGetProfile
+        pluginName
+        manager
+        token
+        "https://orcid.org/oauth/userinfo"
+
+    pure
+      Creds
+        { credsPlugin = pluginName
+        , credsIdent = T.pack $ show userId
+        , credsExtra = setExtra token userResponse
+        }
+ where
+  oauth2 =
+    OAuth2
+      { oauth2ClientId = clientId
+      , oauth2ClientSecret = Just clientSecret
+      , oauth2AuthorizeEndpoint =
+          "https://orcid.org/oauth/authorize"
+            `withQuery` [scopeParam " " ["openid"]]
+      , oauth2TokenEndpoint = "https://orcid.org/oauth/token"
+      , oauth2RedirectUri = Nothing
+      }
diff --git a/stack-hoauth2-2.0.yaml b/stack-hoauth2-2.0.yaml
index 1aa8208..272210b 100644
--- a/stack-hoauth2-2.0.yaml
+++ b/stack-hoauth2-2.0.yaml
@@ -1,3 +1,4 @@
 resolver: lts-18.28
 extra-deps:
+  - crypton-1.0.0
   - hoauth2-2.0.0
diff --git a/stack-hoauth2-2.0.yaml.lock b/stack-hoauth2-2.0.yaml.lock
index 032866a..006dcbf 100644
--- a/stack-hoauth2-2.0.yaml.lock
+++ b/stack-hoauth2-2.0.yaml.lock
@@ -4,6 +4,13 @@
 #   https://docs.haskellstack.org/en/stable/lock_files
 
 packages:
+- completed:
+    hackage: crypton-1.0.0@sha256:637e58581978c84ef1288d14fa9cac1d2905ef60e319924293bc11250aca882d,14527
+    pantry-tree:
+      sha256: 4b5e5511567c0fe735a224cb8b2b278e1caa79344f2940d030d169e69b1b81e1
+      size: 23275
+  original:
+    hackage: crypton-1.0.0
 - completed:
     hackage: hoauth2-2.0.0@sha256:4686d776272d4c57d3c8dbeb9e58b04afe4d2b410382011bd78a3d2bfb08a3fe,5662
     pantry-tree:
diff --git a/stack-hoauth2-2.2.yaml b/stack-hoauth2-2.2.yaml
index c1b27a7..9ea808d 100644
--- a/stack-hoauth2-2.2.yaml
+++ b/stack-hoauth2-2.2.yaml
@@ -1,3 +1,4 @@
 resolver: nightly-2022-02-25
 extra-deps:
+  - crypton-1.0.0
   - hoauth2-2.2.0
diff --git a/stack-hoauth2-2.2.yaml.lock b/stack-hoauth2-2.2.yaml.lock
index de9f9c0..d2632cf 100644
--- a/stack-hoauth2-2.2.yaml.lock
+++ b/stack-hoauth2-2.2.yaml.lock
@@ -4,6 +4,13 @@
 #   https://docs.haskellstack.org/en/stable/lock_files
 
 packages:
+- completed:
+    hackage: crypton-1.0.0@sha256:637e58581978c84ef1288d14fa9cac1d2905ef60e319924293bc11250aca882d,14527
+    pantry-tree:
+      sha256: 4b5e5511567c0fe735a224cb8b2b278e1caa79344f2940d030d169e69b1b81e1
+      size: 23275
+  original:
+    hackage: crypton-1.0.0
 - completed:
     hackage: hoauth2-2.2.0@sha256:83a96156717d9e2c93394b35bef4151f82b90dc88b83d0e35c0bf1158bd41c6c,2801
     pantry-tree:
diff --git a/stack-hoauth2-2.3.yaml b/stack-hoauth2-2.3.yaml
index 8274e74..1013787 100644
--- a/stack-hoauth2-2.3.yaml
+++ b/stack-hoauth2-2.3.yaml
@@ -1,3 +1,4 @@
 resolver: nightly-2022-02-25
 extra-deps:
+  - crypton-1.0.0
   - hoauth2-2.3.0
diff --git a/stack-hoauth2-2.3.yaml.lock b/stack-hoauth2-2.3.yaml.lock
index 60671cd..8301e9b 100644
--- a/stack-hoauth2-2.3.yaml.lock
+++ b/stack-hoauth2-2.3.yaml.lock
@@ -4,6 +4,13 @@
 #   https://docs.haskellstack.org/en/stable/lock_files
 
 packages:
+- completed:
+    hackage: crypton-1.0.0@sha256:637e58581978c84ef1288d14fa9cac1d2905ef60e319924293bc11250aca882d,14527
+    pantry-tree:
+      sha256: 4b5e5511567c0fe735a224cb8b2b278e1caa79344f2940d030d169e69b1b81e1
+      size: 23275
+  original:
+    hackage: crypton-1.0.0
 - completed:
     hackage: hoauth2-2.3.0@sha256:213744356007a4686ff3bb72105843d478bc0ba6229659429cbe241a99f55095,2816
     pantry-tree:
diff --git a/stack-hoauth2-2.6.yaml b/stack-hoauth2-2.6.yaml
index 181a354..4a6664b 100644
--- a/stack-hoauth2-2.6.yaml
+++ b/stack-hoauth2-2.6.yaml
@@ -1,11 +1,7 @@
 resolver: nightly-2022-12-09
 extra-deps:
+  - crypton-1.0.0
   - hoauth2-2.6.0
 allow-newer: true
 allow-newer-deps:
-  - hoauth2 # specifying the package itself is not necessary in the newest
-            # stack, and in fact doens't make conceptual sense. But it is
-            # required on the version of stack on GHA or you get a warning about
-            # ignoreing the bounds (as desired) but it still fails on them...
-  - memory
-  - text
+  - hoauth2 # allow newer memory and text
diff --git a/stack-hoauth2-2.6.yaml.lock b/stack-hoauth2-2.6.yaml.lock
index 3dbaac6..6dd4c65 100644
--- a/stack-hoauth2-2.6.yaml.lock
+++ b/stack-hoauth2-2.6.yaml.lock
@@ -4,6 +4,13 @@
 #   https://docs.haskellstack.org/en/stable/lock_files
 
 packages:
+- completed:
+    hackage: crypton-1.0.0@sha256:637e58581978c84ef1288d14fa9cac1d2905ef60e319924293bc11250aca882d,14527
+    pantry-tree:
+      sha256: 4b5e5511567c0fe735a224cb8b2b278e1caa79344f2940d030d169e69b1b81e1
+      size: 23275
+  original:
+    hackage: crypton-1.0.0
 - completed:
     hackage: hoauth2-2.6.0@sha256:168321df73bf75dc7cdda8e72725e9f3f624a9776b1fe59ae46c29c45029dc5d,2262
     pantry-tree:
diff --git a/stack-lts-14.27.yaml b/stack-lts-14.27.yaml
deleted file mode 100644
index 2be442d..0000000
--- a/stack-lts-14.27.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
-resolver: lts-14.27
-extra-deps:
-  - hoauth2-1.14.0
diff --git a/stack-lts-14.27.yaml.lock b/stack-lts-14.27.yaml.lock
deleted file mode 100644
index 5ce20b8..0000000
--- a/stack-lts-14.27.yaml.lock
+++ /dev/null
@@ -1,19 +0,0 @@
-# This file was autogenerated by Stack.
-# You should not edit this file by hand.
-# For more information, please see the documentation at:
-#   https://docs.haskellstack.org/en/stable/lock_files
-
-packages:
-- completed:
-    hackage: hoauth2-1.14.0@sha256:fcb4284fc78950c91d5b548317c51bd99a5ced84f4bb9e6153624b5783e4215f,5628
-    pantry-tree:
-      sha256: f25e2c2c101312196159dad5a3e2a4c8f549ed2d036d9566b66786d758db7dba
-      size: 2046
-  original:
-    hackage: hoauth2-1.14.0
-snapshots:
-- completed:
-    sha256: 7ea31a280c56bf36ff591a7397cc384d0dff622e7f9e4225b47d8980f019a0f0
-    size: 524996
-    url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/lts/14/27.yaml
-  original: lts-14.27
diff --git a/stack-lts-16.31.yaml b/stack-lts-16.31.yaml
index 53095f7..22688b1 100644
--- a/stack-lts-16.31.yaml
+++ b/stack-lts-16.31.yaml
@@ -1 +1,3 @@
 resolver: lts-16.31
+extra-deps:
+  - crypton-1.0.0
diff --git a/stack-lts-16.31.yaml.lock b/stack-lts-16.31.yaml.lock
index a3bf80f..783dcb5 100644
--- a/stack-lts-16.31.yaml.lock
+++ b/stack-lts-16.31.yaml.lock
@@ -3,7 +3,14 @@
 # For more information, please see the documentation at:
 #   https://docs.haskellstack.org/en/stable/lock_files
 
-packages: []
+packages:
+- completed:
+    hackage: crypton-1.0.0@sha256:637e58581978c84ef1288d14fa9cac1d2905ef60e319924293bc11250aca882d,14527
+    pantry-tree:
+      sha256: 4b5e5511567c0fe735a224cb8b2b278e1caa79344f2940d030d169e69b1b81e1
+      size: 23275
+  original:
+    hackage: crypton-1.0.0
 snapshots:
 - completed:
     sha256: 637fb77049b25560622a224845b7acfe81a09fdb6a96a3c75997a10b651667f6
diff --git a/stack-lts-18.28.yaml b/stack-lts-18.28.yaml
index 773d5c9..c070685 100644
--- a/stack-lts-18.28.yaml
+++ b/stack-lts-18.28.yaml
@@ -1 +1,3 @@
 resolver: lts-18.28
+extra-deps:
+  - crypton-1.0.0
diff --git a/stack-lts-18.28.yaml.lock b/stack-lts-18.28.yaml.lock
index da10c3e..a23fd96 100644
--- a/stack-lts-18.28.yaml.lock
+++ b/stack-lts-18.28.yaml.lock
@@ -3,7 +3,14 @@
 # For more information, please see the documentation at:
 #   https://docs.haskellstack.org/en/stable/lock_files
 
-packages: []
+packages:
+- completed:
+    hackage: crypton-1.0.0@sha256:637e58581978c84ef1288d14fa9cac1d2905ef60e319924293bc11250aca882d,14527
+    pantry-tree:
+      sha256: 4b5e5511567c0fe735a224cb8b2b278e1caa79344f2940d030d169e69b1b81e1
+      size: 23275
+  original:
+    hackage: crypton-1.0.0
 snapshots:
 - completed:
     sha256: 428ec8d5ce932190d3cbe266b9eb3c175cd81e984babf876b64019e2cbe4ea68
diff --git a/stack-lts-19.33.yaml b/stack-lts-19.33.yaml
index f9994e6..c552550 100644
--- a/stack-lts-19.33.yaml
+++ b/stack-lts-19.33.yaml
@@ -1 +1,3 @@
 resolver: lts-19.33
+extra-deps:
+  - crypton-1.0.0
diff --git a/stack-lts-19.33.yaml.lock b/stack-lts-19.33.yaml.lock
index d79c369..c81ce8a 100644
--- a/stack-lts-19.33.yaml.lock
+++ b/stack-lts-19.33.yaml.lock
@@ -3,7 +3,14 @@
 # For more information, please see the documentation at:
 #   https://docs.haskellstack.org/en/stable/lock_files
 
-packages: []
+packages:
+- completed:
+    hackage: crypton-1.0.0@sha256:637e58581978c84ef1288d14fa9cac1d2905ef60e319924293bc11250aca882d,14527
+    pantry-tree:
+      sha256: 4b5e5511567c0fe735a224cb8b2b278e1caa79344f2940d030d169e69b1b81e1
+      size: 23275
+  original:
+    hackage: crypton-1.0.0
 snapshots:
 - completed:
     sha256: 6d1532d40621957a25bad5195bfca7938e8a06d923c91bc52aa0f3c41181f2d4
diff --git a/stack-lts-20.26.yaml b/stack-lts-20.26.yaml
index fc9172f..c421558 100644
--- a/stack-lts-20.26.yaml
+++ b/stack-lts-20.26.yaml
@@ -1 +1,3 @@
 resolver: lts-20.26
+extra-deps:
+  - crypton-1.0.0
diff --git a/stack-lts-20.26.yaml.lock b/stack-lts-20.26.yaml.lock
index ea5a850..0d30195 100644
--- a/stack-lts-20.26.yaml.lock
+++ b/stack-lts-20.26.yaml.lock
@@ -3,7 +3,14 @@
 # For more information, please see the documentation at:
 #   https://docs.haskellstack.org/en/stable/lock_files
 
-packages: []
+packages:
+- completed:
+    hackage: crypton-1.0.0@sha256:637e58581978c84ef1288d14fa9cac1d2905ef60e319924293bc11250aca882d,14527
+    pantry-tree:
+      sha256: 4b5e5511567c0fe735a224cb8b2b278e1caa79344f2940d030d169e69b1b81e1
+      size: 23275
+  original:
+    hackage: crypton-1.0.0
 snapshots:
 - completed:
     sha256: 5a59b2a405b3aba3c00188453be172b85893cab8ebc352b1ef58b0eae5d248a2
diff --git a/yesod-auth-oauth2.cabal b/yesod-auth-oauth2.cabal
index a4c187c..dafcfb7 100644
--- a/yesod-auth-oauth2.cabal
+++ b/yesod-auth-oauth2.cabal
@@ -4,10 +4,10 @@ cabal-version: 1.18
 --
 -- see: https://github.com/sol/hpack
 --
--- hash: 207152c226dff43499a366c34fa97543df920deaad084999e3942ae0dc32a30f
+-- hash: 148c53a7824b23fa36ce45e0641e643edec0da339f201937f076327d06b2054a
 
 name:           yesod-auth-oauth2
-version:        0.7.1.3
+version:        0.7.3.0
 synopsis:       OAuth 2.0 authentication plugins
 description:    Library to authenticate with OAuth 2.0 for Yesod web applications.
 category:       Web
@@ -54,6 +54,7 @@ library
       Yesod.Auth.OAuth2.GitLab
       Yesod.Auth.OAuth2.Google
       Yesod.Auth.OAuth2.Nylas
+      Yesod.Auth.OAuth2.ORCID
       Yesod.Auth.OAuth2.Prelude
       Yesod.Auth.OAuth2.Random
       Yesod.Auth.OAuth2.Salesforce
@@ -71,7 +72,7 @@ library
       aeson >=0.6
     , base >=4.9.0.0 && <5
     , bytestring >=0.9.1.4
-    , cryptonite >=0.25
+    , crypton
     , errors
     , hoauth2 >=1.11.0
     , http-client >=0.4.0