
Authenticating using ORCID


ORCID uses the OAuth2 protocol for authentication and authorisation. This is a user-centric authentication mechanism that gives users fine-grained control over what third parties can and cannot do with their ORCID record.

Actions that require user authorisation use the three-legged approach, as does authenticating users. It works like this:

- Your website directs the user to ORCID using a specially crafted request containing details of the permissions you would like the user to grant you, e.g. read or update
- The user authenticates to ORCID, if not already signed in
- The user grants (or denies!) permission to your application
- ORCID redirects the user back to your website with an *authorization code*
- You exchange the authorization code for an *access token* using the ORCID OAuth API
- You include the access token in any subsequent requests you make

Implementing this in code is easier than it sounds.

External documentation

More details can be found in the [ORCID OAuth documentation](https://members.orcid.org/api/oauth2).