
Authenticating using ORCID


ORCID uses the OAuth2 protocol for authentication and authorisation. This is a user-centric authentication mechanism that gives users fine-grained control over what third parties can and cannot do with their ORCID record. Actions that require user authorisation use the three-legged approach, as does authenticating users. It works like this:

- Your website directs the user to ORCID using a specially crafted request containing details of the permissions you would like the user to grant you, e.g. read or update
- The user authenticates to ORCID, if not already signed in
- The user grants (or denies!) permission to your application
- ORCID redirects the user back to your website with an *authorization code*
- You exchange the authorisation code for an *access token* using the ORCID OAuth API
- You include the access token in any subsequent requests you make

Implementing this in code is easier than it sounds.

External documentation

More details can be found in the [ORCID OAuth documentation](https://members.orcid.org/api/oauth2).
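The client side of the steps listed above, as an added example (not code from the original page or from ORCID). The endpoint URLs and the `/authenticate` scope are assumptions to confirm against the linked ORCID OAuth documentation; the client ID, secret and redirect URI are placeholders, and the `state` parameter is an addition that binds the callback to the session that started the flow.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed values: check the endpoints against the ORCID OAuth documentation.
AUTHORIZE_URL = "https://orcid.org/oauth/authorize"
TOKEN_URL = "https://orcid.org/oauth/token"
CLIENT_ID = "APP-PLACEHOLDER"            # placeholder
CLIENT_SECRET = "placeholder-secret"     # placeholder; keep server-side only
REDIRECT_URI = "https://app.example.org/orcid/callback"  # placeholder


def build_authorize_url(scope="/authenticate"):
    """Step 1: return (url, state). Store state in the user's session."""
    state = secrets.token_urlsafe(32)
    query = urlencode({
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": scope,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", state


def handle_callback(callback_url, session_state):
    """Step 4: return the authorization code, or raise on forgery or denial."""
    params = parse_qs(urlsplit(callback_url).query)
    returned = params.get("state", [""])[0]
    # Check state first so a forged callback never reaches the code exchange.
    if not session_state or not hmac.compare_digest(
            returned.encode(), session_state.encode()):
        raise PermissionError("state mismatch: callback not tied to this session")
    if "error" in params:  # the user denied the request, or the request was bad
        raise PermissionError(f"authorisation failed: {params['error'][0]}")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]


def token_request_body(code):
    """Step 5: form fields to POST to TOKEN_URL from the server, over TLS."""
    return {
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
    }
```

The access token returned by the exchange is then sent with subsequent API requests; treat it like a password and keep it out of URLs and logs.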