Authenticating using ORCID


ORCID uses the OAuth2 protocol for authentication and authorisation. This is a user-centric authentication mechanism that gives users fine-grained control over what third parties can and cannot do with their ORCID record. Actions that require user authorisation use the three-legged approach, as does authenticating users. It works like this:

- Your website directs the user to ORCID using a specially crafted request containing details of the permissions you would like the user to grant you, e.g. read or update
- The user authenticates to ORCID, if not already signed in
- The user grants (or denies!) permission to your application
- ORCID redirects the user back to your website with an *authorization code*
- You exchange the authorisation code for an *access token* using the ORCID OAuth API
- You include the access token in any subsequent requests you make

Implementing this in code is easier than it sounds.

External documentation

More details can be found in the [ORCID OAuth documentation](https://members.orcid.org/api/oauth2).
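The redirect and code-exchange steps of the three-legged flow, as an added example that is not part of the original page or ORCID's own code. It assumes the endpoint URLs and the `/authenticate` scope from ORCID's public OAuth documentation, placeholder client credentials and redirect URI, a dict-like `session`, and the standard OAuth2 `state` parameter to tie the callback to the user's session.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed values: endpoints and scope per ORCID's public OAuth documentation;
# the client credentials and redirect URI are constructed placeholders.
AUTHORIZE_URL = "https://orcid.org/oauth/authorize"
TOKEN_URL = "https://orcid.org/oauth/token"
CLIENT_ID = "APP-EXAMPLE0000000000"
CLIENT_SECRET = "example-secret"
REDIRECT_URI = "https://app.example.org/orcid/callback"


def build_authorize_url(session, scope="/authenticate"):
    """Step 1: URL that sends the user to ORCID, bound to their session."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    query = urlencode({
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": scope,
        "redirect_uri": REDIRECT_URI,
        "state": session["oauth_state"],
    })
    return f"{AUTHORIZE_URL}?{query}"


def handle_callback(session, callback_url):
    """Steps 4-5: validate ORCID's redirect, then build the token request."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    expected = session.pop("oauth_state", None)  # single use: blocks replay
    received = params.get("state", "")
    if expected is None or not hmac.compare_digest(expected.encode(), received.encode()):
        raise PermissionError("state mismatch: callback not tied to this session")
    if "error" in params:  # e.g. the user denied permission
        raise PermissionError(f"authorisation failed: {params['error']}")
    if "code" not in params:
        raise ValueError("callback carries no authorization code")
    # POST this form server-side only; the client secret never reaches the browser.
    return {
        "url": TOKEN_URL,
        "headers": {"Accept": "application/json"},
        "data": {
            "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET,
            "grant_type": "authorization_code",
            "code": params["code"],
            "redirect_uri": REDIRECT_URI,
        },
    }
```

The returned dictionary describes the POST to send with whichever HTTP client the application already uses; the JSON response carries the access token for subsequent requests.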