Authorization without Redirect


Jason Ash

Aug 2, 2017, 9:58:27 AM
to ORCID API Users
Hello,

I'm a bit of a newcomer to ORCiD and OAuth, so I apologize in advance for any glaring mistakes or misunderstandings below.

I recently enabled ORCiD OAuth2 as an alternate way for users to log in to my web site. I'm using the standard three-legged approach, sending my users to https://orcid.org/oauth/authorize and using the code passed to my redirect_uri to gather a token. This approach has been working flawlessly and I have no concerns.

In addition to a web interface to my project, I also have an extensive set of REST APIs that allow users to programmatically interact with their data. I was hoping to allow my users to authorize via ORCiD OAuth the same way that the web site allows, but I've hit a roadblock. The problem I've run into is that many of my users don't use standard web interfaces to consume my REST APIs. For example, we have several users that have developed standalone apps written in Java and Python. We have users that are consuming our API from embedded devices. We have users that have written their own iOS and Android apps. Currently these users authenticate to our API with a basic authentication header and base64-encoded credentials.

I guess my real question is whether the ORCiD OAuth system supports any scenario where the end-user can supply their credentials to get a token.

Some of my users simply cannot redirect to ORCiD to validate the request, especially those cases where embedded devices are used.

After researching a bit, it looks like the grant-type Resource Owner Password Credentials Grant would be the ideal solution, but it looks like this grant is generally frowned upon.

GitHub has a workaround where user-supplied credentials can be sent to their API (https://api.github.com/authorizations) to recover a token, but their solution seems to be a one-off.

If anyone has any suggested workarounds I would greatly appreciate them.

Regards,

Jason


Liz Krznarich

Aug 2, 2017, 2:15:39 PM
to ORCID API Users
Hi Jason,

We don't support a case where end users supply credentials to get a token to access their own information (among other reasons, it's generally not a use case we've run into much before). We do, however, offer a client credentials grant-type for /read-public scope only that allows an API client (public or member) to generate a token valid for reading or searching public information on any ORCID record.

Here's a tutorial that explains how to generate and use a /read-public token:

This type of token doesn't allow reading non-public info or adding/updating information on a record - a token generated using an authorization code grant-type is required for those actions.

Hope this helps! Let us know if you have more questions.

Cheers,

Liz Krznarich

Tech Lead, Front End Development, ORCID

http://orcid.org/0000-0001-6622-4910
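The two token requests discussed in this thread, worked end to end as an added example (this is not code from the original posts or from ORCID): the authorization-code exchange Jason already uses for login, and the client-credentials request for a /read-public token that Liz describes. The authorize URL is the one quoted in the thread; the token endpoint, the form parameter names and the token-response fields are assumed from ORCID's public API documentation. The `state` check is standard OAuth2 practice and is not mentioned in the thread. `FakeTokenEndpoint`, the client credentials, the callback query string and the ORCID iD it returns are all constructed so the example runs offline.

```python
import secrets
import urllib.parse

AUTHORIZE_URL = "https://orcid.org/oauth/authorize"   # quoted in the thread
TOKEN_URL = "https://orcid.org/oauth/token"           # assumed from ORCID docs


def build_authorize_url(client_id, redirect_uri, scope, state):
    """Step 1 of the three-legged flow: where to send the user's browser.
    `state` is a fresh random value kept in the user's session; checking it
    on return is what stops a forged callback from binding someone else's code."""
    params = {"client_id": client_id, "response_type": "code", "scope": scope,
              "redirect_uri": redirect_uri, "state": state}
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def code_from_callback(query_string, expected_state):
    """Step 2: parse the redirect_uri query string; refuse the code unless
    state matches (constant-time compare) and ORCID reported no error."""
    q = urllib.parse.parse_qs(query_string, keep_blank_values=True)
    state = q.get("state", [""])[0]
    if not expected_state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible CSRF, discard this callback")
    if "error" in q:
        raise ValueError("authorization failed: " + q["error"][0])
    return q["code"][0]


def exchange_code(post, client_id, client_secret, code, redirect_uri):
    """Step 3: server-to-server POST of the code for a token bound to a user.
    Parameter names are assumed from ORCID's docs."""
    return post(TOKEN_URL, {"client_id": client_id, "client_secret": client_secret,
                            "grant_type": "authorization_code", "code": code,
                            "redirect_uri": redirect_uri})


def read_public_token(post, client_id, client_secret):
    """Client-credentials grant for /read-public: no user takes part, so the
    token identifies the application, not a person."""
    return post(TOKEN_URL, {"client_id": client_id, "client_secret": client_secret,
                            "grant_type": "client_credentials", "scope": "/read-public"})


class FakeTokenEndpoint:
    """Constructed stand-in for the ORCID token endpoint so this runs offline.
    Response shapes follow ORCID's documented responses but are assumptions."""

    def __init__(self, client_id, client_secret):
        self._creds = (client_id, client_secret)
        # constructed: issued code -> (redirect_uri it was issued for, ORCID iD)
        self._codes = {"c0de123": ("https://example.org/cb", "0000-0002-1825-0097")}

    def __call__(self, url, form):
        assert url == TOKEN_URL
        if (form.get("client_id"), form.get("client_secret")) != self._creds:
            return {"error": "invalid_client"}
        grant = form.get("grant_type")
        if grant == "authorization_code":
            issued = self._codes.pop(form.get("code"), None)   # codes are one-time
            if issued is None or issued[0] != form.get("redirect_uri"):
                return {"error": "invalid_grant"}
            return {"access_token": secrets.token_hex(16), "scope": "/authenticate",
                    "orcid": issued[1]}                       # bound to a person
        if grant == "client_credentials" and form.get("scope") == "/read-public":
            # no "orcid" field: nobody logged in, so this cannot stand in for login
            return {"access_token": secrets.token_hex(16), "scope": "/read-public"}
        return {"error": "unsupported_grant_type"}


def demo():
    """Runs both grants against the fake endpoint; returns the three responses."""
    cid, csec, cb = "APP-XYZ", "s3cret", "https://example.org/cb"   # constructed
    post = FakeTokenEndpoint(cid, csec)
    state = secrets.token_urlsafe(16)
    build_authorize_url(cid, cb, "/authenticate", state)            # browser goes here
    code = code_from_callback(f"code=c0de123&state={state}", state)  # constructed callback
    user_token = exchange_code(post, cid, csec, code, cb)
    replay = exchange_code(post, cid, csec, code, cb)               # same code again
    app_token = read_public_token(post, cid, csec)
    return user_token, replay, app_token


if __name__ == "__main__":
    for label, resp in zip(("user-bound", "replayed code", "client-only"), demo()):
        print(label, resp)
```

The contrast the example makes visible is the one Jason raises in his reply: the authorization-code response carries the ORCID iD of the person who consented, so it can back a login, while the /read-public client-credentials response carries no user identity at all. The replay of the same code failing is the expected one-time-use behaviour of an authorization code, and the `state` comparison is the check any callback handler should do before exchanging a code.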

Jason Ash

Aug 2, 2017, 2:18:29 PM
to ORCID API Users
Thanks, Liz. Unfortunately, the client credentials grant-type doesn't help me in this case as I'm trying to use ORCiD OAuth as a login replacement.

Jason
