Hello,
I'm a bit of a newcomer to ORCiD and OAuth, so I apologize in advance for any glaring mistakes or misunderstandings below.
I recently enabled ORCiD OAuth2 as an alternate way for users to log in to my web site. I'm using the standard three-legged approach, sending my users to https://orcid.org/oauth/authorize and using the code passed to my redirect_uri to gather a token. This approach has been working flawlessly and I have no concerns.
In addition to a web interface to my project, I also have an extensive set of REST APIs that allow users to programmatically interact with their data. I was hoping to allow my users to authorize via ORCiD OAuth the same way that the web site allows, but I've hit a roadblock. The problem I've run into is that many of my users don't use standard web interfaces to consume my REST APIs. For example, we have several users that have developed standalone apps written in Java and Python. We have users that are consuming our API from embedded devices. We have users that have written their own iOS and Android apps. Currently these users authenticate to our API with basic authentication headers and base64-encoded credentials.
I guess my real question is whether the ORCiD OAuth system supports any scenario where the end-user can supply their credentials to get a token.
Some of my users simply cannot redirect to ORCiD to validate the request, especially those cases where embedded devices are used.
After researching a bit, it looks like the Resource Owner Password Credentials grant type would be the ideal solution, but it looks like this grant is generally frowned upon.
GitHub has a workaround where user-supplied credentials can be sent to their API (https://api.github.com/authorizations) to recover a token, but their solution seems to be a one-off.
If anyone has any suggested workarounds I would greatly appreciate them.
Regards,
Jason
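The three-legged flow the post describes, written out as an added example (not code from the post or from ORCID): build the authorize URL with an unguessable `state`, verify that `state` when the browser comes back to `redirect_uri`, then exchange the one-time code for a token server-to-server. The security-relevant point, and the reason the password grant is frowned upon, is visible in the code: the site only ever handles its own `client_secret` and a short-lived code, never the user's ORCID password. The token endpoint `https://orcid.org/oauth/token`, the `/authenticate` scope, the client id/secret, the redirect URI and the HTTP transport used here are assumptions or placeholders; `fake_orcid_post` is a constructed stand-in so the flow runs offline.

```python
import json
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://orcid.org/oauth/authorize"   # from the post
TOKEN_URL = "https://orcid.org/oauth/token"           # assumed token endpoint


def build_authorize_url(client_id, redirect_uri, scope="/authenticate"):
    """Step 1: the URL the user is sent to, plus the state we must see again.
    `state` binds the callback to this browser session and defeats CSRF."""
    state = secrets.token_urlsafe(32)
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": scope,          # assumed ORCID scope name
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state


def parse_callback(callback_url, expected_state):
    """Step 2: the browser returns to redirect_uri with ?code=...&state=...
    Reject the callback unless the state matches the one we issued."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible CSRF or stale callback")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def exchange_code(code, client_id, client_secret, redirect_uri, post):
    """Step 3: back-channel exchange of the one-time code for a token.
    `post(url, data, headers) -> body` is injected so the example runs offline;
    in production it would be urllib.request/requests over TLS."""
    data = {
        "client_id": client_id,
        "client_secret": client_secret,   # stays on the server, never in a client app
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,     # must equal the one used in step 1
    }
    body = post(TOKEN_URL, data, {"Accept": "application/json"})
    token = json.loads(body)
    if "access_token" not in token:
        raise ValueError(f"token endpoint returned no access_token: {token}")
    return token


def fake_orcid_post(url, data, headers):
    """Constructed stand-in for the token endpoint (example only)."""
    if url != TOKEN_URL or data.get("grant_type") != "authorization_code":
        return json.dumps({"error": "unsupported_grant_type"})
    if data.get("code") != "abc123":          # the one code our fake issued
        return json.dumps({"error": "invalid_grant"})
    return json.dumps({"access_token": "tok-constructed", "token_type": "bearer",
                       "orcid": "0000-0000-0000-0000"})   # placeholder iD


def run_demo():
    """Walk the three legs end to end with constructed values."""
    client_id, client_secret = "APP-EXAMPLE", "secret-example"   # placeholders
    redirect_uri = "https://example.org/orcid/callback"           # placeholder
    _url, state = build_authorize_url(client_id, redirect_uri)
    # The user signs in at ORCID; the browser comes back with (constructed) query:
    callback = f"{redirect_uri}?code=abc123&state={state}"
    code = parse_callback(callback, state)
    return exchange_code(code, client_id, client_secret, redirect_uri, fake_orcid_post)


if __name__ == "__main__":
    print(run_demo())
```

Note that steps 1 and 2 are the ones a non-browser client cannot perform on its own: they require a user agent that can be redirected to ORCID and back, which is exactly the gap the post describes for embedded devices.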