How to create automated authentication mechanism for OrcID on bash console.

[Alper Alimoglu]

I want to do authentication process from using console. Is it possible? 

I have followed this guide (https://members.orcid.org/api/oauth/3legged-oauth). First issue I was not able to obtain code=**** through console, is there any script that I can use.

Imagine: user provide me their client_id and redirect_uri:

Example:

client_id='APP-90R3NMFJNN5M4J84'
redirect_uri='http://ebloc.org';

Having following authentication URL:

https://orcid.org/oauth/authorize?client_id=APP-90R3NMFJNN5M4J84&response_type=code&scope=/authenticate&redirect_uri=http://ebloc.org

Since I am on console, manually I cannot paste the url into browser and obtain the token.

I have tried following python script:

import urllib.request
with urllib.request.urlopen("https://orcid.org/oauth/authorize?client_id=APP-90R3NMFJNN5M4J84&response_type=code&scope=/authenticate&redirect_uri=http://ebloc.org") as url:
    s = url.read()
print(s)

But since I didn't logged in into my own orcID account it didn't return me the /code=*** section. So my issue become, first I need to login my self into my orcid account under console. I am not sure how could I do this.

Thanks for your valuable help.

[Alper Alimoglu]

Please note that I do not want to use any GUI for this approach.

[Demeranville, Tom]

I'm a bit confused.  What are you trying to achieve?

The ORCID ID record owner MUST be involved with the login attempt.  That's how they grant permission to access their record.  It cannot be done without them. 

If you visit https://orcid.org/oauth/authorize?client_id=APP-90R3NMFJNN5M4J84&response_type=code&scope=/authenticate&redirect_uri=http://ebloc.org in a browser you will see that it returns a login form.  Usernames and passwords can only be submitted using this form and not using automated scripts.

There are two-step OAuth flows for reading public records that can be done without an authorisation step.

Tom Demeranville

Technology Advocate

ORCID Inc

https://orcid.org/0000-0003-0902-4386

On Wed, May 16, 2018 at 9:29 AM, Alper Alimoglu <alper.a...@gmail.com> wrote:

Please note that I do not want to use any GUI for this approach.

--
You received this message because you are subscribed to the Google Groups "ORCID API Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to orcid-api-users+unsubscribe@googlegroups.com.
To post to this group, send email to orcid-api-users@googlegroups.com.
Visit this group at https://groups.google.com/group/orcid-api-users.
For more options, visit https://groups.google.com/d/optout.

[Alper Alimoglu]

I just want to obtain ?code=svrdQ7 section from console, not using GUI, basically.

[Demeranville, Tom]

It's not possible.  Codes are only generated when a user logs in, and the user cannot log in via a console.  

What are you planning to use the code for?  It would help if you explained your use case.

Tom.

Tom Demeranville

Technology Advocate

ORCID Inc

https://orcid.org/0000-0003-0902-4386

On Wed, May 16, 2018 at 11:19 AM, Alper Alimoglu <alper.a...@gmail.com> wrote:

I just want to obtain ?code=svrdQ7 section from console, not using GUI, basically.

--

[Andrew Gilmartin]

If you are only reading records then this can done using the public API, eg

curl -H 'Accept: application/json'
'https://pub.orcid.org/v2.0/0000-0001-6901-4767'

-- Andrew
--
Andrew Gilmartin
agilm...@crossref.org
401-441-2062

On Wed, May 16, 2018 at 6:22 AM, Demeranville, Tom
<t.demer...@orcid.org> wrote:
> It's not possible. Codes are only generated when a user logs in, and the
> user cannot log in via a console.
>
> What are you planning to use the code for? It would help if you explained
> your use case.
>
> Tom.
>
> Tom Demeranville
> Technology Advocate
> ORCID Inc
> https://orcid.org/0000-0003-0902-4386
>
> On Wed, May 16, 2018 at 11:19 AM, Alper Alimoglu <alper.a...@gmail.com>
> wrote:
>>
>> I just want to obtain ?code=svrdQ7 section from console, not using GUI,
>> basically.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "ORCID API Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an

>> email to orcid-api-use...@googlegroups.com.
>> To post to this group, send email to orcid-a...@googlegroups.com.

>> Visit this group at https://groups.google.com/group/orcid-api-users.
>> For more options, visit https://groups.google.com/d/optout.
>
>

> --
> You received this message because you are subscribed to the Google Groups
> "ORCID API Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an

> email to orcid-api-use...@googlegroups.com.
> To post to this group, send email to orcid-a...@googlegroups.com.

[Alper Alimoglu]

@Andre Gilmartin: I am having following error:

$ curl -H 'Accept: application/json https://pub.orcid.org/v2.0/0000-0001-6901-4767'
curl: no URL specified!
curl: try 'curl --help' or 'curl --manual' for more information

[Andrew Gilmartin]

Looks like my quotes got messed up. Try,

curl -H 'Accept: application/json'
'https://pub.orcid.org/v2.0/0000-0001-6901-4767'

-- Andrew
--
Andrew Gilmartin
agilm...@crossref.org
401-441-2062

[Alper Alimoglu]

@Tom Demeranville 

I just want to verify that honest have shared his/her orcid.

Each user registers into an application I implemented, by providing their ORCID. But issue here is that, they may register with someone else's ORCID.

I just want to check somehow, did the user register with their own ORCID.

I observe that when the code=/** used more than one time it says: "Reused authorization code: ***"; so I guess I only have chance to use it.

I thought: maybe user can share their code=/*** as encrypted and my application can decrypt and verify user's orcid.

[Alper Alimoglu]

Sorry for the typo: I just want to verify that **user honestly** have shared his/her orcid. @Tom Demeranville 

[Monica Duke]

The ‘authorization server’ in OAuth needs to interact with the user  - which is commonly done through a GUI…….these resources sound like they are about a similar scenario to what you describe – sharing in case they help – note mainly about Google as the authorization server, so not all methods are necessarily supported by ORCID authentication and authorization server.

 

Getting ORCID IDs that are authenticated is good practice – as you say it gives more confidence in the correctness of the ID (as indeed is recommended by ORCID) – what you are asking is for the ORCID authentication server to interact with the user by command line OR (if it is acceptable for you) that the user run a command that you give them to paste in the browser and copy the token to you, then the links may have some suggestions, but it sounds messy from a user interaction point of view (as one of the issues).

 

https://stackoverflow.com/questions/30008357/oauth2-client-server-authentication-for-a-command-line-utility

 

https://stackoverflow.com/questions/13317987/authorizing-command-line-tool-to-consume-google-apis-through-oauth2-0-or-anythi

 

http://www.benmccann.com/oauth-in-a-command-line-script/

https://martinfowler.com/articles/command-line-google.html

 

(Note I’ve not tried these myself, just had a look around for my own curiosity).

 

Monica

 

--

You received this message because you are subscribed to the Google Groups "ORCID API Users" group.

To unsubscribe from this group and stop receiving emails from it, send an email to orcid-api-use...@googlegroups.com.
To post to this group, send email to orcid-a...@googlegroups.com.

Visit this group at https://groups.google.com/group/orcid-api-users.
For more options, visit https://groups.google.com/d/optout.

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.

Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.

[Alper Alimoglu]

Thanks I will have a look. I guess my best option is to use GUI.

There is a great demo (https://github.com/ORCID/orcid-php-demo-app). I was not able to make it work :(

Please see: https://github.com/ORCID/orcid-php-demo-app/issues/13 

[Demeranville, Tom]

"Each user registers into an application I implemented, by providing their ORCID. But issue here is that, they may register with someone else's ORCID.

I just want to check somehow, did the user register with their own ORCID."

People should never be asked to type in an ORCID.  You should obtain it via OAuth (and a browser, sorry!)

One approach to this is for you to:
- Create a small webapp separate from the console app.  (this can be a single page of pure javascript/html)
- The web app does the OAuth part, and allows the user to cut and paste the openid id_token returned from ORCID
- the user pastes the openid id_token into your console app.
- the console app validates the open id token. (by checking the JWT signature) and extracts the authenticated ORCID ID.

Basically add the 'openid' scope to your authentication request to get the id token.  See here for the open id docs: https://github.com/ORCID/ORCID-Source/blob/master/orcid-web/ORCID_AUTH_WITH_OPENID_CONNECT.md

Example openid javascript: https://github.com/ORCID/orcid-spring-oauth-examples/tree/master/js-orcid-jwt

Tom.

Tom Demeranville

Technology Advocate

ORCID Inc

https://orcid.org/0000-0003-0902-4386

--

You received this message because you are subscribed to the Google Groups "ORCID API Users" group.

To unsubscribe from this group and stop receiving emails from it, send an email to orcid-api-users+unsubscribe@googlegroups.com.
To post to this group, send email to orcid-api-users@googlegroups.com.