Get access token via 2 legged OAuth authorization

[ciakovx]

Hi Scott, I recently created a Jupyter Notebook in a Binder environment to teach rorcid. See https://ciakovx.github.io/rorcid for the walkthrough, and https://mybinder.org/v2/gh/ciakovx/ciakovx.github.io/ab4cd2280f36aad96fbcd6fd72c932c0323f1be8 for the direct link to the Binder.

orcid_auth() wouldn't work in this scenario, as I didn't want the students to have to download R and you can't open a browser window from within the Jupyter Notebook for the 3 legged authentication. ORCID provides a way to get the key via 2-legged OAuth: https://members.orcid.org/api/oauth/2legged-oauth. From my understanding, in order to do this the user has to have a client secret and key. Once they have it, I wrote the following request to get their access token (fake client ID and secret). Just something to consider for future iterations. Thanks for all your work on rorcid and with ROpenSci, as always I find your work to be immensely helpful and indispensable.

# copy/paste your client ID from https://orcid.org/developer-tools
orcid_client_id <- "APP-UXL71DIF91UFKDA"

# copy/paste your client secret from https://orcid.org/developer-tools
orcid_client_secret <- "c7e221dc-0b9c-48cf-92sq-24446b8490231e"

# send the request for the access token
orcid_request <- POST(url  = "https://orcid.org/oauth/token",
          config = add_headers(`Accept` = "application/json",
                               `Content-Type` = "application/x-www-form-urlencoded"),
          body = list(grant_type = "client_credentials",
                      scope = "/read-public",
                      client_id = orcid_client_id,
                      client_secret = orcid_client_secret),
          encode = "form")

# parse token
orcid_response <- content(orcid_request)

# set token
Sys.setenv(ORCID_TOKEN = orcid_response$access_token)

#confirm authorization
rorcid::orcid_auth(scope = "/authenticate",
                   reauth = TRUE)

Session Info

─ Session info ──────────────────────────────────────────────────────────────────────────
 setting  value                       
 version  R version 3.6.1 (2019-07-05)
 os       macOS Mojave 10.14.5        
 system   x86_64, darwin15.6.0        
 ui       RStudio                     
 language (EN)                        
 collate  en_US.UTF-8                 
 ctype    en_US.UTF-8                 
 tz       America/Chicago             
 date     2020-08-14                  

─ Packages ──────────────────────────────────────────────────────────────────────────────
 package     * version  date       lib source                          
 assertthat    0.2.1    2019-03-21 [1] CRAN (R 3.6.0)                  
 backports     1.1.8    2020-06-17 [1] CRAN (R 3.6.2)                  
 callr         3.4.3    2020-03-28 [1] CRAN (R 3.6.2)                  
 cli           2.0.2    2020-02-28 [1] CRAN (R 3.6.0)                  
 crayon        1.3.4    2017-09-16 [1] CRAN (R 3.6.0)                  
 crul          0.9.0    2019-11-06 [1] CRAN (R 3.6.0)                  
 curl          4.3      2019-12-02 [1] CRAN (R 3.6.0)                  
 desc          1.2.0    2018-05-01 [1] CRAN (R 3.6.0)                  
 devtools      2.3.1    2020-07-21 [1] CRAN (R 3.6.2)                  
 digest        0.6.25   2020-02-23 [1] CRAN (R 3.6.0)                  
 ellipsis      0.3.1    2020-05-15 [1] CRAN (R 3.6.2)                  
 evaluate      0.14     2019-05-28 [1] CRAN (R 3.6.0)                  
 fansi         0.4.1    2020-01-08 [1] CRAN (R 3.6.0)                  
 fauxpas       0.5.0    2020-04-13 [1] CRAN (R 3.6.2)                  
 fs            1.4.2    2020-06-30 [1] CRAN (R 3.6.2)                  
 glue          1.4.1    2020-05-13 [1] CRAN (R 3.6.2)                  
 htmltools     0.5.0    2020-06-16 [1] CRAN (R 3.6.2)                  
 httpcode      0.3.0    2020-04-10 [1] CRAN (R 3.6.2)                  
 httr          1.4.2    2020-07-20 [1] CRAN (R 3.6.2)                  
 jsonlite      1.7.0    2020-06-25 [1] CRAN (R 3.6.2)                  
 knitr         1.29     2020-06-23 [1] CRAN (R 3.6.2)                  
 magrittr      1.5      2014-11-22 [1] CRAN (R 3.6.0)                  
 memoise       1.1.0    2017-04-21 [1] CRAN (R 3.6.0)                  
 packrat       0.5.0    2018-11-14 [1] CRAN (R 3.6.0)                  
 pkgbuild      1.1.0    2020-07-13 [1] CRAN (R 3.6.2)                  
 pkgload       1.1.0    2020-05-29 [1] CRAN (R 3.6.2)                  
 prettyunits   1.1.1    2020-01-24 [1] CRAN (R 3.6.0)                  
 processx      3.4.3    2020-07-05 [1] CRAN (R 3.6.2)                  
 ps            1.3.3    2020-05-08 [1] CRAN (R 3.6.2)                  
 R6            2.4.1    2019-11-12 [1] CRAN (R 3.6.0)                  
 remotes       2.2.0    2020-07-21 [1] CRAN (R 3.6.2)                  
 rlang         0.4.7    2020-07-09 [1] CRAN (R 3.6.2)                  
 rmarkdown     2.3      2020-06-18 [1] CRAN (R 3.6.2)                  
 rorcid      * 0.6.4.97 2020-05-29 [1] Github (ropensci/rorcid@96308ca)
 rprojroot     1.3-2    2018-01-03 [1] CRAN (R 3.6.0)                  
 rstudioapi    0.11     2020-02-07 [1] CRAN (R 3.6.0)                  
 sessioninfo   1.1.1    2018-11-05 [1] CRAN (R 3.6.0)                  
 testthat      2.3.2    2020-03-02 [1] CRAN (R 3.6.0)                  
 usethis       1.6.1    2020-04-29 [1] CRAN (R 3.6.2)                  
 whisker       0.4      2019-08-28 [1] CRAN (R 3.6.0)                  
 withr         2.2.0    2020-04-20 [1] CRAN (R 3.6.2)                  
 xfun          0.16     2020-07-24 [1] CRAN (R 3.6.2)                  
 yaml          2.2.1    2020-02-01 [1] CRAN (R 3.6.0)    

[sckott]

Thanks for this - i'll take a look

[sckott]

I agree it's not always possible to open a browser. I think what I've written in the docs, or just thought in my head maybe, was that users can get the token via 3 legged auth and then store the key as an env var locally, but this is a good idea to allow a workflow that doesn't require an interactive step so that it works on servers and other environments that don't allow opening a auth window.

used a modified version of code above, and its used inside orcid_auth, reinstall , then see new params client_id and client_secret - also updated the description of the different auth options in the orcid_auth manual file - let me know if you have any thoughts

[sckott]

• make sure to update readme and any other places where auth info is to be consistent throughout pkg