NAME

Plack::Auth::SSO::ORCID - implementation of Plack::Auth::SSO for ORCID

SYNOPSIS

#in your app.psgi

builder {

    #Register THIS URI in ORCID as a new redirect_uri
    mount "/auth/orcid" => Plack::Auth::SSO::ORCID->new(
        client_id => "APP-1",
        client_secret => "mypassword",
        sandbox => 1,
        uri_base => "http://localhost:5000",
        authorization_path => "/auth/orcid/callback",
        error_path => "/auth/error"
    )->to_app;

    #DO NOT register this uri as new redirect_uri in ORCID
    mount "/auth/orcid/callback" => sub {

        my $env = shift;
        my $session = Plack::Session->new($env);
        my $auth_sso = $session->get("auth_sso");

        #not authenticated yet
        unless( $auth_sso ){

            return [ 403, ["Content-Type" => "text/html"], ["forbidden"] ];

        }

        #process auth_sso (white list, roles ..)

        #auth_sso is a hash reference:
        #{
        #    package => "Plack::Auth::SSO::ORCID",
        #    package_id => "Plack::Auth::SSO::ORCID",
        #    response => {
        #        content_type => "application/json",
        #        content => ""{\"orcid\":\"0000-0002-5268-9669\",\"token_type\":\"bearer\",\"name\":\"Nicolas Franck\",\"refresh_token\":\"222222222222\",\"access_token\":\"111111111111\",\"scope\":\"/authenticate\",\"expires_in\":631138518}
        #    },
        #    uid => "0000-0002-5268-9669",
        #    info => {
        #        name => "Nicolas Franck"
        #    },
        #    extra => {}
        #}

        #you can reuse the "orcid" and "access_token" to get the user profile

        [ 200, ["Content-Type" => "text/html"], ["logged in!"] ];

    };

    mount "/auth/error" => sub {

        my $env = shift;
        my $session = Plack::Session->new($env);
        my $auth_sso_error = $session->get("auth_sso_error");

        unless ( $auth_sso_error ) {

            return [ 302, [ Location => $self->uri_for( "/" ) ], [] ];

        }

        [ 200, [ "Content-Type" => "text/plain" ], [
            "Something went wrong. User could not be authenticated against CAS\n",
            "Please report this error:\n",
            $auth_sso_error->{content}
        ]];

    };

};

DESCRIPTION

This is an implementation of Plack::Auth::SSO to authenticate against a ORCID (OAuth) server.

It inherits all configuration options from its parent.

Remember that this module only performs these steps:

* redirect to ORCID authorize url

* exchange authorization code for access token

Those steps provide the following information:

* uid: derived from "orcid"

* info.name: derived from "name"

* extra: everything else is that was returned in the hash response from ORCID

extra.access_token contains a code that conforms to the scope requested (see below).

If you want to request additional information from ORCID

CONFIG

Register the uri of this application in ORCID as a new redirect_uri.

DO NOT register the authorization_path in ORCID as the redirect_uri!

client_id

client_id for your application (see developer credentials from ORCID)

client_secret

client_secret for your application (see developer credentials from ORCID)

sandbox

0|1. Defaults to 0. When set to 1, this api makes use of http://sandbox.orcid.org instead of http://orcid.org.

public

0|1. Defaults to 1. 0 means you're using the member API.

scope

Requested scope. When not set, the parameter "public" will decide the value:

* public 1 : scope is "/authenticate"

* public 0 : scope is "/read-limited"

Please consult the ORCID to make sure that the parameters "public" and "scope" do not clash. (e.g. public is 1 and scope is "/read-limited")

ERRORS

Known ORCID errors are stored in the session key auth_sso_error ( Plack::Auth::SSO ).

"error" becomes "type"

"error_description" becomes "content"

Example:

{
    package => "Plack::Auth::SSO::ORCID",
    package_id => "Plack::Auth::SSO::ORCID",
    type => "invalid_grant",
    content => "Reused authorization code: abcdefg"

}

https://members.orcid.org/api/resources/error-codes

when it receives an non json response from ORCID, the type is "unknown", and content is set to the full return value.

AUTHOR

Nicolas Franck, <nicolas.franck at ugent.be>

SEE ALSO

Plack::Auth::SSO