I've spent a while working on a user-management strategy. Here's what I've come up with.
CGWP will not in any way manage or store passwords for accounts. We will retain only publicly accessible information and rely on ORCID to provide authentication. Users will require an ORCID account to become a contributor.
CGWP is a registered app at ORCID, and is allowed to use the API. Using ORCID examples, I have a system that works like this:
- Users click a log-in link, which shuffles them off to ORCID to sign in.
- Once signed in, ORCID returns them to a CGWP page that checks that they are a CGWP user and gets a responsibility parameter for their account. This is then used to allow access to, for example, the editor.
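
The sign-in flow above, sketched as an added example (not CGWP's own code): it builds the log-in link with a CSRF `state` value, then on return checks the state and the ORCID iD before looking up the responsibility. The client ID, redirect URI, user table and function names are assumptions, and the server-side exchange of the authorization code at ORCID's token endpoint is left out so the block runs offline.

```python
import hmac
import secrets
from urllib.parse import urlencode

# Assumed placeholders, not CGWP's real registration details.
CLIENT_ID = "APP-XXXXXXXXXXXXXXXX"
REDIRECT_URI = "https://cgwp.example/orcid-return"
AUTHORIZE_URL = "https://orcid.org/oauth/authorize"

# Constructed local table: ORCID iD -> responsibility. No passwords are stored.
CGWP_USERS = {"0000-0002-1825-0097": "editor"}


def login_link():
    """Return (url, state); state is kept in the user's session to stop CSRF."""
    state = secrets.token_urlsafe(32)
    query = urlencode({
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "/authenticate",
        "redirect_uri": REDIRECT_URI,
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", state


def valid_orcid(orcid):
    """Check the ISO 7064 MOD 11-2 check digit of an ORCID iD."""
    digits = orcid.replace("-", "")
    body = digits[:15]
    if len(digits) != 16 or not (body.isascii() and body.isdigit()):
        return False
    total = 0
    for ch in body:
        total = (total + int(ch)) * 2
    check = (12 - total % 11) % 11
    return digits[15] == ("X" if check == 10 else str(check))


def responsibility_for(session_state, returned_state, token_response, users=CGWP_USERS):
    """Return the user's responsibility, or None if access must be refused.

    token_response is the JSON from ORCID's token endpoint; the iD is taken
    only from there, never from a parameter the browser supplies.
    """
    if not session_state or not hmac.compare_digest(
            session_state.encode(), str(returned_state).encode()):
        return None  # callback is not tied to a login this session started
    orcid = str(token_response.get("orcid", ""))
    if not valid_orcid(orcid):
        return None
    return users.get(orcid)  # None for ORCID users who are not CGWP contributors
```
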
I am currently working on the last issue wherein ORCID's logout mechanism isn't working for me. I have a test here. Next is to finish off the editor.