Talk:Auth systems/OAuth/Design

Using OAuth to verify the identity of a Wiki user
One of the most important reasons that I have users log into their wiki account when they use WP:Snuggle is so that I can verify their identity (and good standing). I'm hoping that, when MediaWiki switches to an OAuth scheme, my users would not need to maintain a separate username and password in Snuggle in order to preserve an.


 * Unfortunately, OAuth is not an Authentication protocol. It is only meant to be used for Authorizing Snuggle to act on the user's behalf. If you need authentication, you'll want to look into OpenID. This blog post gives a good explanation of why this is the case. CSteipp (talk) 17:35, 5 June 2013 (UTC)

So here's the question: What would my use case look like for a user who had previously provided permission to a wiki-tool, but currently has not verified their identity with this wiki-tool?

Workflows for obtaining permission and verifying identity
This is how I understand the workflow when a user has not yet provided permission:
 * 1)  asks   for
 * 2)  provides   to
 * 3)  forwards the   to the
 * 4)  logs into server and verifies permissions
 * 5)  forwards the   back to
 * 6)  asks   for an   (using  )
 * 7)  provides
 * 8)  asks   whoami (api.php?action=query&meta=userinfo)

At this point,  has verified Resource Owner's identity and can act on his/her behalf.

This is how I assume the workflow will look for a user who had previously provided permission, but not verified his/her identity (differences are highlighted):
 * 1)  asks   for
 * 2)  provides   to
 * 3)  forwards the   to the
 * 4)  logs in, but has already provided permission
 * 5)  immediately forwards the   back to
 * 6)  asks   for an   (using  )
 * 7)  provides the exact same   it previously had
 * 8)  asks   whoami (api.php?action=query&meta=userinfo)

At this point,  has verified  's identity and can act on his/her behalf. would have no need to store the  at all. Does this look right? --EpochFail (talk) 14:50, 5 June 2013 (UTC)
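
Step 8 of both workflows, as an added example (not part of either post above, and not MediaWiki or Snuggle code): a tool deciding whether a `meta=userinfo` reply actually identifies a logged-in account in good standing. It assumes the request was signed with the access token from step 7 and sent with `format=json` and `uiprop=blockinfo|groups`; the sample replies and the function names are constructed for illustration.

```python
import json

# Constructed sample replies (not captured from a real wiki).
OK = '{"query":{"userinfo":{"id":4242,"name":"ExampleUser","groups":["*","user"]}}}'
ANON = '{"query":{"userinfo":{"id":0,"name":"203.0.113.5","anon":""}}}'
BLOCKED = '{"query":{"userinfo":{"id":77,"name":"BlockedExample","blockid":9}}}'
ERROR = '{"error":{"code":"example-error-code","info":"constructed"}}'


class IdentityError(Exception):
    """The reply does not identify a logged-in account in good standing."""


def identity_from_userinfo(body):
    """Return (user_id, name, groups) from a meta=userinfo JSON reply.

    Assumes the request was signed with the access token obtained in step 7
    and sent with format=json and uiprop=blockinfo|groups.
    """
    try:
        reply = json.loads(body)
    except ValueError as exc:
        raise IdentityError("reply is not JSON") from exc
    if not isinstance(reply, dict):
        raise IdentityError("unexpected reply shape")
    if "error" in reply:
        # API-level failure, for example a rejected signature or token.
        raise IdentityError("API error")
    query = reply.get("query")
    info = query.get("userinfo") if isinstance(query, dict) else None
    if not isinstance(info, dict):
        raise IdentityError("no userinfo in reply")
    # Anonymous callers get id 0 and an "anon" key; the name is an IP address.
    if "anon" in info or not info.get("id") or not info.get("name"):
        raise IdentityError("no logged-in account in reply")
    # Block details appear only for blocked accounts (the "good standing" check).
    if "blockid" in info:
        raise IdentityError("account is blocked")
    return info["id"], info["name"], tuple(info.get("groups", ()))


def verdict(body):
    """Map a reply to 'ok:<name>' or 'rejected:<reason>' for logging."""
    try:
        return "ok:" + identity_from_userinfo(body)[1]
    except IdentityError as exc:
        return "rejected:" + str(exc)
```

The tool should treat any rejected reply as "identity not verified" and not fall back to a username supplied by the browser.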