Auth systems/OAuth/Design

OAuth Features

 * To simplify the design, and to work with many of the existing OAuth client libraries that currently work with Twitter's OAuth 1.0 implementation, we will start by implementing OAuth 1.0a
   * We can move to one or more OAuth 2 flows next year if there is demand
   * This will allow users to use HTTPS or HTTP when using OAuth, since every call must be signed. To keep things simple, we may only support HMAC to start?


 * There will be an Application Registration page for registering applications
   * If this process is usable for power users,


 * There will be an approval page, where a logged-in user will grant permissions to an application
   * Users should be warned of privacy implications
   * Should users re-enter their password?
   * Allow applications to update their privileges? This is not part of the specification, but should be a simple addition.


 * There will be a page where users can see and manage their approved applications
   * See grants
   * Revoke if desired


 * The MW API accepts signed requests
   * wgUser set up for the user
   * Hook ApiCheckCanExecute to authorize?