Talk:Auth systems/OAuth/Design

Using OAuth to verify the identity of a Wiki user
One of the most important reasons that I have users log into their wiki account when they use WP:Snuggle is so that I can verify their identity (and good standing). I'm hoping that, when MediaWiki switches to an OAuth scheme, my users would not need to maintain a separate username and password in Snuggle in order to preserve an.

So here's the question: What would my use case look like for a user who had previously provided permission to a wiki-tool, but currently has not verified their identity with this wiki-tool?

Workflows for obtaining permission and verifying identity
This is how I understand the workflow when a user has not yet provided permission:
 * 1)  asks   for
 * 2)  provides   to
 * 3)  forwards the   to the
 * 4)  logs into server and verifies permissions
 * 5)  forwards the   back to
 * 6)  asks   for an   (using  )
 * 7)  provides
 * 8)  asks   whoami (api.php?action=query&meta=userinfo)

At this point,  has verified Resource Owner's identity and can act on his/her behalf.

This is how I assume the workflow will look for a user who had previously provided permission, but not verified his/her identity (differences are highlighted):
 * 1)  asks   for
 * 2)  provides   to
 * 3)  forwards the   to the
 * 4)  logs in, but has already provided permission
 * 5)  immediately forwards the   back to
 * 6)  asks   for an   (using  )
 * 7)  provides the exact same   it previously had
 * 8)  asks   whoami (api.php?action=query&meta=userinfo)

At this point,  has verified  's identity and can act on his/her behalf. would have no need to store the  at all. Does this look right? --EpochFail (talk) 14:50, 5 June 2013 (UTC)
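
The two workflows above as a runnable sketch, added here as an example; it is not part of the post above and not MediaWiki code. The consumer/provider and request-token/access-token names follow OAuth 1.0a usage and, like every class and function name, are assumptions; the in-memory provider returns the same access token on a repeat visit only because the post assumes it does.

```python
import secrets

class Provider:
    """Toy in-memory stand-in for the wiki; hypothetical, not MediaWiki's API."""
    def __init__(self):
        self.grants = {}          # (consumer, user) -> access token
        self.request_tokens = {}  # request token -> consumer and authorizing user
        self.access_tokens = {}   # access token -> user
        self.consent_prompts = 0  # how often the user was asked for permission

    def request_token(self, consumer):       # steps 1-2
        rt = secrets.token_hex(8)
        self.request_tokens[rt] = {"consumer": consumer, "user": None}
        return rt

    def authorize(self, rt, user):           # steps 3-5, after the user logs in
        entry = self.request_tokens[rt]
        if (entry["consumer"], user) not in self.grants:
            self.consent_prompts += 1        # first visit only: ask for permission
            self.grants[(entry["consumer"], user)] = secrets.token_hex(8)
        entry["user"] = user
        return rt                            # forwarded back to the consumer

    def access_token(self, consumer, rt):    # steps 6-7
        entry = self.request_tokens.pop(rt)  # a request token is single use
        if entry["consumer"] != consumer or entry["user"] is None:
            raise PermissionError("request token not authorized for this consumer")
        at = self.grants[(consumer, entry["user"])]
        self.access_tokens[at] = entry["user"]
        return at

    def whoami(self, at):                    # step 8: action=query&meta=userinfo
        user = self.access_tokens.get(at)
        if user is None:                     # anonymous reply: id 0 plus "anon"
            return {"query": {"userinfo": {"id": 0, "name": "0.0.0.0", "anon": ""}}}
        return {"query": {"userinfo": {"id": user[0], "name": user[1]}}}


def login(provider, consumer, user):
    """Consumer side of steps 1-8; returns (verified user name, access token)."""
    rt = provider.request_token(consumer)
    provider.authorize(rt, user)             # happens in the user's browser
    at = provider.access_token(consumer, rt)
    info = provider.whoami(at)["query"]["userinfo"]
    if "anon" in info or info["id"] == 0:    # never trust a name from an anon reply
        raise PermissionError("identity not verified")
    return info["name"], at
```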