User:Dantman/OAuth/SecDiscoveFlow

[User] Visit: http://app.example.com
[App] What wiki do you want to edit?
[User] http://en.wikipedia.org/wiki/Main_Page
// [App] GET http://en.wikipedia.org/wiki/Main_Page HTTP/1.1
// [App] GET http://en.wikipedia.org/w/api.php?action=rsd HTTP/1.1 ???

[App] GET https://$discovery[]/discovery?url={http://en.wikipedia.org/wiki/Main_Page}
[Discovery] GET http://en.wikipedia.org/wiki/Main_Page
[...]
[Discovery] GET http://en.wikipedia.org/w/api.php?action=oauth2.key
< {WP-PUBKEY}

[App<-Discovery]
{
  "api": "http://en.wikipedia.org/w/api.php",
  "oauth2": {
    "authorization": "http://en.wikipedia.org/w/index.php?title=Special:OAuth",
    "token": "http://en.wikipedia.org/w/api.php?action=oauth2.token",
    "revoke": "http://en.wikipedia.org/w/api.php?action=oauth2.revoke",
    "register": "http://en.wikipedia.org/w/api.php?action=oauth2.register",
    "pubkey": "{WP-PUBKEY}"
  }
}
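The discovery service is a third party sitting between the app and the wiki, so the app should not trust the endpoint URLs it hands back blindly: every endpoint has to live on the host the user actually typed, otherwise a bad discovery answer could steer the authorization redirect or the token request elsewhere. The following is an added example (not code from this page or from MediaWiki) of that check; it assumes the response shape sketched above ("api" plus an "oauth2" object with authorization/token/revoke/register/pubkey entries), and the function name is hypothetical. The `require_https` switch rejects plain-http endpoints; the sample document is constructed to match the page's sketch.

```python
"""Validate an OAuth discovery document before trusting its endpoints.

Added example, not code from the page or from MediaWiki. Assumes the
discovery response shape sketched on the page; names are hypothetical.
"""
import json
from urllib.parse import urlsplit

# Endpoints the app will later send the user or its own credentials to.
REQUIRED_ENDPOINTS = ("authorization", "token", "revoke", "register")


def validate_discovery(user_url, discovery_json, require_https=True):
    """Return the parsed document if every endpoint sits on the host the
    user named; raise ValueError otherwise."""
    doc = json.loads(discovery_json)
    user_host = urlsplit(user_url).hostname
    if not user_host:
        raise ValueError("user URL has no host")

    oauth2 = doc.get("oauth2")
    if not isinstance(oauth2, dict):
        raise ValueError("missing oauth2 section")

    urls = {"api": doc.get("api")}
    for name in REQUIRED_ENDPOINTS:
        urls[name] = oauth2.get(name)

    for name, url in urls.items():
        if not isinstance(url, str):
            raise ValueError(f"{name}: missing endpoint")
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError(f"{name}: not an absolute http(s) URL")
        # Pin every endpoint to the host the user typed: a discovery
        # document must not be able to redirect the flow to another site.
        if parts.hostname != user_host.lower():
            raise ValueError(f"{name}: host {parts.hostname} != {user_host}")
        if require_https and parts.scheme != "https":
            raise ValueError(f"{name}: endpoint not served over https")

    if not isinstance(oauth2.get("pubkey"), str) or not oauth2["pubkey"]:
        raise ValueError("pubkey: missing")
    return doc


# Constructed sample documents for a run of the check.
GOOD_DOC = json.dumps({
    "api": "https://en.wikipedia.org/w/api.php",
    "oauth2": {
        "authorization": "https://en.wikipedia.org/w/index.php?title=Special:OAuth",
        "token": "https://en.wikipedia.org/w/api.php?action=oauth2.token",
        "revoke": "https://en.wikipedia.org/w/api.php?action=oauth2.revoke",
        "register": "https://en.wikipedia.org/w/api.php?action=oauth2.register",
        "pubkey": "{WP-PUBKEY}",
    },
})

# Same document, but the token endpoint points at a different host.
BAD_HOST_DOC = GOOD_DOC.replace(
    "https://en.wikipedia.org/w/api.php?action=oauth2.token",
    "https://wiki.example.net/w/api.php?action=oauth2.token",
)

# The page's own sketch uses plain http everywhere.
PLAIN_HTTP_DOC = GOOD_DOC.replace("https://", "http://")

USER_URL = "http://en.wikipedia.org/wiki/Main_Page"


def check(doc_json, require_https=True):
    """Return True if the document validates, False if it is rejected."""
    try:
        validate_discovery(USER_URL, doc_json, require_https)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("good:", check(GOOD_DOC))
    print("foreign host:", check(BAD_HOST_DOC))
    print("plain http, https required:", check(PLAIN_HTTP_DOC))
    print("plain http, https optional:", check(PLAIN_HTTP_DOC, False))
```

Pinning on the hostname alone is deliberately simple; an app that also wants to distinguish wikis sharing a host would additionally compare the path prefix of the `api` URL against the endpoints.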

[App] POST http://en.wikipedia.org/w/api.php?action=oauth2.register
{
  "type": "pull",
  "url": "http://app.example.com/client.json",
  "": {
    "": "",
    "": "[SECRET KEY ENCRYPTED WITH WP-PUBKEY]"
  }
}

[WP] GET http://app.example.com/client.json
{
  [...]
  // "": [ "basic", "mac" ]
}

[App<-WP] {ENCRYPTED WITH SECRETKEY}
{
  "client_id": "...",
  "client_secret": "...",
  "client_secret_type": "mac",
  "mac_": "..."
}

[] http://en.wikipedia.org/w/index.php?title=Special:OAuth&response_type=code&client_id=...&redirect_uri=...&state=...

http://app.example.com/oauth?code=...&state=...

POST http://en.wikipedia.org/w/api.php?action=oauth2.token
Authorization: MAC ...

grant_type=authorization_code&code=...&redirect_uri=...

{
  "access_token": "...",
  "token_type": "mac",
  "expires_in": "...",
  "refresh_token": "..."
}
((How do we get this encrypted so that a mitm can't take the tokens?))
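The token request above carries `Authorization: MAC ...`, i.e. the client proves possession of the `client_secret` handed out at registration by signing the request rather than sending the secret itself. The following is an added example (not code from this page or from MediaWiki) of what such a signed request and its server-side check look like, loosely following the expired IETF OAuth 2.0 MAC token draft; the exact normalized-request layout (timestamp, nonce, method, request URI, host, port, ext, each newline-terminated, HMAC-SHA256, base64) is an assumption, as are the function and class names. The verifier also rejects stale timestamps and replayed nonces, which is the part a signed request buys you that a bare bearer secret does not. Key id, secret and URLs are constructed.

```python
"""Build and verify an OAuth 2.0 MAC-style Authorization header.

Added example, not code from the page or MediaWiki. Loosely follows the
expired IETF MAC token draft; the normalization format is an assumption.
"""
import base64
import hashlib
import hmac
import re
import secrets
import time
from urllib.parse import urlsplit


def _normalized_request(ts, nonce, method, url, ext=""):
    """Canonical string that both sides sign (layout is an assumption)."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    request_uri = p.path or "/"
    if p.query:
        request_uri += "?" + p.query
    parts = [str(ts), nonce, method.upper(), request_uri, p.hostname, str(port), ext]
    return "\n".join(parts) + "\n"


def _mac(secret, normalized):
    digest = hmac.new(secret.encode(), normalized.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def sign_request(key_id, secret, method, url, ts=None, nonce=None, ext=""):
    """Client side: return the value for the Authorization header."""
    ts = int(time.time()) if ts is None else ts
    nonce = nonce or secrets.token_urlsafe(12)
    mac = _mac(secret, _normalized_request(ts, nonce, method, url, ext))
    return f'MAC id="{key_id}", ts="{ts}", nonce="{nonce}", mac="{mac}"'


_PARAM = re.compile(r'(\w+)="([^"]*)"')


class MacVerifier:
    """Server side: check signature, timestamp window and nonce reuse."""

    def __init__(self, keys, max_skew=300):
        self.keys = keys          # key id -> shared secret (hypothetical store)
        self.max_skew = max_skew  # seconds of clock drift tolerated
        self.seen = set()         # (id, ts, nonce) triples already accepted

    def verify(self, header, method, url, now=None):
        if not header.startswith("MAC "):
            return False
        params = dict(_PARAM.findall(header[4:]))
        try:
            key_id, ts = params["id"], int(params["ts"])
            nonce, mac = params["nonce"], params["mac"]
        except (KeyError, ValueError):
            return False
        secret = self.keys.get(key_id)
        if secret is None:
            return False
        now = int(time.time()) if now is None else now
        if abs(now - ts) > self.max_skew:
            return False                      # stale or future-dated
        if (key_id, ts, nonce) in self.seen:
            return False                      # replayed request
        expected = _mac(secret, _normalized_request(ts, nonce, method, url, params.get("ext", "")))
        if not hmac.compare_digest(expected, mac):
            return False                      # tampered or wrong key
        self.seen.add((key_id, ts, nonce))
        return True


# Constructed values for a run.
KEY_ID, SECRET = "client-1", "constructed-mac-secret"
TOKEN_URL = "http://en.wikipedia.org/w/api.php?action=oauth2.token"
TS, NONCE = 1700000000, "n0nce-abc"


def demo():
    """Return (first, replay, tampered, stale, wrong_key) verification results."""
    header = sign_request(KEY_ID, SECRET, "POST", TOKEN_URL, ts=TS, nonce=NONCE)
    v = MacVerifier({KEY_ID: SECRET})
    first = v.verify(header, "POST", TOKEN_URL, now=TS)
    replay = v.verify(header, "POST", TOKEN_URL, now=TS)
    tampered = MacVerifier({KEY_ID: SECRET}).verify(
        header, "POST", TOKEN_URL.replace("oauth2.token", "oauth2.revoke"), now=TS)
    stale = MacVerifier({KEY_ID: SECRET}).verify(header, "POST", TOKEN_URL, now=TS + 400)
    wrong_key = MacVerifier({KEY_ID: "other"}).verify(header, "POST", TOKEN_URL, now=TS)
    return first, replay, tampered, stale, wrong_key


if __name__ == "__main__":
    print(demo())
```

The signature covers method, path, query, host and port, so a request captured on the wire cannot be re-pointed at another endpoint or replayed within the skew window; it does not cover the request body, and it does nothing for the response, which is exactly the open question the page ends on.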