User:CSteipp (WMF)/OAuth demo client

In order to use OAuth to make MediaWiki api calls on behalf of another user, you need to:
 * 1) Register your application, and get it approved by a wiki admin
 * 2) Get the user's permission, and get a set of authorized tokens
 * 3) When making api calls, include an Authorization: HTTP header, which identifies the user and proves your possession of the authorized token

Register your Application (Consumer)

 * Visit: https://www.mediawiki.org/wiki/Special:OAuthConsumerRegistration/propose
 * The wiki admin will use the email you leave there to contact you when your application has been approved

Obtain Authorized Tokens
You will need to complete this protocol for each user, in order to obtain the unique token and secret for that individual user. In a picture, this looks like.

The $data returned above contains the authorized token and secret to use when making api calls on behalf of the user. To use the authorized token/secret to make an edit, you will use some code such as:

Identify the User
This is optional! If a user has authorized your application, MediaWiki can provide your application with a cryptographically signed statement about the authorizing user. This should be used to identify the user, instead of calling the userinfo api, for various security reasons.

The OAuth extension packages the statement in a JSON Web Token (JWT). This token is cryptographically signed (using HMAC-SHA1) with the shared secret that your application was issued during registration (your Consumer Secret).

Your application needs to both check the signature on the JWT (to ensure an attacker hasn't tampered with the contents) and validate that the JWT was issued to you (to prevent an attacker from replaying a previously issued JWT, for example).
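As an added example (not the demo client's own code), here is how a consumer written in Python can validate the identify JWT described above: pin the HMAC-SHA1 algorithm, verify the signature with the Consumer Secret, and check that the token was issued to your consumer key, by the expected wiki, within its lifetime and with the nonce you sent. The `"HS1"` header value, the `iss`/`aud`/`iat`/`exp`/`nonce` claim names and the sample key, secret and issuer are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values: stand-ins for the key/secret you received at registration.
CONSUMER_KEY = "example-consumer-key"
CONSUMER_SECRET = "example-consumer-secret"
WIKI_ISSUER = "https://www.mediawiki.org"  # assumed: 'iss' carries the wiki's server URL

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_identify_jwt(payload: dict, secret: str) -> str:
    """Test helper (constructed) that builds an HMAC-SHA1 signed JWT as the wiki would."""
    header = {"typ": "JWT", "alg": "HS1"}  # assumed header value
    signing_input = _b64url_encode(json.dumps(header).encode()) + "." + _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha1).digest()
    return signing_input + "." + _b64url_encode(sig)

def verify_identify_jwt(token: str, expected_nonce: str, now=None) -> dict:
    """Return the claims only if signature, audience, issuer, lifetime and nonce all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header = json.loads(_b64url_decode(parts[0]))
    # Pin the algorithm: never let the token decide how it is verified.
    if header.get("alg") != "HS1":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(CONSUMER_SECRET.encode(), f"{parts[0]}.{parts[1]}".encode(), hashlib.sha1).digest()
    # Constant-time comparison so signature checking leaks no timing information.
    if not hmac.compare_digest(expected_sig, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("aud") != CONSUMER_KEY:
        raise ValueError("JWT was not issued to this consumer")
    if claims.get("iss") != WIKI_ISSUER:
        raise ValueError("JWT was not issued by the expected wiki")
    now = time.time() if now is None else now
    if not (claims["iat"] - 60 <= now <= claims["exp"]):  # small clock-skew allowance
        raise ValueError("JWT is expired or not yet valid")
    if claims.get("nonce") != expected_nonce:  # the nonce you sent with the identify request
        raise ValueError("nonce mismatch (possible replay)")
    return claims
```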