User:Dantman/OAuth/SecDiscoveFlow

From mediawiki.org
[User] Visit: http://app.example.com
[App] What wiki do you want to edit?
[User] http://en.wikipedia.org/wiki/Main_Page
// [App] GET http://en.wikipedia.org/wiki/Main_Page HTTP/1.1
// [App] GET http://en.wikipedia.org/w/api.php?action=rsd HTTP/1.1
???

[App] GET https://$discovery[]/discovery?url={http://en.wikipedia.org/wiki/Main_Page}
[Discovery] GET http://en.wikipedia.org/wiki/Main_Page
[...]
[Discovery] GET http://en.wikipedia.org/w/api.php?action=oauth2.key
< {WP-PUBKEY}

[App<-Discovery]
{
  "api": "http://en.wikipedia.org/w/api.php",
  "oauth2": {
    "authorization": "http://en.wikipedia.org/w/index.php?title=Special:OAuth",
    "token": "http://en.wikipedia.org/w/api.php?action=oauth2.token",
    "revoke": "http://en.wikipedia.org/w/api.php?action=oauth2.revoke",
    "register": "http://en.wikipedia.org/w/api.php?action=oauth2.register",
    "pubkey": "{WP-PUBKEY}"
  }
}
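Before the app acts on a discovery reply of the shape above, it should check that the document cannot steer the client secret or tokens somewhere else. The validator below is an added example, not part of this page or of any MediaWiki extension; it assumes the app also fetches `action=oauth2.key` from the wiki itself to cross-check the relayed `pubkey`, and that endpoints must be https and on the same host as `api`. The discovery document is constructed, with one tampered endpoint.

```python
"""Validate an OAuth2 discovery document before trusting its endpoints.
Assumed policy: https only, every endpoint on the api host, relayed pubkey
must equal the key the app fetched from the wiki directly."""
import json
from urllib.parse import urlparse

# Constructed sample in the shape of the [App<-Discovery] reply; the
# "register" endpoint has been tampered with to point at another host.
DISCOVERY_JSON = json.dumps({
    "api": "https://en.wikipedia.org/w/api.php",
    "oauth2": {
        "authorization": "https://en.wikipedia.org/w/index.php?title=Special:OAuth",
        "token": "https://en.wikipedia.org/w/api.php?action=oauth2.token",
        "revoke": "https://en.wikipedia.org/w/api.php?action=oauth2.revoke",
        "register": "https://evil.example.net/api.php?action=oauth2.register",
        "pubkey": "{WP-PUBKEY}",
    },
})

ENDPOINTS = ("authorization", "token", "revoke", "register")

def validate_discovery(doc_text, pubkey_from_wiki):
    """Return a list of problems; an empty list means the document may be used.

    pubkey_from_wiki is the key the app fetched itself from the wiki's
    api.php?action=oauth2.key endpoint (assumed), used to cross-check the
    copy relayed by the discovery service.
    """
    problems = []
    doc = json.loads(doc_text)
    oauth = doc.get("oauth2", {})
    for name in ENDPOINTS + ("pubkey",):
        if name not in oauth:
            problems.append("missing oauth2.%s" % name)
    api = urlparse(doc.get("api", ""))
    if api.scheme != "https":
        problems.append("api endpoint is not https")
    for name in ENDPOINTS:
        url = urlparse(oauth.get(name, ""))
        if url.scheme != "https":
            problems.append("%s endpoint is not https" % name)
        # The secret key and tokens must only ever go to the wiki's own host,
        # never to a host chosen by whoever answered the discovery request.
        if url.netloc != api.netloc:
            problems.append("%s endpoint host %r differs from api host %r"
                            % (name, url.netloc, api.netloc))
    if oauth.get("pubkey") != pubkey_from_wiki:
        problems.append("relayed pubkey does not match key fetched from wiki")
    return problems
```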

[App] POST http://en.wikipedia.org/w/api.php?action=oauth2.register
{
  "type": "pull",
  "url": "http://app.example.com/client.json",
  "": {
    "": "",
    "": "[SECRET KEY ENCRYPTED WITH WP-PUBKEY]"
  }
}

[WP] GET http://app.example.com/client.json
{
  [...]
//  "": [ "basic", "mac" ]
}

[App<-WP]
{ENCRYPTED WITH SECRETKEY}
{
  "client_id": "...",
  "client_secret": "...",
  "client_secret_type": "mac",
  "mac_": "..."
}

[] http://en.wikipedia.org/w/index.php?title=Special:OAuth&response_type=code&client_id=...&redirect_uri=...&state=...

http://app.example.com/oauth?code=...&state=...

POST http://en.wikipedia.org/w/api.php?action=oauth2.token
Authorization: MAC ...
grant_type=authorization_code&code=...&redirect_uri=...

{
  "access_token": "...",
  "token_type": "mac",
  "expires_in": "...",
  "refresh_token": "...",
}
((How do we get this encrypted so that a mitm can't take the tokens?))