Talk:Auth systems/OAuth/Design
Using OAuth to verify the identity of a Wiki user
One of the most important reasons that I have users log into their wiki account when they use WP:Snuggle is so that I can verify their identity (and good standing). I'm hoping that, when MediaWiki switches to an OAuth scheme, my users would not need to maintain a separate username and password in Snuggle in order to preserve an Access Token.
- Unfortunately, OAuth is not an Authentication protocol. It is only meant to be used for Authorizing Snuggle to act on the user's behalf. If you need authentication, you'll want to look into OpenID. This blog post gives a good explanation of why this is the case. CSteipp (talk) 17:35, 5 June 2013 (UTC)
So here's the question: What would my use case look like for a user who had previously provided permission to a wiki-tool (Authorization Token), but currently has not verified their identity with this wiki-tool?
Workflows for obtaining permission and verifying identity
This is how I understand the workflow when a user has not yet provided permission:
1. Client asks Server for Request Token
2. Server provides Request Token to Client
3. Client forwards the Resource Owner to the Server
4. Resource Owner logs into server and verifies permissions
5. Server forwards the Resource Owner back to Client
6. Client asks Server for an Authorization Token (using Request Token)
7. Server provides Authorization Token
8. Client asks Server whoami (api.php?action=query&meta=userinfo)
At this point, Client has verified Resource Owner's identity and can act on his/her behalf.
This is how I assume the workflow will look like for a user who had previously provided permission, but not verified his/her identity (differences are highlighted):
1. Client asks Server for Request Token
2. Server provides Request Token to Client
3. Client forwards the Resource Owner to the Server
4. Resource Owner logs in, but has already provided permission
5. Server immediately forwards the Resource Owner back to Client
6. Client asks Server for an Authorization Token (using Request Token)
7. Server provides the exact same Authorization Token it previously had
8. Client asks Server whoami (api.php?action=query&meta=userinfo)
At this point, Client has verified Resource Owner's identity and can act on his/her behalf. Client would have no need to store the Authorization Token at all. Does this look right? --EpochFail (talk) 14:50, 5 June 2013 (UTC)