[User] Visit: http://app.example.com
[App] What wiki do you want to edit?
[User] http://en.wikipedia.org/wiki/Main_Page
// [App] GET http://en.wikipedia.org/wiki/Main_Page HTTP/1.1
// [App] GET http://en.wikipedia.org/w/api.php?action=rsd HTTP/1.1
???
[App] GET https://$discovery[]/discovery?url={http://en.wikipedia.org/wiki/Main_Page}
[Discovery] GET http://en.wikipedia.org/wiki/Main_Page
[...]
[Discovery] GET http://en.wikipedia.org/w/api.php?action=oauth2.key
< {WP-PUBKEY}
[App<-Discovery]
{
"api": "http://en.wikipedia.org/w/api.php",
"oauth2": {
"authorization": "http://en.wikipedia.org/w/index.php?title=Special:OAuth",
"token": "http://en.wikipedia.org/w/api.php?action=oauth2.token",
"revoke": "http://en.wikipedia.org/w/api.php?action=oauth2.revoke",
"register": "http://en.wikipedia.org/w/api.php?action=oauth2.register",
"pubkey": "{WP-PUBKEY}"
}
}
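The discovery response above comes back through a third party, for a wiki URL the user typed in, so the app should not post its secret key to "register" or its authorization code to "token" on the strength of that document alone. The following is an added example (not code from the page, MediaWiki, or any discovery service) of the checks an app can run first. The rules are assumptions of this example rather than anything the page specifies: all five oauth2 keys present, every endpoint on the same host as "api", everything https, and the "pubkey" in the document must match one the app fetched from the wiki itself via api.php?action=oauth2.key (passed in as pubkey_from_wiki). The sample document is the page's own discovery response as a constructed literal.

```python
"""Checks an app should run on an oauth2 discovery response before trusting it.

Added example, not code from the page. The endpoint/https/pubkey rules below
are this example's assumptions, not part of the page's protocol.
"""
from urllib.parse import urlsplit

ENDPOINTS = ("authorization", "token", "revoke", "register")

# The discovery response from the flow above, as a constructed Python literal.
PAGE_DISCOVERY = {
    "api": "http://en.wikipedia.org/w/api.php",
    "oauth2": {
        "authorization": "http://en.wikipedia.org/w/index.php?title=Special:OAuth",
        "token": "http://en.wikipedia.org/w/api.php?action=oauth2.token",
        "revoke": "http://en.wikipedia.org/w/api.php?action=oauth2.revoke",
        "register": "http://en.wikipedia.org/w/api.php?action=oauth2.register",
        "pubkey": "{WP-PUBKEY}",
    },
}


def check_discovery(doc, pubkey_from_wiki=None):
    """Return a list of problems; an empty list means the document is usable."""
    problems = []
    api = doc.get("api")
    if not isinstance(api, str) or not api:
        return ["api missing"]
    api_parts = urlsplit(api)
    if api_parts.scheme != "https":
        problems.append("api is not https")
    oauth2 = doc.get("oauth2") or {}
    for name in ENDPOINTS:
        url = oauth2.get(name)
        if not url:
            problems.append(f"oauth2.{name} missing")
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append(f"oauth2.{name} is not https")
        # An endpoint on another host would receive the secret key or the code.
        if parts.netloc.lower() != api_parts.netloc.lower():
            problems.append(
                f"oauth2.{name} host {parts.netloc!r} differs from api host {api_parts.netloc!r}"
            )
    pubkey = oauth2.get("pubkey")
    if not pubkey:
        problems.append("oauth2.pubkey missing")
    elif pubkey_from_wiki is not None and pubkey != pubkey_from_wiki:
        # The secret key gets encrypted to this key, so it must be the wiki's own.
        problems.append("oauth2.pubkey differs from key fetched from the wiki")
    return problems


def with_https(doc):
    """Same document with every endpoint URL rewritten to https (demo helper)."""
    out = {"api": doc["api"].replace("http://", "https://", 1), "oauth2": {}}
    for k, v in doc["oauth2"].items():
        out["oauth2"][k] = v.replace("http://", "https://", 1) if k in ENDPOINTS else v
    return out


if __name__ == "__main__":
    print(check_discovery(PAGE_DISCOVERY))
    print(check_discovery(with_https(PAGE_DISCOVERY), pubkey_from_wiki="{WP-PUBKEY}"))
```

Run against the page's own document, the checker flags the api and all four endpoints as plain http; the same document with https URLs and a matching pubkey passes, and a token endpoint moved to another host is reported as a host mismatch.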
[App] POST http://en.wikipedia.org/w/api.php?action=oauth2.register
{
"type": "pull",
"url": "http://app.example.com/client.json",
"": {
"": "",
"": "[SECRET KEY ENCRYPTED WITH WP-PUBKEY]"
}
}
[WP] GET http://app.example.com/client.json
{
[...]
// "": [ "basic", "mac" ]
}
[App<-WP]
{ENCRYPTED WITH SECRETKEY}
{
"client_id": "...",
"client_secret": "...",
"client_secret_type": "mac",
"mac_": "..."
}
[] http://en.wikipedia.org/w/index.php?title=Special:OAuth&response_type=code&client_id=...&redirect_uri=...&state=...
http://app.example.com/oauth?code=...&state=...
POST http://en.wikipedia.org/w/api.php?action=oauth2.token
Authorization: MAC ...
grant_type=authorization_code&code=...&redirect_uri=...
{
"access_token": "...",
"token_type": "mac",
"expires_in": "...",
"refresh_token": "..."
}
((How do we get this encrypted so that a MITM can't take the tokens? The MAC scheme only authenticates the request; it does not hide anything. The token endpoint, and the redirect back to app.example.com carrying the code, have to be served over https, which the http:// URLs above are not.))
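The "Authorization: MAC ..." line in the token request above is left elided. What follows is an added example, not code from the page or from MediaWiki, showing both sides of that step: the app computing the request MAC as in draft-ietf-oauth-v2-http-mac-01 (ts, nonce, method, request-uri, host, port, ext, each followed by a newline, keyed with the client's MAC key), and the token endpoint verifying it (parse the header, look up the key by id, bound the timestamp, reject replayed nonces, constant-time compare). The key id, MAC key, port 443 and the HMAC-SHA-256 choice are assumptions of the example; the page's URLs are http, and the draft also lets the server pick the algorithm.

```python
"""MAC-signed token request, both the app side and the token endpoint side.

Added example, not code from the page. Follows the normalized request string
of draft-ietf-oauth-v2-http-mac-01; key id, MAC key, port and algorithm are
assumptions for the demo.
"""
import base64
import hashlib
import hmac
import re
import secrets
import time

# The token request from the flow above; port 443 is an assumption (page uses http).
TOKEN_METHOD = "POST"
TOKEN_URI = "/w/api.php?action=oauth2.token"
TOKEN_HOST = "en.wikipedia.org"
TOKEN_PORT = "443"


def normalized_request(ts, nonce, method, uri, host, port, ext=""):
    """Every element, including the last (ext), is followed by a newline."""
    return "".join(f"{v}\n" for v in (ts, nonce, method.upper(), uri, host, port, ext))


def compute_mac(mac_key, ts, nonce, method, uri, host, port, ext=""):
    msg = normalized_request(ts, nonce, method, uri, host, port, ext).encode()
    return base64.b64encode(hmac.new(mac_key.encode(), msg, hashlib.sha256).digest()).decode()


def mac_authorization_header(key_id, mac_key, method, uri, host, port, ts=None, nonce=None):
    """App side: the value of the Authorization header."""
    ts = str(int(time.time())) if ts is None else ts
    nonce = secrets.token_urlsafe(8) if nonce is None else nonce
    mac = compute_mac(mac_key, ts, nonce, method, uri, host, port)
    return f'MAC id="{key_id}", ts="{ts}", nonce="{nonce}", mac="{mac}"'


_ATTR = re.compile(r'(\w+)="([^"]*)"')


class TokenEndpoint:
    """Server side: MAC keys handed out at oauth2.register plus a replay cache."""

    def __init__(self, clients, max_skew=300):
        self.clients = clients      # key id -> MAC key
        self.max_skew = max_skew    # seconds of clock skew tolerated
        self.seen = set()           # accepted (id, ts, nonce) triples

    def verify(self, header, method, uri, host, port, now=None):
        if not header.startswith("MAC "):
            return False, "not a MAC header"
        attrs = dict(_ATTR.findall(header[4:]))
        missing = {"id", "ts", "nonce", "mac"} - attrs.keys()
        if missing:
            return False, "missing " + ", ".join(sorted(missing))
        mac_key = self.clients.get(attrs["id"])
        if mac_key is None:
            return False, "unknown key id"
        now = int(time.time()) if now is None else now
        if not attrs["ts"].isdigit() or abs(now - int(attrs["ts"])) > self.max_skew:
            return False, "timestamp outside window"
        replay_key = (attrs["id"], attrs["ts"], attrs["nonce"])
        if replay_key in self.seen:
            return False, "replayed nonce"
        # Recompute over the request the server actually received, not the header's claims.
        expected = compute_mac(mac_key, attrs["ts"], attrs["nonce"], method, uri, host, port)
        if not hmac.compare_digest(expected.encode(), attrs["mac"].encode()):
            return False, "bad mac"
        self.seen.add(replay_key)
        return True, "ok"


def demo(now=1700000000):
    """Sign the token request once, then show tampering, replay and staleness rejected."""
    endpoint = TokenEndpoint({"app-example-com": "s3cr3t-mac-key"})
    header = mac_authorization_header("app-example-com", "s3cr3t-mac-key",
                                      TOKEN_METHOD, TOKEN_URI, TOKEN_HOST, TOKEN_PORT,
                                      ts=str(now), nonce="dj83hs9s")
    args = (TOKEN_METHOD, TOKEN_URI, TOKEN_HOST, TOKEN_PORT)
    return {
        "tampered": endpoint.verify(header, TOKEN_METHOD, "/w/api.php?action=oauth2.revoke",
                                    TOKEN_HOST, TOKEN_PORT, now=now),
        "accepted": endpoint.verify(header, *args, now=now),
        "replay": endpoint.verify(header, *args, now=now),
        "stale": endpoint.verify(header, *args, now=now + 1000),
    }


if __name__ == "__main__":
    print(demo())
```

Note what the MAC does not cover: the request body (grant_type, code, redirect_uri) is outside the normalized string in this draft, and nothing in the header hides the response. Those are the reasons the token endpoint still needs https.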