- Client sends a request of the form:
- https://WIKI_AUTH_ENDPOINT/auth?response_type=code&client_id=CLIENT_ID& scope=SCOPE&state=STATE
- State is a random string generated by the client which will be sent back to the client.
- Server verifies that there is a logged-in user associated with the wiki
- If not, redirect to Special:UserLogin
- User is presented with the authorization dialog (client is not whitelisted)
- If the user does not approve, an authentication failure is returned
- If the user approves:
- Server generates authentication code
- Server redirects back to the client with:
- https://REDIRECT_URI/cb?code=AUTH_CODE&state=STATE
- Client sends a POST request to https://WIKI_AUTH_ENDPOINT/token with the following parameters:
- grant_type=authorization_code
- code=AUTH_CODE
- client_id=CLIENT_ID
- client_secret=CLIENT_SECRET
- Server responds with and access token and expiration or an error
- Configurable optional step to get user information from the server
- See also:
- OAuth 2.0 Spec: RFC 6749
- Simplified authentication workflow: https://aaronparecki.com/oauth-2-simplified/
- Client whitelisting (see step 3) is out of scope for this task but may be implemented later
- Research scope values
- Is there a standard approach for retrieving the user values?
- While the implementation should be independent of client, see "Configuring the JSON User Endpoint" at https://meta.discourse.org/t/oauth2-basic-support/33879 for how to retrieve user values from Discourse to return user id, username, full name (optional), and email (optional)
Priority: Must Have
Acceptance Criteria:
Case 1:
- User requests login from client
- User is already logged in to the server (wiki)
- User is presented with the authorization dialog
- User authorizes server
- RESULT: User is logged in to the client and returned user information is available
Case 2:
- User requests login from client
- User is already logged in to the server (wiki)
- User is presented with the authorization dialog
- User does not authorize server
- RESULT: User is not logged in to the client
Case 3:
- User requests login from client
- User is already not logged in to the server (wiki)
- User is presented with the log in page for the wiki
- User successfully logs in to the wiki
- User is presented with the authorization dialog
- User authorizes server
- RESULT: User is logged in to the client and returned user information is available
Case 4:
- User requests login from client
- User is not already logged in to the server (wiki)
- User is presented with the log in page for the wiki
- User successfully logs in to the wiki
- User is presented with the authorization dialog
- User does not authorize server
- RESULT: User is not logged in to the client
Case 5:
- User requests login from client
- User is not already logged in to the server (wiki)
- User is presented with the log in page for the wiki
- User does not successfully log in to the wiki
- RESULT: User is not logged in to the client or the server