CloudServices/Sync/FxSync/Archived/OAuth

From MozillaWiki
Revision as of 04:47, 3 April 2008 by Thunder

Back to Labs/Weave.

Note: this page is lacking some design and discussion around Weave specifics. For example, the diagram doesn't take into account Weave's encryption model.

Introduction

A key goal of Weave is to enable third party applications to build services that make use of information stored in Weave.

It is a key principle of Weave that users own their data, and have complete control over its use. Users need to explicitly enable third parties to access their data.

Enabling that third party access should not require that users surrender their Weave login credentials to any third party.

This is the problem that OAuth was designed to solve.

Basic flow

Note: Weave is a "service provider" in OAuth parlance. Third-party applications wishing to access service provider data on behalf of a user are called "consumers".

The basic idea of OAuth Authentication is that:

1. The Consumer obtains an unauthorized "Request Token" from the Service Provider.
2. The User authorizes that Request Token with the Service Provider, then indicates to the Consumer that the token is authorized.
3. The Consumer then exchanges that Request Token for an Access Token that it can then use to access the protected resources at the Service Provider.

In the success case, the flow would basically be as follows:

[Figure: WeaveAndOauth.jpg]
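The three steps above as a token state machine on the Service Provider side. This is an added example, not code from the original page or from Weave. The class, the consumer name "photo-app" and the sample user are hypothetical, and OAuth 1.0 request signing is left out so that only the token lifecycle is shown.

```python
import secrets

class ServiceProvider:
    """Toy in-memory provider (hypothetical; not Weave's code)."""
    def __init__(self, users):
        self._users = users          # username -> password, held only by the provider
        self._request = {}           # request token -> {"consumer", "user"}
        self._access = {}            # access token -> (consumer, user)

    def issue_request_token(self, consumer):
        # Step 1: the token starts out unauthorized (no user bound to it).
        token = secrets.token_urlsafe(16)
        self._request[token] = {"consumer": consumer, "user": None}
        return token

    def authorize(self, token, username, password):
        # Step 2: the user logs in to the provider; the consumer never sees the password.
        entry, stored = self._request.get(token), self._users.get(username)
        if entry is None or stored is None or not secrets.compare_digest(stored, password):
            return False
        entry["user"] = username
        return True

    def exchange(self, consumer, token):
        # Step 3: only an authorized token, from its own consumer, is exchanged (once).
        entry = self._request.get(token)
        if entry is None or entry["consumer"] != consumer or entry["user"] is None:
            raise PermissionError("request token unknown, unauthorized, or not yours")
        del self._request[token]
        access = secrets.token_urlsafe(16)
        self._access[access] = (consumer, entry["user"])
        return access

    def get_resource(self, consumer, access):
        owner = self._access.get(access)
        if owner is None or owner[0] != consumer:
            raise PermissionError("invalid access token")
        return f"data of {owner[1]}"

def run_flow():
    sp = ServiceProvider({"alice": "constructed-password"})  # constructed sample user
    req = sp.issue_request_token("photo-app")                # hypothetical consumer
    try:
        sp.exchange("photo-app", req)   # too early: not yet authorized
        early = "allowed"
    except PermissionError:
        early = "denied"
    sp.authorize(req, "alice", "constructed-password")
    access = sp.exchange("photo-app", req)
    return early, sp.get_resource("photo-app", access)
```

The provider refuses the exchange until the user has authorized the request token, and a request token cannot be exchanged a second time or by a different consumer.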

References

OAuth Core 1.0 specification