miniluz / AstronAuth

Implementation of OAuth 2.0
MIT License

Read and document the OAuth 2.0 RFC #1

Closed miniluz closed 5 months ago

miniluz commented 5 months ago

Read the OAuth 2.0 RFC-6749 and write down what you actually need to implement.

miniluz commented 5 months ago

Having read it, I have decided to only support the authorization code grant. It seems sufficient for what I want with this project.

miniluz commented 5 months ago

As I've been unable to find a proper graph for the flow, I will insert it from the RFC verbatim here:

     +----------+
     | Resource |
     |   Owner  |
     |          |
     +----------+
          ^
          |
         (B)
     +----|-----+          Client Identifier      +---------------+
     |         -+----(A)-- & Redirection URI ---->|               |
     |  User-   |                                 | Authorization |
     |  Agent  -+----(B)-- User authenticates --->|     Server    |
     |          |                                 |               |
     |         -+----(C)-- Authorization Code ---<|               |
     +-|----|---+                                 +---------------+
       |    |                                         ^      v
      (A)  (C)                                        |      |
       |    |                                         |      |
       ^    v                                         |      |
     +---------+                                      |      |
     |         |>---(D)-- Authorization Code ---------'      |
     |  Client |          & Redirection URI                  |
     |         |                                             |
     |         |<---(E)----- Access Token -------------------'
     +---------+       (w/ Optional Refresh Token)

Figure 3 from the OAuth 2.0 RFC

miniluz commented 5 months ago

The following endpoints thus need to be implemented, each one with their own issues:

  1. Client registration (RFC): For the client to identify itself. Implementation details are unspecified.
  2. Authorization (RFC): Resource owner identifies and authorizes the client, returns an authorization code grant.
  3. Token (RFC): Client submits authorization code grant and is returned a token.
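To show how the three endpoints above fit together with the steps (A) to (E) of Figure 3, here is an in-memory model of the authorization code grant. This is an added example and not AstronAuth's code; the function names, the dictionary tables standing in for a database, and the fixed code and token lifetimes are all assumptions. It enforces the checks RFC 6749 asks of the authorization and token endpoints: redirect URIs are pinned at registration and matched exactly, the code is bound to the client and redirect URI that requested it, it expires, it is single-use, and a replayed code revokes the token it already produced.

```python
"""In-memory model of the OAuth 2.0 authorization code grant (RFC 6749 4.1).
Added illustration, not AstronAuth code; names and storage are assumptions."""
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

CODE_LIFETIME_S = 600   # RFC 6749 4.1.2: codes should be short-lived (max 10 min)
TOKEN_LIFETIME_S = 3600

# Constructed in-memory tables standing in for a database.
_clients = {}   # client_id -> {"secret": str, "redirect_uris": [str]}
_codes = {}     # code -> {"client_id", "redirect_uri", "user", "expires", "used"}
_tokens = {}    # access_token -> {"client_id", "user", "code", "expires"}


def register_client(redirect_uris):
    """Endpoint 1: registration. The RFC leaves the mechanics unspecified; here
    we mint an id/secret pair and pin the redirect URIs the client may use."""
    for uri in redirect_uris:
        if urlparse(uri).fragment:
            raise ValueError("redirect URI must not contain a fragment (3.1.2)")
    client_id = secrets.token_urlsafe(16)
    client_secret = secrets.token_urlsafe(32)
    _clients[client_id] = {"secret": client_secret, "redirect_uris": list(redirect_uris)}
    return client_id, client_secret


def authorize(client_id, redirect_uri, state, authenticated_user, *, now=None):
    """Endpoint 2: authorization, steps (A)-(C). The resource owner has already
    authenticated and consented; issue a code bound to this client and redirect
    URI and hand it back through a redirect that echoes `state` unchanged."""
    now = time.time() if now is None else now
    client = _clients.get(client_id)
    # Exact-match the registered URI (3.1.2.3) and never redirect to an
    # unregistered one (3.1.2.4): that would hand the code to a third party.
    if client is None or redirect_uri not in client["redirect_uris"]:
        raise ValueError("unknown client or unregistered redirect URI")
    code = secrets.token_urlsafe(32)
    _codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                    "user": authenticated_user, "expires": now + CODE_LIFETIME_S,
                    "used": False}
    return redirect_uri + "?" + urlencode({"code": code, "state": state})


def token(client_id, client_secret, code, redirect_uri, *, now=None):
    """Endpoint 3: token, steps (D)-(E). The client authenticates and swaps the
    code for an access token; every check from 4.1.3 runs before issuing."""
    now = time.time() if now is None else now
    client = _clients.get(client_id)
    if client is None or not secrets.compare_digest(client["secret"], client_secret):
        return {"error": "invalid_client"}
    grant = _codes.get(code)
    if grant is None or grant["client_id"] != client_id:
        return {"error": "invalid_grant"}
    if grant["used"]:
        # Replay of a used code: deny, and revoke what it already produced (4.1.2).
        for tok in [t for t, meta in _tokens.items() if meta["code"] == code]:
            del _tokens[tok]
        return {"error": "invalid_grant"}
    if now > grant["expires"] or grant["redirect_uri"] != redirect_uri:
        return {"error": "invalid_grant"}
    grant["used"] = True
    access_token = secrets.token_urlsafe(32)
    _tokens[access_token] = {"client_id": client_id, "user": grant["user"],
                             "code": code, "expires": now + TOKEN_LIFETIME_S}
    return {"access_token": access_token, "token_type": "Bearer",
            "expires_in": TOKEN_LIFETIME_S}


def demo_flow():
    """Run the whole Figure 3 exchange in-process; returns (first, replay, code)."""
    cid, csec = register_client(["https://client.example/cb"])
    location = authorize(cid, "https://client.example/cb", "xyz", "alice", now=1000)
    query = parse_qs(urlparse(location).query)
    assert query["state"] == ["xyz"]          # state must come back untouched
    code = query["code"][0]
    first = token(cid, csec, code, "https://client.example/cb", now=1001)
    replay = token(cid, csec, code, "https://client.example/cb", now=1002)
    return first, replay, code


if __name__ == "__main__":
    first, replay, _ = demo_flow()
    print(first)    # access token issued
    print(replay)   # {'error': 'invalid_grant'}, and the first token is revoked
```

The `now` parameter exists only so the expiry checks can be exercised deterministically; a real server would use the clock. Note that the token endpoint does not mark the code as used until all other checks pass, so a request with the wrong redirect URI or secret does not burn the code for the legitimate client, while a replay of an already-used code does revoke the earlier token.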