OAuth scopes

[evanp]

Clients should be able to ask for different levels of access. Right now I can think of these levels:

• Read your profile
• Write your profile
• Read your social graph (followers, following, lists)
• Read your favourites
• Read your inbox
• Read your outbox
• Post response activities (like, comment, share) to stuff on their own site
• Post new content or other kinds of activities

There's probably a lot more.

[clacke]

• No access (pure authentication)

[matzegebbe]

We should be able to delete an access over the WUI after it was granted. (remove the accesstoken from database)

[evanp]

So, I worked on this for #530 , and after talking with @aaronpk I picked three scope values:

• "read": Read the user's data endpoints as the user. Useful for one-way bridges, authentication, network analysis, etc.
• "writeown": Create activities that are in response to or related to objects on the client's site. So, we'd use this for peers on the federated social web, or for games like OpenFarmGame.
• "writeall": Write any activities. This would be used for general-purpose clients.

I am not sure if we need more fine-grained scopes than that. With scopes, you trade off fine-grained control ("only allow this client to post Like activities on these servers", "only allow this client to read my followers but not my inbox") for user interface (there are so many options that people just click "OK" no matter what).

I think the above levels are probably enough. You can see the concerns that have come up, linked to this issue, and the three scopes mentioned cover those cases.