w3c / wot-security

a repo exclusively for security to better manage issues and security considerations for WoT
https://w3c.github.io/wot-security/

Re-introduce OAuth2 Security Scheme to TD #165

Closed mmccool closed 2 years ago

mmccool commented 4 years ago

Full OAuth2 was removed from the last TD spec due to a lack of implementations. However, it is important, and a full implementation is necessary for consistency with other standards. So we should re-introduce it... and get two implementations done. One of those should certainly be node-wot; we should discuss another. We probably should also define "features" as "OAuth2 flows" for test and validation purposes.

It happens to also be important for some PoCs that are in progress.

mmccool commented 4 years ago

Action: Create a PR to re-introduce a "full" OAuth2 security scheme back into the TD spec.

mmccool commented 4 years ago

Notes:

  1. probably should support ALL flows for consistency
  2. should look again at OpenAPI and aim for consistency with that spec as well
  3. should align with PoCs and implementation use cases, and with the node-wot "reference implementation"
  4. should aim for release as part of the TD "update"

relu91 commented 4 years ago

Just a couple of comments about the OAuth 2.0 code flow. As far as I understand the protocol, it requires user (human) interaction; therefore it is not feasible during device-to-device communication (unless a human triggers this interaction? How to handle this scenario?). However, in eclipse/thingweb.node-wot#201 I pinpointed two other use cases where the user interacts through the node-wot client with the device.

Finally, another flow that is worth mentioning and is quite widespread is the device extension flow. It still requires human intervention, though.

mmccool commented 2 years ago

This issue can be closed now: we have reviewed the flows and decided to only allow "code" and "client" from the standard flows in TD 1.1, and also added "device". However, "password" and "implicit" are deprecated and not considered secure, so we are not including built-in support for them (they can, however, be used via an extension).
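The decision above (only the "code", "client" and "device" flows in TD 1.1, with "password" and "implicit" rejected) can be enforced as a lint on a Thing Description's `securityDefinitions`. The checker below is an added example written for this page; it is not code from the issue, the TD specification or node-wot. The per-flow endpoint requirements it applies are assumptions taken from the OAuth 2.0 RFCs rather than quoted from the TD spec (authorization-code and device flows need both an authorization and a token endpoint, client-credentials needs only a token endpoint), the https-only rule is a defensive assumption, and the sample TD and its URLs are constructed.

```javascript
// Added example (not from w3c/wot-security, the TD spec or node-wot): lint the
// OAuth2 security schemes of a WoT Thing Description against the TD 1.1 flow
// decision: allow "code", "client" and "device"; reject "password" and "implicit".
//
// Assumption: endpoint requirements per flow follow the OAuth 2.0 RFCs, not the
// TD spec text. code (RFC 6749 §4.1): authorization + token; client credentials
// (RFC 6749 §4.4): token; device (RFC 8628): authorization (used as the device
// authorization endpoint) + token.
const ALLOWED_FLOWS = Object.freeze({
  code:   ["authorization", "token"],
  client: ["token"],
  device: ["authorization", "token"],
});
const DEPRECATED_FLOWS = new Set(["password", "implicit"]);

// Assumption: tokens travel over these endpoints, so insist on https.
function isHttpsUrl(value) {
  try { return new URL(value).protocol === "https:"; } catch { return false; }
}

// Returns a list of problems for one security definition (empty when acceptable).
function checkOAuth2Scheme(name, scheme) {
  const problems = [];
  if (!scheme || scheme.scheme !== "oauth2") return problems; // other schemes are out of scope
  const flow = scheme.flow;
  if (DEPRECATED_FLOWS.has(flow)) {
    problems.push(`${name}: flow "${flow}" is deprecated and not allowed in TD 1.1`);
    return problems;
  }
  if (!(flow in ALLOWED_FLOWS)) {
    problems.push(`${name}: unknown flow "${flow}" (allowed: ${Object.keys(ALLOWED_FLOWS).join(", ")})`);
    return problems;
  }
  for (const field of ALLOWED_FLOWS[flow]) {
    if (typeof scheme[field] !== "string") {
      problems.push(`${name}: flow "${flow}" requires "${field}"`);
    } else if (!isHttpsUrl(scheme[field])) {
      problems.push(`${name}: "${field}" must be an https URL, got ${scheme[field]}`);
    }
  }
  return problems;
}

// Walks every entry of td.securityDefinitions and collects all problems.
function checkThingDescription(td) {
  const defs = (td && td.securityDefinitions) || {};
  return Object.entries(defs).flatMap(([name, s]) => checkOAuth2Scheme(name, s));
}

// Constructed sample TD (hypothetical auth.example URLs): one valid device-flow
// scheme, one deprecated password-flow scheme, one client-flow scheme over plain http.
const SAMPLE_TD = {
  "@context": "https://www.w3.org/2022/wot/td/v1.1",
  title: "Example Thing",
  securityDefinitions: {
    oauth_device: {
      scheme: "oauth2", flow: "device",
      authorization: "https://auth.example/device",
      token: "https://auth.example/token",
      scopes: ["read"],
    },
    oauth_pw: { scheme: "oauth2", flow: "password", token: "https://auth.example/token" },
    oauth_client_plain: { scheme: "oauth2", flow: "client", token: "http://auth.example/token" },
  },
  security: ["oauth_device"],
};

// Stand-alone run: prints the two problems found in the sample TD.
console.log(checkThingDescription(SAMPLE_TD).join("\n"));
```

The checker returns problems rather than throwing so a TD validator can report every offending definition at once; a deployment gate would fail the TD when the returned list is non-empty.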