Mobile Open Auth
- the user launch the APP
- the user goes to settings
- the user add a site
- the user enter site url, website consumer key and website consumer secret
- the user is redirected to Moodle login page (an inside browser)
- the user login Moodle. Moodle displays a 'authentication requested by NAME_OF_THE_APP' button
- the user accepts and Moodle sends (displays ?) a Mobile ws token to the APP
- the APP tests the connection
A simple intro of how OAuth works, let's say moodle mobile app is a oauth client, moodle website as oauth server.
- oauth client needs consumer key and consumer secret to initiate an oauth session
- oauth client create signature by HMAC-SHA1 using consumer secret, consumer key, timestamp, nonce, callback, sending signature along with these parameters(except secret) to oauth server, then you got oauth token, oauth token secret
- oauth client open authorize_url (using oauth token as parameter), leave oauth token secret in client, click 'approve' button in authorize_url
- oauth server will direct you to your callback url, The callback request informs the client that user completed the authorization process
- Now use oauth token and oauth token secret to request access key (need to generate a new signature), store access key and access secret in oauth client, this is the final credentials you need for request protected resource, it need to be included in http header and the signature need to be updated as well.