README

Allows other sites to use the elgg server as an oauth identity manager

1. Register a new application at /admin/applications
2. Authorize the user by having them log in at [url]/oauth/authorize?client_id=xxxxxxxx&state=xxxxxxxx&response_type=code&scope=user where client_id is the generated id of the application, and the state is a random string to prevent CSRF attacks
3. The user will log in if necessary and authorize the application
4. The user will be redirected back to the redirect_uri with the original state in a query param and a code: [redirect_uri]?state=xxxxxx&code=xxxxxxxx
5. Make a POST request to /oauth/token with body params of

    {
        client_id: xxxxxxxx,
        client_secret: xxxxxxx,
        grant_type: 'authorization_code',
        redirect_uri: 'https://xxxxxxxxxxxxx',
        code: xxxxxxxxxx
    }

1. The result will be an access token

    {
        "access_token": "369e27dae447d3856fc538a217536b186cea1bc3",
        "expires_in": 3600,
        "token_type": "Bearer",
        "scope": "user",
        "refresh_token": "3c706473a576815c503a119626d674331becc4c8"
    }

1. The access token in the header: Authorization: Bearer 369e27dae447d3856fc538a217536b186cea1bc3 for future OAuth api calls
2. Retrieve the user info from the GET endpoint /oauth/api/me

    {
        "name": "Matt Beckett",
        "username": "mbeckett",
        "email": "matt@arckinteractive.com"
    }

1. Use the refresh token to get a fresh access token if necessary, make a POST request to /oauth/token with body params of

    {
        client_id: xxxxxxxx,
        client_secret: xxxxxxx,
        grant_type: 'refresh_token',
        refresh_token: xxxxxxxxxx
    }