Add Gitbook guide

Author: rmccue

README.md

@@ -1,51 +1,26 @@
-# OAuth 1.0a Server for WordPress
-This project is an OAuth 1.0a-compatible authentication method for WordPress.
-This is a separate-but-related project to [WP API][], designed to provide
-authentication suitable for the API.
+# WP REST API - OAuth 1.0a Server
 
-## Documentation
+Connect applications to your WordPress site without ever giving away your password.
 
-Read the [plugin's documentation][docs].
+This plugin uses the OAuth 1.0a protocol to allow delegated authorization; that is, to allow applications to access a site using a set of secondary credentials. This allows server administrators to control which applications can access the site, as well as allowing users to control which applications have access to their data.
 
-[docs]: https://github.com/WP-API/OAuth1/tree/master/docs
+## New to OAuth
 
+We strongly recommend you use an existing OAuth library. You'll be best off if you understand the authorization process, but leave the actual implementation to well-tested libraries, as there are a lot of edge cases.
 
-## Quick Setup
+Start reading from [the Introduction](docs/introduction/README.md) to get started!
 
-Want to test out the OAuth API and work on it? Here's how you can set up your own
-testing environment in a few easy steps:
+## For OAuth Veterans
 
-1. Install [Vagrant](http://vagrantup.com/) and [VirtualBox](https://www.virtualbox.org/).
-2. Clone [Chassis](https://github.com/Chassis/Chassis):
+If you already know how to use OAuth, here's the lowdown:
 
-   ```bash
-   git clone --recursive [email protected]:Chassis/Chassis.git api-tester
-   ```
-
-3. Grab a copy of WP API and OAuth API:
-
-   ```bash
-   cd api-tester
-   mkdir -p content/plugins content/themes
-   cp -r wp/wp-content/themes/* content/themes
-   git clone --recursive [email protected]:WP-API/WP-API.git content/plugins/json-rest-api
-   git clone [email protected]:WP-API/OAuth1.git content/plugins/oauth-server
-   ```
-
-4. Start the virtual machine:
-
-   ```bash
-   vagrant up
-   ```
-
-5. Browse to http://vagrant.local/wp/wp-admin/ and activate the WP API and OAuth
-   API plugins
-
-   ```
-   Username: admin
-   Password: password
-   ```
-
-6. Refer to the [documentation][docs] on how to connect an OAuth client.
-
-[WP API]: https://github.com/WP-API/WP-API
+* The plugin uses **OAuth 1.0a** in
+* We use the **three-legged flow**
+* To find the REST API index, apply the [API autodiscovery process](http://v2.wp-api.org/guide/discovery/)
+* The endpoints for the OAuth process are available in the REST API index: check for `$.authentication.oauth1` in the index data.
+    * The **temporary credentials** (request token) endpoint is `$.authentication.oauth1.request` (typically `/oauth1/request`)
+    * The **authorization** endpoint is `$.authentication.oauth1.authorize` (typically `/oauth1/authorize`)
+    * The **token exchange** (access token) endpoint is `$.authentication.oauth1.access` (typically `/oauth1/access`)
+* Your callback URL must match the registered callback URL for the application in the scheme, authority (user/password) host, port, and path sections. (**Subpaths are not allowed.**)
+* The only signature method supported is **HMAC-SHA1**.
+* OAuth parameters are supported in the Authorization header, query (GET) parameters, or request body (POST) parameters (if encoded as `application/x-www-form-urlencoded`). **OAuth parameters are not supported in JSON data.**

book.json

@@ -0,0 +1,16 @@
+{
+  "gitbook": "2.4.3",
+  "structure": {
+    "summary": "docs/README.md"
+  },
+  "plugins": ["edit-link", "prism", "-highlight", "github"],
+  "pluginsConfig": {
+    "edit-link": {
+      "base": "https://github.com/WP-API/OAuth1/tree/master",
+      "label": "Edit This Page"
+    },
+    "github": {
+      "url": "https://github.com/WP-API/OAuth1/"
+    }
+  }
+}

docs/.gitignore

@@ -0,0 +1,16 @@
+# Node rules:
+## Grunt intermediate storage (http://gruntjs.com/creating-plugins#storing-task-files)
+.grunt
+
+## Dependency directory
+## Commenting this out is preferred by some people, see
+## https://docs.npmjs.com/misc/faq#should-i-check-my-node_modules-folder-into-git
+node_modules
+
+# Book build output
+_book
+
+# eBook build output
+*.epub
+*.mobi
+*.pdf

docs/README.md

@@ -0,0 +1,14 @@
+# Table of Contents
+
+* [Start Here](/README.md)
+* [Introduction](/docs/introduction/README.md)
+    * [Why OAuth?](/docs/introduction/OAuth.md)
+    * [Why OAuth 1.0a?](/docs/introduction/OAuth-1.md)
+    * [Setup](/docs/introduction/Setup.md)
+* [Basics](/docs/basics/README.md)
+    * [Registering an Application](/docs/basics/Registering.md)
+    * [The Authorization Flow](/docs/basics/Auth-Flow.md)
+    * [Signing Requests](/docs/basics/Signing.md)
+* [Advanced](/docs/advanced/README.md)
+    * [Desktop/Mobile Clients](/docs/advanced/Desktop.md)
+    * [Web Clients](/docs/advanced/Web.md)

docs/advanced/Desktop.md

@@ -0,0 +1,34 @@
+# Desktop/Mobile Clients
+
+OAuth was originally designed for web applications, so desktop and mobile clients may wish to use the OAuth flow slightly differently. The authorization flow for OAuth requires both a browser and a callback URL for the second leg.
+
+
+## Callback URL Schemes
+
+The OAuth plugin supports any valid URL scheme, including custom schemes. This allows using custom schemes for callback URLs, which can then trigger your application. Note that for custom schemes, the authority (user and password) part must be empty, and the host **must not be empty** and must not contain invalid characters (such as `:#?[]`).
+
+For example, the following URLs are **invalid**:
+* `custom-app://`
+* `custom-app://?oauth_callback`
+* `custom-app://user:pass@oauth_callback`
+
+The following URLs are **valid**:
+* `custom-app://oauth_callback`
+* `custom-app://oauth?callback`
+* `custom-app://oauth/callback`
+* `custom-app://oauth_callback:42`
+
+
+## Out-of-Band Flow
+
+For clients without the ability to handle a callback URL, an out-of-band flow can be used. Rather than redirecting the user after authorization, this flow displays the verifier token to the user to copy to the client.
+
+To trigger the out-of-band flow, the callback URL must be set to `oob`. After the user has authorized the application, they'll be redirected to an internal page on the site which displays the verifier token. This can either be copy-and-pasted into the client (e.g. for command-line applications), or typed in manually.
+
+With the callback URL set to `oob`, the supplied callback and registered callback must match exactly, and must be `oob`. This means that clients can either have a callback URL **or** out-of-band handling, and cannot work with both.
+
+
+## Best Practices
+
+* Clients should use callback URLs if at all possible, with out-of-band flow as a last resort.
+* Clients should prefer the system browser rather a built-in browser, as the former typically has allows better usage of saved passwords. Using a built-in browser also gives a dangerous signal to users, as a compromised app could fake a login screen and phish their credentials.

docs/advanced/README.md

@@ -0,0 +1,4 @@
+# Advanced
+
+* [Desktop/Mobile Clients](Desktop.md)
+* [Web Clients](Web.md)

docs/advanced/Web.md

@@ -0,0 +1,29 @@
+# Web Clients
+
+OAuth was originally designed for working with web clients, so the process should be fairly smooth for most developers. There are some use cases that are tricky however, although not impossible to work with.
+
+
+## Distributed or Multi-Domain Clients
+
+One issue for clients with multiple domains (such as multisite WordPress installs) is callbacks: clients can only have a single registered callback, with no variation in most of the URL. This can make working with multiple domains tricky.
+
+This can be easily handled by adding extra query parameters to the callback URL, as these **can** be set on a per-request basis. These can then be handled by your callback URL to pass on to a secondary callback.
+
+For example, for a WordPress multisite, set the callback URL to a URL on the main site. A `site={id}` parameter can then be added when setting the callback for the request. The callback can then redirect the user's browser to a per-site callback based on this parameter (ensuring to pass along the `oauth_token` and `oauth_verifier` parameters.)
+
+**Note:** When using this method, be sure to verify the site. Check that the request token being handled was actually created by the site asking for it. If you're using domains instead of site IDs, be *very* careful not to redirect to an unknown domain. Failure to check this can easily lead to CSRF (phishing) attacks.
+
+
+## In-Browser Clients
+
+Increasingly with modern JavaScript-based applications, the application may run entirely in the user's browser. OAuth 1 was (unfortunately) not designed for this use case. OAuth 2 goes a long way to correcting this, but as mentioned previously, [we can't use it :(](../introduction/OAuth-1.md)
+
+This primarily falls down to  the application secret. OAuth 1.0a relies on the client secret being secret (duh) as the basis for the authorization flow. This is core to the signature process. Without this being secret, other applications can issue their own tokens as your application. OAuth 2 makes allowances for clients with public secrets with the `implicit` flow.
+
+The simplest way to handle this is to introduce a minimal server-side component. This can be created from scratch, or a prebuilt server such as [Guardian](http://guardianjs.com/) can be used instead.
+
+
+## Best Practices
+
+* Never expose secrets, such as in JS client-side applications. Instead, use a proxy to handle the OAuth authentication.
+* Similarly, never expose the verifier to sites outside of your control. The verifier is specifically intended for CSRF mitigation, so be exceedingly careful before passing it on to another URL.

docs/basics/Auth-Flow.md

@@ -0,0 +1,90 @@
+# The Authorization Flow
+
+The key to understanding how OAuth works is understanding the authorization flow. This is the process clients go through to link to a site.
+
+The flow with the OAuth plugin is called the **three-legged flow**, thanks to the three primary steps involved:
+
+* **Temporary Credentials Acquisition**: The client gets a set of temporary credentials from the server.
+* **Authorization**: The user "authorizes" the request token to access their account.
+* **Token Exchange**: The client exchanges the short-lived temporary credentials for a long-lived token.
+
+## Temporary Credentials Acquisition
+
+The first step to authorization is acquiring temporary credentials (also known as a **Request Token**). These credentials are short-lived (typically 24 hours), and are used purely for the initial authorization process. They don't grant any access to data on the server, and cannot be used for anything except the authorization flow.
+
+These credentials are acquired by an initial HTTP request to the server. The client starts by sending a POST request to the temporary credential URL, typically `/oauth1/request` with the plugin. (This URL should be autodiscovered from the API, as individual sites may move this route, or delegate the process to another server.) This looks something like:
+
+This request includes the client key (`oauth_consumer_key`), the authorization callback (`oauth_callback`), and the request signature (`oauth_signature` and `oauth_signature_method`). This looks something like:
+
+```
+POST /oauth1/request HTTP/1.1
+Host: server.example.com
+Authorization: OAuth realm="Example",
+               oauth_consumer_key="jd83jd92dhsh93js",
+               oauth_signature_method="HMAC-SHA1",
+               oauth_timestamp="123456789",
+               oauth_nonce="7d8f3e4a",
+               oauth_callback="http%3A%2F%2Fclient.example.com%2Fcb",
+               oauth_signature="..."
+```
+
+The server checks the key and signature to ensure the client  is valid. It also checks the callback to ensure it's valid for the client.
+
+Once the checks are complete, the server creates a new set of Temporary Credentials (`oauth_token` and `oauth_token_secret`) and returns them in the HTTP response (URL encoded). This looks something like:
+
+```
+HTTP/1.1 200 OK
+Content-Type: application/x-www-form-urlencoded
+
+oauth_token=hdk48Djdsa&oauth_token_secret=xyz4992k83j47x0b&oauth_callback_confirmed=true
+```
+
+These credentials are then used as the `oauth_token` and `oauth_token_secret` parameters for the Authorization and Token Exchange steps.
+
+(The `oauth_callback_confirmed=true` will always be returned, and indicates that the protocol is OAuth 1.0a.)
+
+
+## Authorization
+
+The next step in the flow is the authorization process. This is a user-facing step, and the one that most users will be familiar with.
+
+Using the authorization URL supplied by the site (typically `/oauth1/authorize`), the client appends the temporary credential key (`oauth_token` from above) to the URL as a query parameter (again as `oauth_token`). The client then directs the user to this URL. Typically, this is done via a redirect for in-browser clients, or opening a browser for native clients.
+
+The user then logs in if they aren't already, and authorizes the client. They can also choose to cancel the authorization process if they don't want to link the client.
+
+If the user authorizes the client, the site then marks the token as authorized, and redirects the user back to the callback URL. The callback URL includes two extra query parameters: `oauth_token` (the same temporary credential token) and `oauth_verifier`, a CSRF token that needs to be passed in the next step.
+
+
+## Token Exchange
+
+The final step in authorization is to exchange the temporary credentials (request token) for long-lived credentials (also known as an **Access Token**). This request also destroys the temporary credentials.
+
+The temporary credentials are converted to long-lived credentials by sending a POST request to the token request endpoint (typically `/oauth1/access`). This request must be signed by the temporary credentials, and must include the `oauth_verifier` token from the authorization step. The request looks something like:
+
+```
+POST /oauth1/access HTTP/1.1
+Host: server.example.com
+Authorization: OAuth realm="Example",
+               oauth_consumer_key="jd83jd92dhsh93js",
+               oauth_token="hdk48Djdsa",
+               oauth_signature_method="HMAC-SHA1",
+               oauth_timestamp="123456789",
+               oauth_nonce="7d8f3e4a",
+               oauth_verifier="473f82d3",
+               oauth_signature="..."
+```
+
+The server again checks the key and signature, as well as also checking the verifier token to [avoid CSRF attacks](http://oauth.net/advisories/2009-1/).
+
+Assuming these checks all pass, the server will respond with the final set of credentials in the HTTP response body (form data, URL-encoded):
+
+```
+HTTP/1.1 200 OK
+Content-Type: application/x-www-form-urlencoded
+
+oauth_token=j49ddk933skd9dks&oauth_token_secret=ll399dj47dskfjdk
+```
+
+At this point, you can now discard the temporary credentials (as they are now useless), as well as the verifier token.
+
+Congratulations, your client is now linked to the site!

docs/basics/README.md

@@ -0,0 +1,5 @@
+# Basics
+
+* [Registering an Application](Registering.md)
+* [The Authorization Flow](Auth-Flow.md)
+* [Signing Requests](Signing.md)

docs/basics/Registering.md

@@ -0,0 +1,17 @@
+# Registering an Application
+
+Before you can talk to the server, you need to establish your credentials on the site. This involves registering your application with the site.
+
+Applications can only be registered by site administrators, and must be registered on each site individually. (We're working on making it possible in the future to register once with a central authority to make this process easier.)
+
+To register an application, open your site dashboard and head to Users > Applications, then click Add New. You'll need to enter the name of the application, an optional description, and the callback URL. This callback URL is used during the authorization process to redirect users back to after connecting. This URL can be changed later if you don't have a callback endpoint yet.
+
+## Callback URLs
+
+The callback URL is used during the authorization process. After users authorize your application on the site, they'll be redirected back to your callback URL. This callback needs to save the verifier token passed in, which is used in the third leg of the flow. The callback also typically starts the third leg (token exchange) on the server side. (The next section, [the Authorization Flow](Auth-Flow.md), expands more on how the callback URL is used.)
+
+At the start of the OAuth flow, you pass in your OAuth callback URL for the specific request, which allows you to customise the callback URL for each request as needed. The OAuth plugin requires that your supplied callback URL match the scheme, authority (user and password part), host, port, and path of the registered callback URL. Only the query parameters and fragment (hash part) may differ from your registered URL. (This differs from some OAuth implementations, which allow subpaths of the callback URL.)
+
+For sites with multiple domains or subdomains (e.g. a WordPress multisite network), the recommended method for handling this is to have a singular "main" callback URL which redirects to the specific site. During the request process, the site ID can then be added to the callback URL as a query parameter.
+
+[Non-web applications](../advanced/Desktop.md) may wish to use custom URL schemes, or out-of-band handling. Out-of-band handling is triggered by setting the callback URL to the string `oob`. Rather than redirect after authorization, the site will instead display the verifier code to the user, which they then copy-and-paste or otherwise provide to the application.