This repository has been archived by the owner on Apr 16, 2019. It is now read-only.

Requesting user authorization #25

Closed
jaredhanson opened this issue Jul 29, 2015 · 1 comment


@jaredhanson

Looking over the sideway client, I think I've got a reasonably working implementation of Oz using the available endpoints (/app, /reissue, /rsvp).

The one thing that I'm unclear on is how an app obtains a ticket that has been authorized by the user.

Here's my best guess:

  1. App calls /app (with credentials) to get an app ticket (with optional requested scope?)
  2. App sends app ticket to Oz authorization server for user approval
  3. Oz authorization server conducts dialog with user to grant access
  4. Oz authorization server issues rsvp ticket to app
  5. Application exchanges rsvp ticket, at /rsvp, for an authorized user ticket.

Questions:

On 1, is the app ticket intended to be used as a temporary "request token" (à la OAuth 1.0), or should something else be used? How do 2 and 4 work? Is it intended to be redirect based, and if so, what are the requirements of the client in order to indicate the redirect URIs?

Excellent work on this!

@hueniverse
Contributor

The app ticket can be used for additional rsvp exchanges as well as accessing app-specific resources. The method through which the user is redirected is not specified at this time. There are plenty of well-established ways to do that. Also see new docs.
