An authentication model for third party apps
I give a flow of things that'll happen in the model I propose.
1 User provides Diaspora ID to the app.
2 App contacts the user pod, provides the username, access scopes necessary, and developer (author) id (Diaspora ID of the developer) . Redirect user to login page.
3 User gives her username and password and agrees to allow the application to access her data. Access scopes the app requested are displayed to the user.
4 Application is granted an refresh token which is sent to the developer's pod encrypted for the developer. app must have the ability to securely retrieve the token from the developers pod.
This model uses the developer ID as the trust anchor, refresh tokens (which are temporal, lasting for a limited time) are used to get access tokens.
Use access scopes to define what apps are allowed to do on users data.