README
GNOME Online Accounts - Single sign-on framework for GNOME
==========================================================


Facebook
--------

OAuth 2.0:
https://developers.facebook.com/docs/authentication/
https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow
https://developers.facebook.com/docs/reference/dialogs/oauth/
https://developers.facebook.com/tools/explorer/

Scopes: https://developers.facebook.com/docs/authentication/permissions/

Notes:
The client-side flow returns the access_token and expires_in in the URI's
fragment, and does not provide a refresh_token. However, if the user denied
access then the error is returned in the URI's query. The URIs look like this:
  - <get_redirect_uri>?#access_token=...
  - <get_redirect_uri>?error=access_denied...#_=_


Flickr
------

OAuth 1.0: http://www.flickr.com/services/api/auth.oauth.html


Foursquare
----------

OAuth 2.0: https://developer.foursquare.com/overview/auth


Google
------

OAuth 2.0:
https://developers.google.com/accounts/docs/OAuth2InstalledApp
https://developers.google.com/oauthplayground/

Scopes:
https://developers.google.com/accounts/docs/OAuth2Login
https://developers.google.com/google-apps/calendar/auth
https://developers.google.com/google-apps/contacts/v3/
https://developers.google.com/drive/web/scopes
https://developers.google.com/google-apps/gmail/oauth_protocol
https://developers.google.com/picasa-web/docs/2.0/developers_guide_protocol
https://developers.google.com/talk/jep_extensions/oauth
https://developers.google.com/cloud-print/docs/devguide

Sometimes the documentation does not mention the OAuth2 scopes that need to be
specified in the source code. In such cases, the following can be useful:
https://developers.google.com/oauthplayground/
https://discovery-check.appspot.com/

Notes:
We are allowed to embed the client_secret in the source code. See
https://developers.google.com/accounts/docs/OAuth2InstalledApp#overview


Pocket
------

OAuth 2.0 variant:
https://getpocket.com/developer/docs/authentication

Authenticating with a Firefox Account is not documented. These slides are
useful:
http://www.slideshare.net/KuoE0/pocket-authentication-with-oauth-on-firefox-os


Todoist
-------

OAuth 2.0: https://developer.todoist.com/


Windows Live
------------

OAuth 2.0: http://msdn.microsoft.com/en-us/library/live/hh243647.aspx

Scopes:
http://msdn.microsoft.com/en-us/library/live/hh243646.aspx
http://blogs.office.com/b/microsoft-outlook/archive/2013/09/12/outlook-com-now-with-imap.aspx

Notes:
We do not need the client_secret because we are marked as a desktop or mobile
application, and we use https://login.live.com/oauth20_desktop.srf as the
redirect_uri.