Description
Documentation: https://docs.google.com/document/d/1vEPFlX79oa1foBmar6i8nvw-hB4SXfVqg6o6Wsdl1kQ/edit
Author: @kegsay
We want third parties (ASes, random web apps which use OAuth to login as someone) to be able to act on behalf of real matrix users. Currently, they simply can't, as they can't authenticate as a given user_id.
We should probably expose a CS HTTP API endpoint /oauth which expects to be hit with a redirect_uri, scopes, etc and ideally a browser-sent access_token from the redirect (obviously not automatic given the token is a query param and not a Cookie :( ). If not logged in, you'd need to login as usual for that HS (e.g. m.login.password) and then go to the "Accept scopes" page. This will then return a token which the 3rd party service can use as an access_token.
Note that this is completely different to the role HSes play during reg/login where we ARE the "web app" wanting to authenticate on another 3rd party (FB/G+/etc).
This is becoming increasingly important as more services wish to authenticate as existing user IDs rather than having user ID fragmentation/namespace hell.
(Imported from https://matrix.org/jira/browse/SPEC-206)
(Reported by @kegsay)