Copy edit OAuth section

nmelehan · nmelehan · commit 39d230956172 · 2020-01-24T02:14:04.000-05:00
Various typo fixes and copy edits
Added more definitions for public vs private clients
Added H3 subsection headers:
- OAuth Workflow
- OAuth Private Workflow - Additional Details
diff --git a/openapi.yaml b/openapi.yaml
@@ -37,7 +37,7 @@ info:
     generated from the
     <a target="_top" href="https://cloud.linode.com/profile/tokens">Linode Cloud Manager</a>.
 
-    All scopes for the OAuth security model (defined below) apply to this
+    All scopes for the OAuth security model ([defined below](#o-auth)) apply to this
     security model as well.
 
     ### Authentication
@@ -47,49 +47,59 @@ info:
     | **HTTP Authorization Scheme** | bearer |
 
     ## OAuth
-    If all you need is a Personal Access Token, feel free to skip ahead to the next section.
+    If you only need to access the Linode API for personal uses,
+    we recommend that you create a [personal access token](#personal-access-token).
+    If you're designing an application that can authenticate with an arbitrary Linode user, then
+    you should use the OAuth 2.0 workflows presented in this section.
 
-    For more help on OAuth see our guide on [How to Create an OAuth App with the Linode Python API Library](https://www.linode.com/docs/platform/api/how-to-create-an-oauth-app-with-the-linode-python-api-library/#oauth-2-authentication-exchange).
+    For a more detailed example of an OAuth 2.0 implementation, see our guide on [How to Create an OAuth App with the Linode Python API Library](https://www.linode.com/docs/platform/api/how-to-create-an-oauth-app-with-the-linode-python-api-library/#oauth-2-authentication-exchange).
 
-    Before you begin, you need to creat an OAuth client. You can do this [with the API](https://developers.linode.com/api/v4/account-oauth-clients/#post) or [via the Cloud Manager](https://cloud.linode.com/profile/clients).
+    Before you implement OAuth in your application, you first need to create an OAuth client. You can do this [with the Linode API](https://developers.linode.com/api/v4/account-oauth-clients/#post) or [via the Cloud Manager](https://cloud.linode.com/profile/clients):
 
-      - For this you will pass a `label` and a `redirect_uri`.
-      - The return from this endpoint will give you a `client_id` and a `secret`.
-      - You can choose to make this `public`. The workflow below is split for public and private paths where they diverge.
+      - When creating the client, you'll supply a `label` and a `redirect_uri` (referred to as the Callback URL in the Cloud Manager).
+      - The response from this endpoint will give you a `client_id` and a `secret`.
+      - Clients can be public or private, and are private by default. You can choose to make the client public when it is created.
+        - A private client is used with applications which can securely store the client secret (that is, the secret returned to you when you first created the client). For example, an application running on a secured server that only the developer has access to would use a private OAuth client. This is also called a confidential client in some OAuth documentation.
+        - A public client is used with applications where the client secret is not guaranteed to be secure. For example, a native app running on a user's computer may not be able to keep the client secret safe, as a user could potentially inspect the source of the application. So, native apps or apps that run in a user's browser should use a public client.
+        - Public and private clients follow different workflows, as described below.
 
-    The OAuth workflow is a series of exchanges between your third-party app and Linode used
+    ### OAuth Workflow
+
+    The OAuth workflow is a series of exchanges between your third-party app and Linode. The workflow is used
     to authenticate a User before an application can start making API calls on the User's behalf.
 
     | PRIVATE WORKFLOW | PUBLIC WORKFLOW |
-    |------------------|-----------------|
+    |------------------|------------------|
     | 1.  The User visits the application's website and is directed to login with Linode. | 1.  The User visits the application's website and is directed to login with Linode. |
-    | 2.  Your application then redirects the user to Linode's [authentication server](https://login.linode.com) with the client application's `client_id` and requested OAuth `scope`, which appear in the URL of the login page. | 2.  Your application then redirects the user to Linode's [authentication server](https://login.linode.com) with the client application's `client_id` and requested OAuth `scope`, which appear in the URL of the login page. |
+    | 2.  Your application then redirects the user to Linode's [authentication server](https://login.linode.com) with the client application's `client_id` and requested OAuth `scope`, which should appear in the URL of the login page. | 2.  Your application then redirects the user to Linode's [authentication server](https://login.linode.com) with the client application's `client_id` and requested OAuth `scope`, which should appear in the URL of the login page. |
     | 3.  The user logs into the authorization server with their username and password. | 3.  The user logs into the authorization server with their username and password. |
-    | 4.  The authorization server redirects the user to the specificed redirect URL with a temporary authorization `code` (exchange code) in the URL. | 4.  The authorization server redirects the user back to your applaction with an OAuth token in the URL hash. This is temporary and expires in 2 hours without a `refresh_token`. |
-    | 5.  The application issues a POST request (*see below*) to the authentication server with the exchange code, `client_id`, and the client application's `client_secret`. In return, the server returns an OAuth token and `refresh_token`. |  |
-    | 6.  The authentication server responds to the client application with a new OAuth `access_token`. `access_token` is set to expire in 2 hours. |  |
+    | 4.  The authorization server redirects the user to the specificed redirect URL with a temporary authorization `code` (exchange code) in the URL. | 4.  The authorization server redirects the user back to your application with an OAuth `access_token` embedded in the redirect URL's hash. This is temporary and expires in 2 hours without a `refresh_token`. |
+    | 5.  The application issues a POST request (*see below*) to the authentication server with the exchange code, `client_id`, and the client application's `client_secret`. | |
+    | 6.  The authentication server responds to the client application with a new OAuth `access_token` and `refresh_token`. The `access_token` is set to expire in 2 hours. | |
     | 7.  The `refresh_token` can be used to get a new OAuth `access_token`, good for another 2 hours, and a new `refresh_token`, which you can use to extend the session again by this same method, by contacting the authentication server again with the `client_id`, `client_secret`, and `refresh_token`. | |
 
-      The following is more information for the private workflow expanding on step 5 and beyond.
+    ### OAuth Private Workflow - Additional Details
 
-      Once the User has logged into Linode and you have received an exchange code,
-      you will need to trade that exchange code for an Authorization token. You
-      do this by making an HTTP POST request to the following address:
+    The following information expands on steps 5 through 7 of the private workflow:
 
-      ```
-      https://login.linode.com/oauth/token
-      ```
+    Once the User has logged into Linode and you have received an exchange code,
+    you will need to trade that exchange code for an `access_token` and `refresh_token`. You
+    do this by making an HTTP POST request to the following address:
 
-      Make this request as `application/x-www-form-urlencoded` or as
-      `multipart/form-data` and include the following parameters in the POST body:
+    ```
+    https://login.linode.com/oauth/token
+    ```
 
-      | PARAMETER | DESCRIPTION |
-      |-----------|-------------|
-      | client_id | Your app's client ID. |
-      | client_secret | Your app's client secret. |
-      | code | The code you just received from the redirect |
+    Make this request as `application/x-www-form-urlencoded` or as
+    `multipart/form-data` and include the following parameters in the POST body:
 
-    You'll get a reponse like this:
+    | PARAMETER | DESCRIPTION |
+    |-----------|-------------|
+    | client_id | Your app's client ID. |
+    | client_secret | Your app's client secret. |
+    | code | The code you just received from the redirect. |
+
+    You'll get a response like this:
 
     ```json
     {
@@ -100,18 +110,20 @@ info:
     }
     ```
 
-    Included in the reponse is `access_token`. With this token, you can proceed to make
+    Included in the reponse is an `access_token`. With this token, you can proceed to make
     authenticated HTTP requests to the API by adding this header to each request:
 
     ```
     Authorization: Bearer 03d084436a6c91fbafd5c4b20c82e5056a2e9ce1635920c30dc8d81dc7a6665c
     ```
 
-    ### Authentication
+    ### OAuth Reference
 
-    | Security Scheme Type: | Oauth2 |
+    | Security Scheme Type | OAuth 2.0 |
     |-----------------------|--------|
-    | **AuthorizationCode Oauth Flow** |  **Authorization URL:** https://login.linode.com/oauth/authorize<br />**Token URL:** https://login.linode.com/oauth/token<br />**Scopes:**<br /><ul><li>`account:read_only` - Allows access to GET information about your Account.</li><li>`account:read_write` - Allows access to all endpoints related to your Account.</li><li>`domains:read_only` - Allows access to GET Domains on your Account.</li><li>`domains:read_write` - Allows access to all Domain endpoints.</li><li>`events:read_only` - Allows access to GET your Events.</li><li>`events:read_write` - Allows access to all endpoints related to your Events.</li><li>`images:read_only` - Allows access to GET your Images.</li><li>`images:read_write` - Allows access to all endpoints related to your Images.</li><li>`ips:read_only` - Allows access to GET your ips.</li><li>`ips:read_write` - Allows access to all endpoints related to your ips.</li><li>`linodes:read_only` - Allows access to GET Linodes on your Account.</li><li>`linodes:read_write` - Allow access to all endpoints related to your Linodes.</li><li>`lke:read_only` - Allows access to GET LKE Clusters on your Account.</li><li>`lke:read_write` - Allows access to all endpoints related to LKE Clusters on your Account.</li><li>`longview:read_only` - Allows access to GET your Longview Clients.</li><li>`longview:read_write` - Allows access to all endpoints related to your Longview Clients.</li><li>`nodebalancers:read_only` - Allows access to GET NodeBalancers on your Account.</li><li>`nodebalancers:read_write` - Allows access to all NodeBalancer endpoints.</li><li>`stackscripts:read_only` - Allows access to GET your StackScripts.</li><li>`stackscripts:read_write` - Allows access to all endpoints related to your StackScripts.</li><li>`volumes:read_only` - Allows access to GET your Volumes.</li><li>`volumes:read_write` - Allows access to all endpoints related to your Volumes.</li></ul><br />|
+    | **Authorization URL** | https://login.linode.com/oauth/authorize |
+    | **Token URL** | https://login.linode.com/oauth/token |
+    | **Scopes** | <ul><li>`account:read_only` - Allows access to GET information about your Account.</li><li>`account:read_write` - Allows access to all endpoints related to your Account.</li><li>`domains:read_only` - Allows access to GET Domains on your Account.</li><li>`domains:read_write` - Allows access to all Domain endpoints.</li><li>`events:read_only` - Allows access to GET your Events.</li><li>`events:read_write` - Allows access to all endpoints related to your Events.</li><li>`images:read_only` - Allows access to GET your Images.</li><li>`images:read_write` - Allows access to all endpoints related to your Images.</li><li>`ips:read_only` - Allows access to GET your ips.</li><li>`ips:read_write` - Allows access to all endpoints related to your ips.</li><li>`linodes:read_only` - Allows access to GET Linodes on your Account.</li><li>`linodes:read_write` - Allow access to all endpoints related to your Linodes.</li><li>`lke:read_only` - Allows access to GET LKE Clusters on your Account.</li><li>`lke:read_write` - Allows access to all endpoints related to LKE Clusters on your Account.</li><li>`longview:read_only` - Allows access to GET your Longview Clients.</li><li>`longview:read_write` - Allows access to all endpoints related to your Longview Clients.</li><li>`nodebalancers:read_only` - Allows access to GET NodeBalancers on your Account.</li><li>`nodebalancers:read_write` - Allows access to all NodeBalancer endpoints.</li><li>`stackscripts:read_only` - Allows access to GET your StackScripts.</li><li>`stackscripts:read_write` - Allows access to all endpoints related to your StackScripts.</li><li>`volumes:read_only` - Allows access to GET your Volumes.</li><li>`volumes:read_write` - Allows access to all endpoints related to your Volumes.</li></ul><br />|
 
     # Requests
 
