[OAUTH-WG] Understanding how OpenSocial uses OAuth 1.0a

David Recordon <recordond@gmail.com> Tue, 16 March 2010 18:15 UTC

Date: Tue, 16 Mar 2010 11:12:38 -0700
Message-ID: <fd6741651003161112y2eceb494ue28db2644ba1d32a@mail.gmail.com>
From: David Recordon <recordond@gmail.com>
To: OAuth WG <oauth@ietf.org>

Kevin Marks has been bugging me for a while to understand how
OpenSocial makes use of two-legged OAuth.  I reached out to the team
and here's their description (via Evan Gilbert).  In general it seems
like they're more making use of OAuth's RSA signature mechanism rather
than the user authorization and access token flows.

1. Developer (let's say iLike) creates a gadget that runs in multiple
containers.
2. User Bob views the iLike gadget on MySpace and the iLike gadget
needs to make a request back to iLike's home server to get private
data (let's say the user's favorite bands).
3. iLike gadget makes a JavaScript call to get this data from iLike
servers. This call uses a gadgets API (gadgets.io.makeRequest) that
proxies the request through MySpace servers.
4. MySpace adds validated URL parameters to the request - most
importantly opensocial_viewer_id and opensocial_app_url. MySpace then
signs the request and forwards it on to iLike's servers.
5. iLike can choose to sign the request with MySpace's private key or
with a shared secret between iLike & MySpace.
6. iLike verifies the signed request, using MySpace's public key or
the shared secret.
7. iLike verifies opensocial_app_url to make sure this isn't a
different gadget asking for data.
8. Lastly iLike looks up user data based on opensocial_viewer_id and
returns it back to the gadget.

Intro to signed requests:
http://wiki.opensocial.org/index.php?title=Introduction_To_Signed_Requests
Validation of signed requests:
http://wiki.opensocial.org/index.php?title=Validating_Signed_Requests
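The container-signs / home-server-verifies exchange described in the steps above, worked through as an added example in Python. This is not OpenSocial's, MySpace's or iLike's code; it uses the shared-secret (HMAC-SHA1) option, and the RSA-SHA1 option differs only in which primitive signs and checks the same signature base string. The URL, consumer key, secret, viewer id and gadget URL are constructed test values, and the nonce cache and clock-skew window are assumptions of this example, not something the message specifies.

```python
"""
Two-legged OAuth 1.0a over a proxied OpenSocial gadget request.
Example code (not OpenSocial's, MySpace's or iLike's). HMAC-SHA1
variant; all names and values below are constructed for the example.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def pct(s):
    """RFC 5849 3.6 percent-encoding: only ALPHA / DIGIT / - . _ ~ stay bare."""
    return quote(s, safe="-._~")


def signature_base_string(method, url, params):
    """RFC 5849 3.4.1: METHOD & enc(base URL) & enc(sorted encoded params).
    Query-string params and the supplied (body + oauth_*/opensocial_*) params
    are all covered; oauth_signature itself is excluded."""
    u = urlsplit(url)
    base_url = f"{u.scheme.lower()}://{u.netloc.lower()}{u.path}"
    all_params = list(parse_qsl(u.query, keep_blank_values=True))
    all_params += [(k, v) for k, v in params if k != "oauth_signature"]
    encoded = sorted((pct(k), pct(v)) for k, v in all_params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1(base, consumer_secret, token_secret=""):
    """Two-legged OAuth has no access token, so the key is 'enc(secret)&'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def container_sign(method, url, body_params, consumer_key, consumer_secret,
                   viewer_id, app_url, timestamp=None, nonce=None):
    """Container side (MySpace in the thread): append the validated
    opensocial_* parameters and the oauth_* parameters, then sign."""
    params = list(body_params) + [
        ("opensocial_viewer_id", viewer_id),
        ("opensocial_app_url", app_url),
        ("oauth_consumer_key", consumer_key),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_timestamp", str(timestamp if timestamp is not None else int(time.time()))),
        ("oauth_nonce", nonce or secrets.token_hex(8)),
        ("oauth_version", "1.0"),
    ]
    sig = hmac_sha1(signature_base_string(method, url, params), consumer_secret)
    params.append(("oauth_signature", sig))
    return params


def verify_signed_request(method, url, params, consumer_secrets, expected_app_url,
                          seen_nonces, now=None, max_skew=300):
    """Gadget home-server side (iLike in the thread). `url` must be the URL
    the server knows it served, rebuilt from its own configuration rather
    than from attacker-influenced request headers. seen_nonces is an assumed
    replay cache (a set here). Returns (ok, viewer_id_or_reason)."""
    protected = [k for k, _ in params if k.startswith(("oauth_", "opensocial_"))]
    if len(protected) != len(set(protected)):
        return False, "duplicate protected parameter"  # parameter pollution
    p = dict(params)
    secret = consumer_secrets.get(p.get("oauth_consumer_key"))
    if secret is None:
        return False, "unknown consumer"
    if p.get("oauth_signature_method") != "HMAC-SHA1":
        return False, "unsupported signature method"
    try:
        ts = int(p.get("oauth_timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    now = now if now is not None else int(time.time())
    if abs(now - ts) > max_skew:
        return False, "timestamp outside window"
    replay_key = (p["oauth_consumer_key"], ts, p.get("oauth_nonce", ""))
    if replay_key in seen_nonces:
        return False, "nonce replayed"
    expected = hmac_sha1(signature_base_string(method, url, params), secret)
    if not hmac.compare_digest(expected, p.get("oauth_signature", "")):
        return False, "bad signature"
    seen_nonces.add(replay_key)  # remember only requests that verified
    # Step 7: a valid MySpace signature is not enough; it must be *our* gadget.
    if p.get("opensocial_app_url") != expected_app_url:
        return False, "request signed for a different gadget"
    if not p.get("opensocial_viewer_id"):
        return False, "no viewer id"
    return True, p["opensocial_viewer_id"]  # step 8: key for the data lookup


if __name__ == "__main__":
    url = "https://ilike.example/api/favorite_bands"   # constructed
    signed = container_sign("POST", url, [("format", "json")], "myspace.com",
                            "s3cret", "bob-123", "http://ilike.example/gadget.xml")
    print(verify_signed_request("POST", url, signed, {"myspace.com": "s3cret"},
                                "http://ilike.example/gadget.xml", set()))
```

The order of checks matters: the nonce is recorded only after the signature verifies, so an attacker cannot poison the replay cache with forged requests, and the opensocial_app_url comparison runs after signature verification because the signature is what makes that parameter trustworthy in the first place. Swapping HMAC-SHA1 for RSA-SHA1 means signing the same base string with the container's private key and verifying with its published public key; everything else, including the app-URL and replay checks, stays the same.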