Re: [OAUTH-WG] Understanding how OpenSocial uses OAuth 1.0a

Ethan Jewett <esjewett@gmail.com> Fri, 19 March 2010 20:28 UTC

In-Reply-To: <daf5b9571003191145v5ee86c9bw324ceb9366f1c6bb@mail.gmail.com>
References: <fd6741651003161112y2eceb494ue28db2644ba1d32a@mail.gmail.com> <68f4a0e81003191052m7ab778d6n330e58bd58b9f924@mail.gmail.com> <daf5b9571003191144j74ea597cgf06ef3ba449cecef@mail.gmail.com> <daf5b9571003191145v5ee86c9bw324ceb9366f1c6bb@mail.gmail.com>
Date: Fri, 19 Mar 2010 16:28:38 -0400
Message-ID: <68f4a0e81003191328r4912ddb0uc37c4bc65f5fb7e4@mail.gmail.com>
From: Ethan Jewett <esjewett@gmail.com>
To: Brian Eaton <beaton@google.com>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Understanding how OpenSocial uses OAuth 1.0a

On Fri, Mar 19, 2010 at 2:45 PM, Brian Eaton <beaton@google.com> wrote:
>
> Ah, the other reason plaintext doesn't work is because one of the
> goals is to guarantee the integrity of the identity information passed
> in the request - neither the application author nor the viewer of the
> application is permitted to tamper with those parameters.

I don't think so. In the OpenSocial case, the only "OAuth Consumer"
per se is the OpenSocial container. The gadget is not making signed
requests and is completely trusting the container to represent it
properly to the OAuth Provider. In other words, from an OAuth request
flow perspective, the gadget is pretty much irrelevant.

Because of this, on my reading OpenSocial gadgets will have a hard
time making use of general purpose APIs, because general purpose APIs
will ignore the opensocial_viewer_id parameter, which is the key to
figuring out what application user is making the request.

In other words, the gadget and the OAuth provider must completely
trust the OpenSocial container to correctly represent the user making
the request.

Am I reading it wrong?

Ethan
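An added worked example, written for this archive page and not taken from the thread or from any OpenSocial or Shindig code, of the two points being argued above: with HMAC-SHA1 the opensocial_viewer_id parameter is covered by the container's signature, so neither the gadget nor the viewer can alter it in transit, while PLAINTEXT covers nothing but the secrets; and in both cases the provider only learns that the container signed the request, so it still has to trust the container about who the viewer is. The consumer key and secret, the endpoint URL, the opensocial_* values, nonces and timestamps are all constructed for the example, and the signed fetch is two-legged, so the token secret is empty.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed fixtures: a made-up container consumer key/secret and a
# hypothetical provider endpoint; none of these come from the thread.
SECRETS = {"container-key": "container-secret"}
URL = "https://api.example.com/people/@me"

def pct(s):
    # RFC 5849 section 3.6 percent-encoding: only ALPHA, DIGIT, "-._~" stay bare.
    return quote(str(s), safe="-._~")

def signature_base_string(method, url, params):
    # params holds every oauth_* and request parameter except oauth_signature.
    # Encode each pair, sort, join with "&", then encode the result once more.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    # Two-legged "signed fetch" carries no access token, so the token secret is empty.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def sign_request(method, url, params, consumer_key, consumer_secret, nonce, timestamp):
    # Container side: add the oauth_* parameters and sign everything, including
    # the opensocial_* identity parameters the container itself asserts.
    signed = dict(params)
    signed.update({
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
    })
    signed["oauth_signature"] = hmac_sha1_signature(method, url, signed, consumer_secret)
    return signed

def verify_hmac_request(method, url, params, secrets):
    # Provider side: recompute with the registered secret and compare in constant
    # time. (A real provider also checks nonce/timestamp against replay; omitted.)
    claimed = params.get("oauth_signature")
    secret = secrets.get(params.get("oauth_consumer_key"))
    if claimed is None or secret is None:
        return False
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    return hmac.compare_digest(claimed, hmac_sha1_signature(method, url, unsigned, secret))

def plaintext_signature(consumer_secret, token_secret=""):
    # PLAINTEXT (RFC 5849 section 3.4.4): the "signature" is just the secrets,
    # so it is independent of every other request parameter.
    return f"{pct(consumer_secret)}&{pct(token_secret)}"

def verify_plaintext_request(params, secrets):
    claimed = params.get("oauth_signature")
    secret = secrets.get(params.get("oauth_consumer_key"))
    if claimed is None or secret is None:
        return False
    return hmac.compare_digest(claimed, plaintext_signature(secret))

def demo():
    # Constructed identity parameters the container asserts for one signed fetch.
    request = {"opensocial_viewer_id": "viewer-123",
               "opensocial_owner_id": "owner-456",
               "opensocial_app_id": "app-789"}
    signed = sign_request("GET", URL, request, "container-key", "container-secret",
                          nonce="n1", timestamp=1269030518)
    tampered = dict(signed, opensocial_viewer_id="viewer-999")  # edited after signing

    plain = dict(request, oauth_consumer_key="container-key",
                 oauth_signature_method="PLAINTEXT",
                 oauth_signature=plaintext_signature("container-secret"))
    plain_tampered = dict(plain, opensocial_viewer_id="viewer-999")

    # The container holds the consumer secret, so it can sign any viewer id it likes;
    # the provider can only verify that the container said so.
    asserted = sign_request("GET", URL, dict(request, opensocial_viewer_id="anyone"),
                            "container-key", "container-secret", nonce="n2",
                            timestamp=1269030519)
    return {
        "hmac_ok": verify_hmac_request("GET", URL, signed, SECRETS),
        "hmac_tampered_ok": verify_hmac_request("GET", URL, tampered, SECRETS),
        "plaintext_ok": verify_plaintext_request(plain, SECRETS),
        "plaintext_tampered_ok": verify_plaintext_request(plain_tampered, SECRETS),
        "container_asserts_any_viewer": verify_hmac_request("GET", URL, asserted, SECRETS),
    }
```

Calling demo() returns the five verification outcomes; the only request the provider rejects is the HMAC-SHA1 one whose opensocial_viewer_id was changed after signing. The PLAINTEXT request with the same edit still verifies, because the PLAINTEXT signature never looked at the parameters, and the request in which the container simply asserts a different viewer verifies too, which is the trust relationship Ethan describes.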