Re: [OAUTH-WG] Understanding how OpenSocial uses OAuth 1.0a

Ethan Jewett <esjewett@gmail.com> Fri, 19 March 2010 17:52 UTC

In-Reply-To: <fd6741651003161112y2eceb494ue28db2644ba1d32a@mail.gmail.com>
References: <fd6741651003161112y2eceb494ue28db2644ba1d32a@mail.gmail.com>
Date: Fri, 19 Mar 2010 13:52:22 -0400
Message-ID: <68f4a0e81003191052m7ab778d6n330e58bd58b9f924@mail.gmail.com>
From: Ethan Jewett <esjewett@gmail.com>
To: David Recordon <recordond@gmail.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Understanding how OpenSocial uses OAuth 1.0a

I think 4.5 should read "iLike gadget can choose to sign request with
MySpace's private key or with a shared secret between iLike &
MySpace."

If I'm reading correctly, if the gadget chooses to use the container's
private key, then that is making use of the RSA signature mechanism.
If the gadget chooses to use the container's shared secret, then that
is the HMAC-SHA1 signature mechanism. It looks to me like the
PLAINTEXT method is not supported at all based on the wiki, though I
don't see a technical reason why it should not be supported.

Ethan

On Tue, Mar 16, 2010 at 2:12 PM, David Recordon <recordond@gmail.com> wrote:
> Kevin Marks has been bugging me for a while to understand how
> OpenSocial makes use of two-legged OAuth.  I reached out to the team
> and here's their description (via Evan Gilbert).  In general it seems
> like they're more making use of OAuth's RSA signature mechanism rather
> than the user authorization and access token flows.
>
> 1. Developer (let's say iLike) creates a gadget that runs in multiple
> containers.
> 2. User Bob views iLike gadget on MySpace and the iLike gadget
> needs to make a request back to iLike's home server to get private
> data (let's say the user's favorite bands)
> 3. iLike gadget makes a JavaScript call to get this data from iLike
> servers. This call uses a gadgets API (gadgets.io.makeRequest) that
> proxies the request through MySpace servers.
> 4. MySpace adds validated URL parameters to the request - most
> importantly opensocial_viewer_id and opensocial_app_url. MySpace then
> signs the request and then forwards on the request to iLike's servers.
> 4.5 iLike can choose to sign request with MySpace's private key or
> with a shared secret between iLike & MySpace.
> 6. iLike verifies the signed request, using MySpace's public key or
> the shared secret.
> 7. iLike verifies opensocial_app_url to make sure this isn't a
> different gadget asking for data.
> 8. Lastly iLike looks up user data based on opensocial_viewer_id and
> returns it back to the gadget.
>
> Intro to signed requests:
> http://wiki.opensocial.org/index.php?title=Introduction_To_Signed_Requests
> Validation of signed requests:
> http://wiki.opensocial.org/index.php?title=Validating_Signed_Requests
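The steps in David's description (container signs in step 4, home server verifies the signature in step 6 and the app URL in step 7) as one runnable round trip. This is an added example, not code from the thread, from OpenSocial or from any container; the consumer key, shared secret, gadget URL and endpoint are constructed placeholders. It shows the shared-secret form Ethan maps to HMAC-SHA1 per RFC 5849; the container-private-key form (RSA-SHA1) computes the same signature base string and differs only in the signature primitive (RSASSA-PKCS1-v1_5 over SHA-1, verified with the container's public key). Beyond the thread's steps, the verifier also enforces timestamp freshness and nonce uniqueness, which a home server needs so that a captured signed request cannot simply be replayed.

```python
# Added example (not from the thread or the OpenSocial wiki): a two-legged
# OAuth 1.0a signed-request round trip in the HMAC-SHA1 (shared secret) form.
# Names, URLs and secrets below are constructed for illustration.
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit

CONSUMER_KEY = "myspace.example"                     # hypothetical container consumer key
SHARED_SECRET = "constructed-shared-secret"          # hypothetical secret shared by iLike and MySpace
EXPECTED_APP_URL = "http://ilike.example/gadget.xml"  # hypothetical gadget spec URL


def _pct(s):
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters stay bare."""
    return quote(str(s), safe="-._~")


def base_string_uri(url):
    """Scheme and host lowercased, default ports dropped, query stripped (RFC 5849 3.4.1.2)."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and (scheme, port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def signature_base_string(method, url, params):
    """Join method, normalized URI and sorted, encoded parameters (RFC 5849 3.4.1)."""
    pairs = list(params) + parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs = [(k, v) for k, v in pairs if k != "oauth_signature"]
    normalized = "&".join(f"{k}={v}" for k, v in sorted((_pct(k), _pct(v)) for k, v in pairs))
    return "&".join([method.upper(), _pct(base_string_uri(url)), _pct(normalized)])


def hmac_sha1(base, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string; two-legged use has no token, so the token secret is empty."""
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def container_sign(method, url, params, consumer_key, secret, now=None):
    """Step 4: the container appends the oauth_* parameters and signs the whole request."""
    signed = list(params) + [
        ("oauth_consumer_key", consumer_key),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_timestamp", str(int(now if now is not None else time.time()))),
        ("oauth_nonce", secrets.token_hex(8)),
        ("oauth_version", "1.0"),
    ]
    return signed + [("oauth_signature", hmac_sha1(signature_base_string(method, url, signed), secret))]


def verify_signed_request(method, url, params, secrets_by_key, expected_app_url,
                          seen_nonces, now=None, max_skew=300):
    """Steps 6-7: verify the signature, reject replays, then check the app URL.

    Returns the opensocial_viewer_id the home server may trust, or None on any failure.
    """
    p = dict(params)
    secret = secrets_by_key.get(p.get("oauth_consumer_key"))
    if secret is None or p.get("oauth_signature_method") != "HMAC-SHA1":
        return None
    expected = hmac_sha1(signature_base_string(method, url, params), secret)
    if not hmac.compare_digest(expected, p.get("oauth_signature", "")):
        return None  # params were altered after signing, or the secret does not match
    # Freshness and replay: timestamp inside the window, nonce unseen for this consumer
    now = now if now is not None else time.time()
    try:
        ts = int(p.get("oauth_timestamp", ""))
    except ValueError:
        return None
    if abs(now - ts) > max_skew:
        return None
    replay_key = (p["oauth_consumer_key"], ts, p.get("oauth_nonce"))
    if replay_key in seen_nonces:
        return None
    seen_nonces.add(replay_key)
    # Step 7: a valid container signature proves MySpace sent it, not that *our* gadget asked
    if p.get("opensocial_app_url") != expected_app_url:
        return None
    return p.get("opensocial_viewer_id")


def demo(now=1269021142):
    """Round trip: a good request, a tampered one, and a replay. Returns the three results."""
    url = "http://ilike.example/api/favorite_bands?format=json"
    params = [("opensocial_viewer_id", "bob"), ("opensocial_app_url", EXPECTED_APP_URL)]
    signed = container_sign("GET", url, params, CONSUMER_KEY, SHARED_SECRET, now)
    keys = {CONSUMER_KEY: SHARED_SECRET}
    seen = set()
    good = verify_signed_request("GET", url, signed, keys, EXPECTED_APP_URL, seen, now)
    # Tamper after signing: swap in another viewer id without re-signing
    tampered = [(k, "mallory" if k == "opensocial_viewer_id" else v) for k, v in signed]
    bad = verify_signed_request("GET", url, tampered, keys, EXPECTED_APP_URL, seen, now)
    # Replay the original, still validly signed, message a second time
    replay = verify_signed_request("GET", url, signed, keys, EXPECTED_APP_URL, seen, now)
    return good, bad, replay


if __name__ == "__main__":
    print(demo())  # ('bob', None, None)
```

The order of checks in `verify_signed_request` is deliberate: only after the signature proves the parameters came from the container are `opensocial_app_url` and `opensocial_viewer_id` worth reading, since before that point they are just attacker-controlled query strings. The step-7 check is what stops a different gadget on the same container from pulling another developer's data with a perfectly valid MySpace signature.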