Yeah, I agree.
> Since you want to react to a 401 response automatically, it's slightly
> difficult. Perhaps using the realm parameter to match things up would work
> (the resource above would return a realm on a 401 that should be the same
> realm as /photo?id=3434343 and /photo?id=9938383).
I don't think we can do this without making lots of assumptions about
DNS domains and realms being more or less equivalent. I'd rather see
the gadget author tell us which OAuth service provider they're talking
to.
In the patch I sent to shindig-dev this was done with a
'providerNickname' parameter to gadgets.io.makeRequest. The idea is
that the gadget spec maps nicknames to OAuth URLs for each provider,
and then the gadget calls makeRequest() to specify which providers go
with which resources.
Cheers,
Brian
Yeah, I agree.
On Fri, Feb 15, 2008 at 9:40 AM, John Panzer <jpa...@google.com> wrote:
> ...you don't want to have to hard-code the protected resource URL in the
> gadget spec; the URL often will vary, especially for RESTful services.
In the patch I sent to shindig-dev this was done with a
'providerNickname' parameter to gadgets.io.makeRequest. The idea is
that the gadget spec maps nicknames to OAuth URLs for each provider,
and then the gadget calls makeRequest() to specify which providers go
with which resources.
This sounds like the way to go. We are already in the business of
parsing query parameters for signed fetch, doing it for OAuth seems
reasonable.
> We do not want the OAuth URLs to be predefined. We want the gadget spec to
> specify the OAuth URLs and for the container to cache them along with the
> gadget XML. Taking the use of the providerNickname to the proposal I made
> earlier, then how about:
<snip proposal for OAuthProvider and OAuthPref elements.>
This looks good to me. I'll let others comment on the exact XML syntax to use.
I'm not sure I see why the gadget XML should specify the mechanism to
use for persisting the OAuth tokens. That seems like it should be up
to the container to implement. (And I hope containers don't send
those tokens in the browser.)
Do you have any thoughts on whether the OAuth token used for these
kinds of requests should be the owner or the viewer token? Should we
restrict OAuth access to cases where owner and viewer are the same?
Do we need some kind of scheme to let the gadget spec make that
decision?
Should we provide an API for gadgets to use to figure out what access
tokens are available to them? Consider this use case: a photo
provider wants to provide an API for a gadget to embed a photo from
their site, but the gadget doesn't know the name or URL of the photo
in advance. Instead the user should be directed to the photo site to
pick the photo. The flow might look something like this:
- user clicks 'add a photo' link in the gadget
- container gets oauth request token from service provider
- gadget opens window to service provider authorization URL
- user picks photo from service provider
- container exchanges request token for access token
- whenever gadget uses that particular access token they get that same photo
In order to make that scenario work I think we'd need a system for a
gadget to have multiple access tokens for the same service provider.
Cheers,
Brian
What is the best way to move forward on this update to the gadget spec?
Maybe we should call this a draft proposal, experiment with support in
Shindig, and then update the gadget spec based on how that goes?
Cheers,
Brian
<Require feature="oauth">
<Param name="service_name">
demo
</Param>
<Param name="access_url">
http://localhost:9090/oauth-provider/access_token
</Param>
<Param name="access_method">
GET
</Param>
<Param name="request_url">
http://localhost:9090/oauth-provider/request_token
</Param>
<Param name="request_method">
GET
</Param>
<Param name="authorize_url">
http://localhost:9090/oauth-provider/authorize
</Param>
</Require>
Open issues with that format:
1) It requires gadget developers to specify the OAuth URLs. That's
probably unavoidable until OAuth discovery gets some momentum.
2) It only supports a single service provider per gadget.
Cheers,
Brian
Okay, is this something we want to get in the next iteration(0.8) of the spec?
If so, which design did we want to choose?
1. Many new ResourcePrefs or OauthPrefs plus a new require.
2. A new oauth feature which has one external configuration file.
Thanks.
- Cassie