proposal: updates for SIGNED requests
Brian Eaton
- clarifications
- documentation of existing security considerations (e.g. removing
oauth* and opensocial* parameters)
- permit multiple instances of the same application to be
distinguished (this is optional, of course!)
- changes to help automate distribution of public keys.
/**
* Fetches content from the provided URL and feeds that content into the
* callback function.
...
* If opt_params[gadgets.io.RequestParameters.AUTHORIZATION] is set
to gadgets.io.AuthorizationType.SIGNED:
* This indicates that the container needs to vouch for the user's
identity to the destination server.
* The container will
* - remove any request parameters with names that begin with
oauth, xoauth, or opensocial (ignoring whether the parameter names are
upper or lower case.
* - add the following parameters to the request query string
* opensocial_viewer_id: (required) The id of the current
viewer, which will match the
* getId() value on the viewer person object.
* opensocial_owner_id: (required) The id of the current
owner, which will match the
* getId() value on the owner person object.
* opensocial_app_url: (required) The URL of the application
making the request. Containers may alias multiple application URLs to
a single canonical application URL in the case where an application
changes URLs.
* opensocial_instance_id: (optional) An opaque identifier
used to distinguish between multiple instances of the same application
in a single container. If a container does not allow multiple
instances of the same application to coexist, this parameter may be
omitted. The combination of opensocial_app_url and
opensocial_instance_id will always uniquely identify an instance of an
application in a container.
* opensocial_app_id: (optional) An opaque identifier for the
application, unique to a particular container. This parameter is
optional. Containers that wish to maintain backwards compatibility
with the opensocial-0.7 specification may include this parameter.
* xoauth_public_key: (optional) An opaque identifier for the
public key used to sign the request. This parameter may be omitted by
containers that do not use public keys to sign requests, or if the
container arranges other means of key distribution with the target of
the request.
* - sign the resulting request according to section 9 of the OAuth
specification (http://oauth.net/core/1.0/#signing_process)
*
* Key management for gadgets.io.AuthorizationType.SIGNED:
*
* If a container uses public keys to sign request, the container may
choose to use either
* self-signed certificates or certificates signed by a well-known
certificate authority.
* If a container does not distribute their oauth signing key over
https, they should use a certificate signed by a well-known
certificate authority.
*
* The commonName attribute of the certificate should match the
hostname of the container server, and should also match the value of
the oauth_consumer_key parameter specified in the request.
*
* The container should make their public key available for download
at a well-known location. The location
* https://<container-hostname>/opensocial/certificates/<xoauth_public_key
value> is recommended.
*
* Recipients of signed requests must verify that the signature on
the request is correct, and that the timestamp on the request is
within a reasonable time window. A time window of +-5 minutes from
the current time is recommended.
*
* Recipients of signed requests may use the oauth_consumer_key and
xoauth_public_key parameters to automatically detect when a container
deploys new certificates. If the container deploys certificates at a
well-known location, the recipient may automatically download the new
certificate. Recipients who automatically download new certificates
should cache the resulting certificates.
*
* If a container's certificate is not downloaded from
https://<container-hostname>, the recipient should verify that the
certificat is signed by a well-known certificate authority before
trusting the certificate.
...
Cassie
http://groups.google.com/group/opensocial-and-gadgets-spec/browse_frm/thread/b07ab79dbcea1afd
Which was already approved.
This also seems like it ends some discussion on this thread:
http://groups.google.com/group/opensocial-and-gadgets-spec/browse_thread/thread/a6a981c96685043e
Because it is allowing the ability to pass both url and an app id to the third party server. Thus delaying the need for resolution on what app id actually means to all containers. (Very nicely done :)
Thanks.
- Cassie
Louis Ryan
-Louis
Arne Roomann-Kurrik (Google)
of some of the ambiguities around signed requests. I like including
the suggested practices around key fetching and request lifespan as
well.
On Apr 21, 10:54 am, "Louis Ryan" <lr...@google.com> wrote:
> One note. opensocial_viewer_id should be optional not required as containers
> can choose to hide the viewers identity from the gadget.
>
> -Louis
>
> > To be clear, this is simply more detail added to this proposal:
>
> > Which was already approved.
>
> > This also seems like it ends some discussion on this thread:
>
Cassie
- Cassie
Brian Eaton
Lane LiaBraaten
Graham Spencer
--g
mnew...@myspace.com
On Apr 25, 9:51 am, Graham Spencer <g...@google.com> wrote:
> +1, in particular because opensocial_app_url is not optional...
>
> --g
>
>
> > +1
>
> > On Fri, Apr 25, 2008 at 9:37 AM, Brian Eaton <bea...@google.com> wrote:
>
> >> [+balfanz, because he thinks this is a good idea]
>
