Suggestion for OAuth-signed "phone home" requests


nate

Dec 4, 2007, 7:37:46 PM
to OpenSocial - OpenSocial API Definition
This may or may not be obvious, but I would like to make a request
regarding the data that will get signed into _IG_Fretch_Content()
requests originating from OpenSocial containers.

I think the primary thing that Service Provider apps will want to
validate is the viewer/owner relationship. To that end, it would be
really handy to make every _IG_Fretch_Content() request contain a
signed:
* gadget owner ID
* gadget viewer ID
* owner/viewer relationship (i.e. "friends" or "public") with
respect to the container

If this info can be made non-spoofable, Service Providers can reliably
apply privacy settings, not to mention allow the gadget owner to set
privacy settings from within the container.

Thanks for your consideration, and all your hard work.

- nate

aak...@live.com

Dec 5, 2007, 6:00:15 AM
to opensoc...@googlegroups.com
Same problem here, how do we make sure that the person viewing is an authenticated owner or has just swapped values in JS..
It's really important for developers to set permissions regarding usage of the gadget..
Also it would be helpful if we could get some information from the cookie like login status, user ID etc..

Thanks
 
~@@k@sh
http://aakash-bapna.blogspot.com

Luciano Ricardi

Dec 5, 2007, 9:01:47 AM
to opensoc...@googlegroups.com
I really think that a few changes to the working method of _IG_FetchContent() could bring some great security gains to OpenSocial until OAuth is implemented.

Let's take the Orkut Sandbox for an example:

1 - We received the calls from the Sandbox proxies from just 3 proxies...
66.249.84.15
72.14.195.49
74.125.16.6

Well, so we can implement security procedures in our code that prevent delivering content to unauthorised IPs. This is a good enhancement in security, but we need some way to get this IP list. We got these IPs from the access logs of the web server...

2 - The request that comes from the proxies is like this:

"GET /gadgets/view_content.php?id_orkut=02772430860366983940&.cache=3239336552 HTTP/1.1"

The id_orkut is the parameter that we put in our gadget code. The ".cache" is appended by the proxy server. Well, why not append the real ID of the gadget viewer? This could guarantee that the caller of _IG_FetchContent is the viewer of the gadget.

So.... this is what I suggest to enhance the security of OpenSocial until OAuth is implemented:

1 - Some method to get the IPs of the proxies of the OpenSocial containers.
2 - Append the ID of the viewer (or other information) to the GET parameters

[]s

Luciano R.


Paul Lindner

Dec 5, 2007, 10:07:38 AM
to opensoc...@googlegroups.com
Please read this:

http://opensocialapis.blogspot.com/2007/11/improved-content-fetching-for.html

--
Paul Lindner
hi5 Architect
plin...@hi5.com

Luciano Ricardi

Dec 5, 2007, 11:06:31 AM
to opensoc...@googlegroups.com
(...)"until OAuth is implemented"(...)

What I've said is that some simpler implementations could be made until OAuth is implemented.... We don't know when OAuth will be part of OpenSocial... there is no information about release dates here:

http://groups.google.com/group/opensocial/web/whats-up-with-opensocial
--
Luciano

nate

Dec 6, 2007, 2:31:05 PM
to OpenSocial - OpenSocial API Definition
Restricting by IP address is definitely a bad way to go. It ties the
functionality of your application to the (each) container's network
topology.

I think we just have to be patient and wait for the OpenSocial
developers to release a mechanism for authentication. They've said
they are working on it repeatedly, and I'm sure it's their top
priority (because they said so).

The OAuth request signing mechanism allows the service provider (your
app's home site) to verify that it's talking to the container and not
an impostor using shared secrets. That way, you don't need to check
for IPs or do anything else hinky.

My only suggestion (that I have not heard explicitly from any O.S.
people) is that they make sure to include verified information about
the gadget owner and viewer. This is not part of OAuth, and it
doesn't sound like the O.S. developers are going to implement OAuth in
its entirety. This is an O.S.-specific feature that containers would
be required to implement.

nate

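As an added illustration of the shared-secret verification nate describes above (this is example code, not code from OpenSocial or from anyone in the thread): the container signs the phone-home query, including owner, viewer and their relationship, with HMAC-SHA1 in the OAuth 1.0 style, and the service provider recomputes the signature with the same secret, so a viewer ID swapped in JS, a request from an impostor without the secret, a stale request or a replayed one all fail the check. The opensocial_* parameter names, CONTAINER_SECRET, the consumer key and the URLs are assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlencode

# Hypothetical shared secret agreed out of band between container and service provider
CONTAINER_SECRET = "container-shared-secret-example"

def _pct(s):
    """RFC 3986 percent-encoding as OAuth 1.0 requires (only unreserved characters bare)."""
    return quote(str(s), safe="~")

def sign_request(method, url, params, secret):
    """HMAC-SHA1 over the OAuth 1.0 base string: METHOD&url&sorted-normalized-params."""
    norm = "&".join(f"{_pct(k)}={_pct(v)}" for k, v in sorted(params.items()))
    base = "&".join([method.upper(), _pct(url), _pct(norm)])
    key = (_pct(secret) + "&").encode()  # consumer secret only; no token secret here
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def container_phone_home(url, owner_id, viewer_id, relationship, secret, nonce, timestamp):
    """Container side: build the signed query string for a gadget's phone-home request."""
    params = {
        "opensocial_owner_id": owner_id,  # parameter names are assumptions
        "opensocial_viewer_id": viewer_id,
        "opensocial_relationship": relationship,  # e.g. "friends" or "public"
        "oauth_consumer_key": "example-container",
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = sign_request("GET", url, params, secret)
    return urlencode(params)

def verify_phone_home(url, query, secret, seen_nonces, now, max_skew=300):
    """Service provider side: return verified (owner, viewer, relationship), or None."""
    params = dict(parse_qsl(query, keep_blank_values=True))
    sig = params.pop("oauth_signature", None)
    if sig is None or not hmac.compare_digest(sig, sign_request("GET", url, params, secret)):
        return None  # missing signature, tampered parameters, or an impostor without the secret
    if abs(now - int(params.get("oauth_timestamp", "0"))) > max_skew:
        return None  # stale request
    nonce = params.get("oauth_nonce")
    if nonce in seen_nonces:
        return None  # replay of a previously accepted request
    seen_nonces.add(nonce)
    return (params["opensocial_owner_id"], params["opensocial_viewer_id"],
            params["opensocial_relationship"])
```

Note that the service provider never looks at the source IP: the secret, not the container's network topology, is what proves who is calling.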

Arne Roomann-Kurrik (Google)

Dec 7, 2007, 12:58:07 PM
to OpenSocial - OpenSocial API Definition
Hi Nate,

Yeah, part of the proposal is to include container-verified Viewer/
Owner and Application IDs in the phone home calls.

~Arne

nate

Dec 7, 2007, 1:11:40 PM
to OpenSocial - OpenSocial API Definition
Thanks Arne! That makes me happy.

nate



On Dec 7, 9:58 am, "Arne Roomann-Kurrik (Google)"