implementing a poco service provider: what if i can't infer who @me is?


Ryan B

Feb 6, 2012, 1:41:44 PM
to portable...@googlegroups.com
hi all! i'm implementing a poco service provider that supports auth,
but it can't use auth credentials alone to determine who the current
logged in user (ie @me in poco) is. the poco spec kind of seems to
require this, or at least doesn't explicitly talk about non-@me paths:

http://portablecontacts.net/draft-spec.html#anchor11

it does allow extra query parameters, so i could require clients to
pass in a user id or username as a query parameter, but i'd like to
stick to the standard as close as possible so clients don't have to
hard-code support for my provider. any thoughts?

--
http://snarfed.org/

Justin Richer

Feb 6, 2012, 1:49:52 PM
to portable...@googlegroups.com, Ryan B
What we've done is standardize on URLs for different users and groups,
such as:

http://profile-server/poco/username/

To get info for a particular user. We've got sub-URLs for different bits
of the hierarchy, such as everybody in a particular user's department:

http://profile-server/poco/username/department/

PoCo doesn't really define what these query structures look like, so we
went with our own ontology. We're using both OAuth2 and OpenID for auth
on this server, and we still do have mappings for "@me" in cases where we
can look up the user ID. For directly-connected clients that use
2-legged OAuth2, we don't allow the "@me" queries.

-- Justin
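
The rule described in the post above (map "@me" to a user only when the auth context names one, refuse it for 2-legged clients, otherwise take the user from the URL), as an added example that is not code from this thread or from any poster's server. `AuthContext`, `resolve_owner`, the `/poco/` base path and the HTTP status codes are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import unquote


class PocoPathError(Exception):
    """Selector could not be resolved; carries the HTTP status to return."""

    def __init__(self, status: int, reason: str):
        super().__init__(reason)
        self.status = status


@dataclass(frozen=True)
class AuthContext:
    # Hypothetical result of validating the request's credentials.
    client_id: str
    user_id: Optional[str]  # None for a 2-legged (client-only) token


def resolve_owner(path: str, auth: Optional[AuthContext],
                  base: str = "/poco/") -> Tuple[str, List[str]]:
    """Return (owner_user_id, remaining_path_segments) for a request path."""
    if not path.startswith(base):
        raise PocoPathError(404, "not a PoCo path")
    segments = [unquote(s) for s in path[len(base):].split("/") if s]
    if not segments:
        raise PocoPathError(404, "missing user selector")
    selector, rest = segments[0], segments[1:]
    # An encoded slash or dot-segment must not become part of a user id.
    if "/" in selector or selector in (".", ".."):
        raise PocoPathError(400, "malformed user selector")
    if selector == "@me":
        # @me only has a meaning when the credentials identify a user.
        if auth is None:
            raise PocoPathError(401, "@me requires authentication")
        if auth.user_id is None:
            raise PocoPathError(400, "@me is not available to 2-legged clients")
        return auth.user_id, rest
    if selector.startswith("@"):
        raise PocoPathError(400, "unknown selector " + selector)
    # Explicit user id from the URL. Whether this caller may read that
    # user's contacts is a separate authorization check, not done here.
    return selector, rest
```
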

Joseph Smarr

Feb 6, 2012, 1:53:14 PM
to portable...@googlegroups.com, Ryan B
You can always put a real userid in place of the @me in the URL--the @me is just a shorthand when the user is clear from the auth context. But can you say a bit more about why it's not clear in your case who the user is? Might point to a different underlying problem...



Ryan B

Feb 6, 2012, 2:36:00 PM
to jsm...@stanfordalumni.org, portablecontacts
thanks for the info, guys!

the context is that i'm implementing unofficial "bridge" poco
providers for big players like facebook and twitter, similar to the
bridge webfinger providers i put up a bit ago:
http://snarfed.org/2012-01-16_webfinger_for_facebook_and_twitter

in the first pass, i'm just making clients oauth with fb and twitter
directly, then give me their retrieved credentials, which i'll pass
through. fb supports "me" requests similar to poco, but at first it
looked like twitter didn't. i've since found the way in twitter,
though: /account/verify_credentials

so, all is well, back to hacking. thanks again. feel free to follow
along if you're bored!

https://github.com/snarfed/portablecontacts-unofficial
https://facebook-portablecontacts.appspot.com/
https://twitter-portablecontacts.appspot.com/

the last two endpoints are visible but not fully functional yet. they
will be soon though!


Joseph Smarr

Feb 6, 2012, 2:47:20 PM
to Ryan B, portablecontacts
Sounds great, happy to beta test it when it's ready, just lemme know! ;) js