Here are a few reasons:
- It's hard to remember the difference between "SIGNED" and
"AUTHENTICATED". If "AUTHENTICATED" somehow authenticates my fetches,
then what does "SIGNED" do? Signing is a common way to authenticate
messages. Very confusing.
- Assuming that the gadgets.io.AuthorizationType enumeration lists
(despite its name) different ways to authenticate [1], then having
"AUTHENTICATED" as an authentication type doesn't make any sense.
- If in version 2.0 of opensocial we want to support a cool newfangled
authentication scheme NEWAUTH, then it would be kind of lame to to be
stuck with an enum of (NONE, SIGNED, AUTHENTICATED, NEWAUTH).
What say you?
Dirk.
[1] If it was really about authorization I would expect its values to
be something like ACL, CAPABILITY, ATTRIBUTE_CERT, etc.
+1
I think this change should be made unless someone has specific
objections. There are no existing deployments of full OAuth support
that are dependent on the old value. The rest of the OAuth portion of
the spec is changing because it was too vague to implement, so it
makes sense to make this change at the same time. Now that we have a
better idea of how OAuth for opensocial will actually work, we should
get the spec in sync with reality.
Cheers,
Brian
>> Now that we have a better idea of how OAuth for opensocial will
actually work
Is this documented/discussed some place? If so, can you please point me
to it?
Thanks
Chak
We've discussed bits and pieces on the shindig-dev mailing list. For
a summary of the protocol, check out http://oauth.net and read the
appendix to the OAuth specification.
The trick with OAuth for gadgets is that gadgets can't keep secrets
very well, they need help from the server. The server needs to run
the OAuth protocol on behalf of the gadget.
If you want to see a demo, here are some instructions:
1) Download the OAuth java code:
svn co http://oauth.googlecode.com/svn/code/java oauth
2) Build the OAuth java code
cd oauth
mvn install
3) Start the OAuth example service provider
cd example/oauth-provider
mvn jetty:run-war
4) In another window, download the Shindig code:
svn co http://svn.apache.org/repos/asf/incubator/shindig/trunk shindig
5) Build Shindig and start up the sample container:
cd shindig/java/gadgets
mvn jetty:run-war
6) Open up a browser and visit
http://localhost:8080/gadgets/files/samplecontainer/samplecontainer.html
7) Change the "Displaying gadget" field to
http://localhost:8080/gadgets/files/samplecontainer/examples/oauth.xml
8) Click "reset all". You may need to do this twice due a bug in the
sample container.
9) Click the "Personalize this gadget" link. A popup will take you to
the OAuth provider sample page.
10) Enter a user id (any value is fine)
11) Go ahead and close the window, then click the "I've approved
access" window in the sample container page.
12) Shindig will show you the user id you specified to the sample provider.
Chak
I'm not 100% sure I follow. As far as I can tell, there is absolutely
no way to implement OAuth without changes to gadgets.io.
Right. But this isn't a change that breaks backwards compatibility,
since nobody had implemented this part of the spec - so nobody was
using it.
So I can see a couple of ways going forward:
(1) we get it right in the 0.8 version of the spec
(2) we retroactively change the 0.7 spec
I'm voting for (2), for the following reason: nobody has used this
functionality yet. If we go for (1), we have to support two versions
of the API; if we go with (2), we only have to support one.
Dirk.
--
~Kevin
1. Do nothing, we are all just so deliriously happy.
2. Retroactively change the 0.7 spec so that AUTHENTICATED -> OAUTH
3. Change the spec in 0.8 so that AUTHENTICATED -> OAUTH (and decide
whether or not this means we need to keep an alias around)
Opinions thus far:
2. Dirk Balfanz, Kevin Brown
2 or 3. Brian Eaton and Louis Ryan
Alright, please chime in so that we can make a decision on this one.
(Especially if we go the retroactive route)
Thanks!
- Cassie