There are two requirements that I'd like explained and possibly changed.
1 "MUST be an OAuth 1.0 Service Provider"
2 Containers MUST also support the Consumer Request OAuth extension,
aka the "two legged" scenario
(http://oauth.googlecode.com/svn/spec/ext/consumer_request/1.0/drafts/1/spec.html)
In both of these cases you say "Containers MUST" but is this the spec
for the API server or the container as a whole? Would it be possible
to make the API server not be an Full OAuth SP and simply have it
defer to another one. Or, only support Consumer Request OAuth and not
the full SP implementation that assumes an interactive user?
Is it possible to have #2 required for 0.8 and #1 in 0.9? A brief chat
with Brian Eaton today led us to think that #2 is relatively easy,
whereas #1 involves much more work, has more direct impact on
usability at the SN, and doesn't have a clear use case at this moment.
Maybe someone could present the case where interactive 3-legged OAuth
would be happening more often than the other two forms of auth: Gadget
Token and 2-legged OAuth.
thanks.
davep
In general, the current restriction that groups be person (owner)
dependent may work well for groups as named person
collections/relationships between users, but severely limits future
expansion of a group role within OpenSocial. In my case, groups are a
distinct top-level entity and need a unique identifier themselves. A
group may have one person "owner" (organizer) at one point in time,
but that owner/organizer can change over time, which should not
necessitate a new ID.
I believe that with some minor changes, the current use case of groups
as user-dependent named collections can be accommodated, while still
allowing room for a future expansion of group data and functionality.
To that end I would propose revising these group sections:
2.2 A Group Example
Groups are collections of people with extended attributes. The
RESTful API supports querying for the available groups for a given
user. The groups are returned as a collection; each group has a
display name, a container-globally-unique group identifier (which MAY
be implemented relative to a container-globally-unique person
identifier for groups owned by that user) , and a URL link.
application/json representation of a group:
{
"id" : "example.org:34KJDCSKJN2HHF0DW20394:friends",
"title" : "Peeps",
"link" : {rel : "alternate", "href" :
"http://api.example.org/people/example.org:34KJDCSKJN2HHF0DW20394/@friends"
}
}
...
7.2 Groups (http://ns.opensocial.org/groups/0.8)
ggid : Container-globally-unique group identifier; MAY be defined
relative to a container-globally-unique user identifier for user owned
groups.
Groups URI examples:
/groups/{ggid} -- Group data for this group identifier
A collection of groups associated with a user could still be retrieved
through a request on the Groups URI with query parameters:
GET /groups/?uid={guid}
I realize, however, that this has further impact into both the /person
and /activities sections of the API as well, and presents a general
impedance mismatch with the {guid}/{groupid} path convention used in
both of these. But I wanted to get some feedback before proceeding
further.
So what's the consensus? Is broadening the group representation like
this useful or out of scope for the current RESTful API?
Gary H.
section 5. Request Authentication and Authorization Context
There are two requirements that I'd like explained and possibly changed.
1 "MUST be an OAuth 1.0 Service Provider"
2 Containers MUST also support the Consumer Request OAuth extension,
aka the "two legged" scenario
(http://oauth.googlecode.com/svn/spec/ext/consumer_request/1.0/drafts/1/spec.html)
In both of these cases you say "Containers MUST" but is this the spec
for the API server or the container as a whole?
Would it be possible
to make the API server not be an Full OAuth SP and simply have it
defer to another one. Or, only support Consumer Request OAuth and not
the full SP implementation that assumes an interactive user?
Is it possible to have #2 required for 0.8 and #1 in 0.9? A brief chat
with Brian Eaton today led us to think that #2 is relatively easy,
whereas #1 involves much more work, has more direct impact on
usability at the SN, and doesn't have a clear use case at this moment.
Maybe someone could present the case where interactive 3-legged OAuth
would be happening more often than the other two forms of auth: Gadget
Token and 2-legged OAuth.
It's not trivial to implement an OAuth service provider. The crypto
is easy, the hard parts are:
- registering consumers
- deciding on appropriate access levels and resources for OAuth APIs
- identifying and reacting to abuse
Those aren't problems that can be solved by libraries. The second
item, spec'ing out what access rights an OAuth consumer should have,
seems to be something that will have to be standardized in order to be
useful.
(For the consumer request flow, it seems reasonable to state that the
server-to-server API provides the same functionality and access levels
that the gadget-to-server flow provides, because the gadget and the
server are just two sides of the same coin. Adding a third party to
the mix doesn't fit into the analogy: what access rights should the
third-party be able to request, and what is out of bounds?)
> The use case I'm thinking of here is an independent developer who wants add
> value to a user's social network data and doesn't want to ask users for
> their passwords. For example, a book club web site that adds "Now
> reading..." activities to your activity stream.
Good use case. A bunch of bullet points along these lines would be
very useful in guiding development.
I think the spec should allow for non-authenticated access of data.
Probably read only and probably because that data is already public
html. In which case the requirement to support oAuth would become moot.
--
Julian Bond E&MSN: julian_bond at voidstar.com M: +44 (0)77 5907 2173
Webmaster: http://www.ecademy.com/ T: +44 (0)192 0412 433
Personal WebLog: http://www.voidstar.com/ skype:julian.bond?chat
Get _Sirius_ in 2008
I'd like to point out two issues:1. Which operation is allowed for each URI patternThe current spec provides URI examples, but I think each possible URI pattern should be defined and have a set of allowed operations. For instance,CR /activities/{guid}/@selfR /activities/{guid}/@friendsRUD /activities/{guid}/@self/{aid}where CRUD means POST GET PUT DELETE.
2. Application IDappid is introduced in section 7.4, but OpenSocial 0.7 defines that appdata is user-scope, so there's no such concept. Is app-scope of appdata introduced as well in OpenSocial 0.8?
It's not trivial to implement an OAuth service provider. The crypto
On Wed, May 7, 2008 at 2:13 PM, John Panzer <jpa...@google.com> wrote:
> Hmm, #1 is just standard OAuth, and there's a lot of libraries already out
> there to support it. The UI is pretty trivial. The user experience is not
> as good, but better than nothing, which is what the long tail of
> applications get if you have to wait for lawyers to negotiate federation
> agreements for every integration...
is easy, the hard parts are:
- registering consumers
- deciding on appropriate access levels and resources for OAuth APIs
- identifying and reacting to abuse
Those aren't problems that can be solved by libraries. The second
item, spec'ing out what access rights an OAuth consumer should have,
seems to be something that will have to be standardized in order to be
useful.
(For the consumer request flow, it seems reasonable to state that the
server-to-server API provides the same functionality and access levels
that the gadget-to-server flow provides, because the gadget and the
server are just two sides of the same coin.
Adding a third party to
the mix doesn't fit into the analogy: what access rights should the
third-party be able to request, and what is out of bounds?)