I agree that it's less than ideal to embed a secret in the gadget XML
file. That's why the proposal includes a mechanism for encrypting the
secret key. Currently each app is assigned a single set of OAuth
credentials out of band from the gadget XML upload. This works fine
when the gadget is only communicating with the container-provided APIs
or custom APIs under the control of the gadget developer such that
they can specify OAuth credentials expected by the endpoint.

What is missing is a mechanism to define multiple OAuth (or other)
credentials. For instance, a mashup app wants to execute on Myspace
and talk to the social APIs, but also check in to Foursquare.
Foursquare uses OAuth, but has supplied different credentials from
those assigned to the gadget. Right now the only way to do this would
be for the app to have a private API that wraps the target Foursquare
API and makes the call using the correct credentials. This proposal
would allow the gadget to make the call to the target API on
Foursquare directly without the need to bounce it off a different API
to translate the OAuth credentials. I see a need to define a little
more how the client gadgets.io.makeRequest could also use the
credentials.

This would also seek to provide a mechanism to safely embed other
styles of API security credentials in the gadget XML so that a wider
variety of APIs can be called.

On Feb 20, 11:07 pm, Bastian Hofmann <bashofm...@googlemail.com> wrote:
> Some things I don't understand yet about this proposal:
>
> - How would you ensure that a shared secret is not compromised? It seems to
> be very public for me, if you are putting it into the gadget xml.
> - How is this different from the current oauth authorization type?
> - You are talking about OAuth2 and other authorization mechanisms. Wouldn't
> it make more sense to just add these authorization types to makeRequest or
> osapi:http, methods that gadget developers already use and know, instead of
> defining new tags and methods?
>
> -- Bastian
>
> 2011/2/19 rbaxter85 <rbaxte...@gmail.com>