Restricting by IP address is definitely a bad way to go. It ties the
functionality of your application to the (each) container's network
topology.

I think we just have to be patient and wait for the OpenSocial
developers to release a mechanism for authentication. They've said
they are working on it repeatedly, and I'm sure it's their top
priority (because they said so).

The OAuth request signing mechanism allows the service provider (your
app's home site) to verify that it's talking to the container and not
an impostor using shared secrets. That way, you don't need to check
for IPs or do anything else hinky.

My only suggestion (that I have not heard explicitly from any O.S.
people) is that they make sure to include verified information about
the gadget owner and viewer. This is not part of OAuth, and it
doesn't sound like the O.S. developers are going to implement OAuth in
its entirety. This is an O.S.-specific feature that containers would
be required to implement.

nate
> On Dec 5, 2007 12:07 PM, Paul Lindner <plind...@hi5.com> wrote:
>
>
>
> > Please read this:
>
> >
http://opensocialapis.blogspot.com/2007/11/improved-content-fetching-...
> > > On Dec 4, 2007 9:37 PM, nate <o.nl...@gmail.com> wrote:
>
> > > > This may or may not be obvious, but I would like to make a request
> > > > regarding the data that will get signed into _IG_Fretch_Content()
> > > > requests originating from OpenSocial containers.
>
> > > > I think the primary thing that Service Provider apps will want to
> > > > validate is the viewer/owner relationship. To that end, it would be
> > > > really handy to make every _IG_Fretch_Content() request contain a
> > > > signed:
> > > > * gadget owner ID
> > > > * gadget viewer ID
> > > > * owner/viewer relationship (i.e. "friends" or "public") with
> > > > respect to the container
>
> > > > If this info can be made non-spoofable, Service Providers can reliably
> > > > apply privacy settings, not to mention allow the gadget owner to set
> > > > privacy settings from within the container.
>
> > > > Thanks for your consideration, and all your hard work.
>
> > > > - nate
>
> > --
> > Paul Lindner
> > hi5 Architect
> > plind...@hi5.com
>
> --
> Luciano
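
The shared-secret check discussed in this message, sketched as an added example (not code from the thread or from OpenSocial): a service provider verifying an OAuth 1.0 HMAC-SHA1 signature over a request that carries owner and viewer IDs. The parameter names `owner_id` and `viewer_id`, the URL, the consumer key and the secret are assumptions made for illustration.

```python
import base64, hashlib, hmac, time
from urllib.parse import quote

def _enc(value):
    # OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters stay bare.
    return quote(str(value), safe="-._~")

def sign(method, url, params, shared_secret):
    # Signature base string: METHOD & url & sorted, encoded parameters.
    # Assumes url is already normalized (lowercase scheme/host, no query part).
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), _enc(url), _enc(normalized)])
    key = (_enc(shared_secret) + "&").encode()  # no token secret in this flow
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def verify(method, url, params, shared_secret, seen_nonces, now=None, max_skew=300):
    """Return (owner_id, viewer_id) only if the container really signed them."""
    now = time.time() if now is None else now
    if params.get("oauth_signature_method") != "HMAC-SHA1":
        raise ValueError("unexpected signature method")
    expected = sign(method, url, params, shared_secret)
    supplied = params.get("oauth_signature", "")
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        raise ValueError("bad signature")
    if abs(now - int(params.get("oauth_timestamp", 0))) > max_skew:
        raise ValueError("stale timestamp")
    nonce = (params["oauth_timestamp"], params.get("oauth_nonce"))
    if nonce in seen_nonces:
        raise ValueError("replayed request")
    seen_nonces.add(nonce)
    return params["owner_id"], params["viewer_id"]

# Constructed sample: what a container would send to the app's home site.
SECRET = "constructed-shared-secret"
URL = "https://app.example/feed"

def sample_request():
    p = {"oauth_consumer_key": "container.example",
         "oauth_signature_method": "HMAC-SHA1",
         "oauth_timestamp": "1196900000", "oauth_nonce": "n-1",
         "owner_id": "1001", "viewer_id": "2002"}  # hypothetical ID parameters
    p["oauth_signature"] = sign("GET", URL, p, SECRET)
    return p
```

Because the IDs are covered by the signature, changing `viewer_id` in transit invalidates the request, and the nonce set rejects a captured request that is sent again.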