Here is one of the original writeups of OpenSocial + 2LO with a scanned napkin drawing :-)
http://sites.google.com/site/oauthgoog/2leggedoauth/2opensocialrestapi On Tue, Mar 16, 2010 at 11:12 AM, David Recordon <record...@gmail.com>wrote: > Kevin Marks has been bugging me for awhile to understand how > OpenSocial makes use of two-legged OAuth. I reached out to the team > and here's their description (via Evan Gilbert). In general it seems > like they're more making use of OAuth's RSA signature mechanism rather > than the user authorization and access token flows. > > 1. Developer (let's say iLike) creates a gadget that runs in multiple > containers. > 2. User Bob is views iLike gadget on MySpace and the iLike gadget > needs to make a request back to iLike's home server to get private > data (let's say the user's favorite bands) > 3. iLike gadget makes a JavaScript call to get this data from iLike > servers. This call uses a gadgets API (gadgets.io.makeRequest) that > proxies the request through MySpace servers. > 4. MySpace adds validated URL parameters to the request - most > importantly opensocial_viewer_id and opensocial_app_url. MySpace then > signs the request and then forwards on the request to iLike's servers. > 4.5 iLike can choose to sign request with MySpace's private key or > with a shared secret between iLike & MySpace. > 6. iLike verifies the signed request, using MySpace's public key or > the shared secret. > 7. iLike checks verifies opensocial_app_url to make sure this isn't a > different gadget asking for data. > 8. Lastly iLike looks up user data based on opensocial_viewer_id and > returns it back to the gadget. > > Intro to signed requests: > http://wiki.opensocial.org/index.php?title=Introduction_To_Signed_Requests > Validation of signed requests: > http://wiki.opensocial.org/index.php?title=Validating_Signed_Requests > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
