[oauth] Re: 3-legged OAuth without application registration

2010-02-22 Thread zemi
Thanks for both answers!

Vinod: Can using certificates be replaced by an SSL connection (isn't
OAuth WRAP about it?) or is it something different?

I would like to use this 'anonymous-consumer' approach in a distributed
application so any of these app instances can use the others' services
without pre-registration.
But at the same time I need to 'auto' register the consumers in a way that
they are unique (URL?) so I can identify them on the provider side, so that
a user can revoke the access token later if needed.
Do I actually need to create a consumer key/secret for each request or
the token only?
What do you think?

Regards,
Matus

On Feb 22, 2:50 am, Allen Tom a...@yahoo-inc.com wrote:
 Perhaps a Googler can jump in on this - Google allows OAuth apps to use
 "anonymous" as their consumer key, with "anonymous" as their consumer
 secret. These apps do not need to pre-register for a consumer key.

 See bullet point #2 in Google's OAuth docs regarding the "anonymous"
 consumer key:
 http://code.google.com/apis/accounts/docs/OAuth_ref.html#SigningOAuth

 This also means that the oauth_callback URL is not bound to any particular
 domain and can be anything.

 I personally think that this is a great way to lower the barrier for
 developers to start using OAuth protected APIs. However, Yahoo and many
 other Service Providers are not able to allow for the anonymous consumer key
 due to legal requirements (we require our developers to agree to a legal
 terms of use), as well as business requirements (we want contact info for
 our developers).

 As far as the original poster's question asking how Service Providers can
 implement this - I think the anonymous consumer key implementation is pretty
 straightforward. I suppose the UI for the approval screen as well as the
 token management/revocation screens could be strange (what does the SP call
 the app on these screens?). It could also be tricky to implement a kill
 switch if the SP wants to pull the plug on a rogue app using the anonymous
 consumer key.

 Allen

 On 2/20/10 11:33 PM, Vinod facebook vinod.faceb...@gmail.com wrote:



  Hi zemi,

   This can be done using asymmetric key cryptography. For example if
  abc.com is a service provider and if they wanna add a gadget to
  google.com (consumer) to offer their services to their clients using
  google.com. Google signs all requests to service provider using a private
  key and the service provider uses a public certificate provided by google
  to verify all the requests originating from google to be authentic and
  legitimate. This signing and validation of request messages happens at
  both the ends (consumer and service provider). With this, a prior
  registration is not required on the service provider side.

  A list of open social public certificates is provided in the following
  link:

 https://opensocialresources.appspot.com/certificates

  The following link provides you an insight into implementing signed fetch
  using asymmetric key cryptography. The same can be used with 3-legged oauth.

 http://wiki.opensocial.org/index.php?title=Validating_Signed_Requests

  Note: There is no such 'anonymous consumer key' as per my understanding. If
  you view the list of public certificates, along with the public certificate
  a corresponding oauth_consumer_key is provided and is a fixed value.

  With Regards,
  R.Vinod Kumar

  On Fri, Feb 19, 2010 at 5:49 AM, zemi matusz...@gmail.com wrote:
  Hi everybody,
  I need a consumer to request (3-legged) 'request' tokens without
  previous registration on provider side.
  I've noticed Google and Plaxo support this with 'anonymous' consumer
  key? How exactly is this then handled on provider side? Do they create
  token only or consumer key also?
  Thanks for help folks!

  Regards,
  zemi

  --
  You received this message because you are subscribed to the Google Groups
  OAuth group.
  To post to this group, send email to oa...@googlegroups.com.
  To unsubscribe from this group, send email to
  oauth+unsubscr...@googlegroups.com
  mailto:oauth%2bunsubscr...@googlegroups.com .
  For more options, visit this group at
 http://groups.google.com/group/oauth?hl=en.
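
Added example (not part of the thread, and not Google's, Yahoo's or any poster's code): a provider-side sketch of the "anonymous" consumer discussed above, showing that the HMAC-SHA1 signature only protects request integrity because the secret is public, and that the provider mints a request token only. The endpoint URL, the in-memory stores, the use of the callback host as the app label on approval/revocation screens and the host-based kill switch are all assumptions.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import quote, urlsplit

ANON = "anonymous"        # key and secret are both this public value (per the thread)
TOKEN_URL = "https://sp.example/oauth/request_token"  # hypothetical endpoint
request_tokens = {}       # token -> record; in-memory store (assumption)
blocked_hosts = set()     # kill switch keyed on callback host (assumption)
seen_nonces = set()       # replay guard for (timestamp, nonce) pairs

def pct(value):
    # OAuth 1.0 percent-encoding: only unreserved characters stay literal
    return quote(str(value), safe="-._~")

def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    # Signature base string: METHOD & encoded URL & encoded sorted parameters
    pairs = sorted((pct(k), pct(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), pct(url), pct(normalized)])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def issue_request_token(method, url, params):
    if params.get("oauth_consumer_key") != ANON:
        raise PermissionError("not the anonymous consumer")
    expected = hmac_sha1_signature(method, url, params, ANON)
    supplied = params.get("oauth_signature", "")
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        raise PermissionError("bad signature")
    nonce = (params.get("oauth_timestamp"), params.get("oauth_nonce"))
    if nonce in seen_nonces:
        raise PermissionError("replayed nonce")
    seen_nonces.add(nonce)
    host = urlsplit(params.get("oauth_callback", "")).hostname
    if not host or host in blocked_hosts:
        raise PermissionError("callback host missing or blocked")
    token = secrets.token_urlsafe(16)
    # Only a token is minted; the callback host is the one app label available
    request_tokens[token] = {"secret": secrets.token_urlsafe(16),
                             "label": host, "callback": params["oauth_callback"]}
    return token

def constructed_request(callback, nonce):
    # Constructed sample: what any unregistered app can send
    params = {"oauth_consumer_key": ANON, "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": "1266800000", "oauth_nonce": nonce,
              "oauth_version": "1.0", "oauth_callback": callback}
    params["oauth_signature"] = hmac_sha1_signature("POST", TOKEN_URL, params, ANON)
    return params
```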




[oauth] 3-legged OAuth without application registration

2010-02-18 Thread zemi
Hi everybody,
I need a consumer to request (3-legged) 'request' tokens without
previous registration on provider side.
I've noticed Google and Plaxo support this with 'anonymous' consumer
key? How exactly is this then handled on provider side? Do they create
token only or consumer key also?
Thanks for help folks!

Regards,
zemi
