Generally sounds fine to me. A few thoughts: 1. Is it expected that WRAP will simply be a subset of OAuth2 or will we require a separate OAuth2 code path?
2. The messaging I've generally heard is that OAuth2 will pretty much completely replace WRAP. In practice I doubt that will be the case in full, which could mean we're stuck supporting barely-used code. Thoughts on this? 3. Can you give a sense (anecdotal is fine) of how widely used WRAP is these days, ie. the value of supporting it for the code base? 4. How much new code do you expect in OAuthRequest, roughly? It seems that class is already getting quite large... --j On Thu, Aug 12, 2010 at 12:08 AM, Brian Eaton <[email protected]> wrote: > Hey folks - > > I'm thinking about adding support for the OAuth WRAP protocol to Shindig. > OAuth WRAP was an early predecessor to OAuth 2. OAuth 2 is still a moving > target, but OAuth WRAP is final, and there are implementations in the wild. > > The relevant shindig code is all in OAuthRequest.java. This is entirely > about outbound requests from Shindig, not inbound requests. > > OAuth WRAP is fairly similar to the Scalable OAuth Extension, which is > already implemented in Shindig. > > I'd only implement the web app profile of OAuth WRAP; that's the only > interesting one for gadgets. > > I'd expect the OAuth WRAP code to move readily to OAuth 2 once OAuth 2 is > finalized. The web app profile has seen lots of parameter name changes, > but > the basic protocol steps have been constant for a few months now. > > The major functional gap between OAuth WRAP and OAuth2 is cryptographic > signing; there are many key OpenSocial features that won't work until we've > got a solid design for that. I'd expect OpenSocial to use one of the > OAuth2 > assertion profiles. At any rate, that work would not be done first. > > Thoughts on this? > > Cheers, > Brian >
