I'd like to see OpenSocial adopt OAuth 2.0 rather than WRAP. I'd go further and say that a good target for this to happen is OpenSocial 1.1 next, which is tentatively scheduled for June/July 2011. This allows us to start building out the implementation now, in shindig extras, and allow that to be the prototype required by the OS dev. process. This also allows the spec and the implementation to rely on an official standard.
-Mark W. From: Brian Eaton <[email protected]> To: [email protected] Date: 08/13/2010 05:35 PM Subject: Re: OAuth WRAP client support in Shindig? On Thu, Aug 12, 2010 at 12:18 AM, John Hjelmstad <[email protected]> wrote: > Generally sounds fine to me. A few thoughts: > > 1. Is it expected that WRAP will simply be a subset of OAuth2 or will we > require a separate OAuth2 code path? > I think that WRAP is a subset of OAuth2, plus some parameter changes. The basic web server flow has seen no fundamental changes. > 2. The messaging I've generally heard is that OAuth2 will pretty much > completely replace WRAP. In practice I doubt that will be the case in full, > which could mean we're stuck supporting barely-used code. Thoughts on this? > Could happen. 3. Can you give a sense (anecdotal is fine) of how widely used WRAP is these > days, ie. the value of supporting it for the code base? > Live at Microsoft, and at Google. Google is not widely documenting our WRAP support. We needed it for a few particular use cases, and it is being quietly used there. > 4. How much new code do you expect in OAuthRequest, roughly? It seems that > class is already getting quite large... I think this is the big question. The other question is if/when OpenSocial will adopt the OAuth2 crypto proposals. They've been dropped from the core spec due to lack of consensus, but I think we did arrive at something that OpenSocial will want some day. Cheers, Brian
