Thanks for the great response, Jesse! FYI there is indeed an implementation of auth-refresh in common container, with a token refresh endpoint impelemented in the metadata APIs (GadgetsHandler/GadgetsHandlerService).
--j On Mon, Dec 20, 2010 at 10:27 AM, Ciancetta, Jesse E. <[email protected]>wrote: > Hi Gabriel, > > The auth-refresh feature just registers a gadgets.rpc endpoint which you > can call from the container side to update the gadget security token -- but > it's up to you in your container implementation to actually maintain the > tokens in the first place. The auth-refresh feature just gives you a hook > to inject the updated token back into the gadget once you have it. > > I think there may be an implementation of the container side code required > to maintain security tokens in the common container feature, but I haven't > really spent any time digging into the common container yet so I'm not sure > if that piece is complete or not. But we have implemented this in our own > container, and our implementation goes something like this: > > -- When the page initializes, a javascript object representing each gadget > on the page is created and stored for later use. > -- We use setInterval to schedule code to run every X minutes that is > responsible for refreshing the security tokens. > -- When the refresh code runs, we enumerate all the gadgets on the page > collecting up their (still current) security tokens and then send them off > to a custom restful service which sends back updated versions of them. > -- We enumerate the updated tokens and distribute them back to each gadget > using gadgets.rpc.call and the "update_security_token" handler registered on > the gadget side through the inclusion of the auth-refresh feature. > > Hope that helps! > > --Jesse > > -----Original Message----- > From: Gabriel Guardincerri [mailto:[email protected]] > Sent: Monday, December 20, 2010 12:56 PM > To: [email protected] > Subject: Re: Is there a way to automatically update the security token to > avoid expiration > > great, do you know how to enable that? Will it refresh the whole gadget or > just the security token? I mean, if the user modified something in the > gadget, will he/she still see that change after that auto-refresh? > > Thanks, > > Gabriel > > On Mon, Dec 20, 2010 at 8:40 AM, Paul Lindner <[email protected]> wrote: > > > There's an auth-refresh feature that you can force as default for > > gadgets. It works by piggybacking a new security token on gadgets.io > > requests. > > > > On Fri, Dec 17, 2010 at 12:01 PM, Gabriel Guardincerri > > <[email protected]> wrote: > > > I forgot to add the error: > > > > > > HTTP Status 401 - Malformed security token > > > > > > default:dJnVqUV6qogiu_uAHZBTvccDdmUDerwbkKxc1-WegpyBLzpI9uz6P8NTF66SJ1kq94wzkYdiFHEaHXGFk7BGQ7A97mMtUqWGCyyk4s5bqCOes7Oh6EkPcPGUUFVPLu5UCbLEd7LIR08PRnIoaHGiaUrCUdPPw-x_UCcVJGz_IL4n2s2tKtJyIzZPba0mnAsUHwUH4fYsmUAuup58Xye3-FEKolHjSsO2Xro9bX_LtALzvY5Yorg.apache.shindig.common.crypto.BlobExpiredException: > > > Blob expired, was valid from Mon Nov 22 20:56:50 PST 2010 to Mon Nov 22 > > > 22:02:50 PST 2010, attempted use at Mon Nov 22 22:07:02 PST 2010 > > > > > > On Fri, Dec 17, 2010 at 9:52 AM, Gabriel Guardincerri < > > [email protected]>wrote: > > > > > >> Hi, > > >> > > >> We are using "BlobCrypterSecurityToken" and that generates security > > tokens > > >> that expire after 1 hour. After that time the app/gadget brakes and > > returns > > >> a 401 ugly error. So I was wondering if there's a way to automatically > > >> refresh that token before it expires to avoid that error and keep the > > >> app/gadget working. > > >> > > >> Thanks, > > >> > > >> Gabriel > > >> > > > > > > > > > > > -- > > Paul Lindner -- [email protected] -- linkedin.com/in/plindner > > >
