On Fri, Mar 19, 2010 at 2:45 PM, Brian Eaton <[email protected]> wrote:
>
> Ah, the other reason plaintext doesn't work is because one of the
> goals is to guarantee the integrity of the identity information passed
> in the request - neither the application author nor the viewer of the
> application is permitted to tamper with those parameters.
I don't think so. In the OpenSocial case, the only "OAuth Consumer" per se is the OpenSocial container. The gadget is not making signed requests and is completely trusting the container to represent it properly to the OAuth Provider. In other words, from an OAuth request flow perspective, the gadget is pretty much irrelevant.

Because of this, on my reading, OpenSocial gadgets will have a hard time making use of general purpose APIs, because general purpose APIs will ignore the opensocial_viewer_id parameter, which is the key to figuring out what application user is making the request. In other words, the gadget and the OAuth provider must completely trust the OpenSocial container to correctly represent the user making the request.

Am I reading it wrong?

Ethan

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
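The trust relationship discussed in this thread, as an added example that is not part of the original message: the container signs a 2-legged OAuth 1.0 (HMAC-SHA1) request carrying opensocial_viewer_id, so the identity parameter's integrity rests entirely on the container's consumer secret. The provider code shows why a general-purpose provider only ever learns "the container called" while an OpenSocial-aware one can act on the viewer id. The URL, consumer key, secret, timestamp and nonce are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample values, not real credentials or endpoints.
URL = "https://api.example.com/resource"
CONTAINER_KEY = "example-container"
SECRETS = {CONTAINER_KEY: "container-secret-EXAMPLE"}  # provider's consumer store

def pct(s):
    """RFC 3986 percent-encoding as OAuth 1.0 requires (unreserved: A-Z a-z 0-9 - . _ ~)."""
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    """Signature base string over every parameter except oauth_signature, sorted by key then value."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with consumer secret & token secret (empty when 2-legged)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def container_request(viewer_id, app_id, timestamp="1268999100", nonce="constructed-nonce-1"):
    """The request the container sends on a gadget's behalf: identity params plus its own signature."""
    params = {
        "oauth_consumer_key": CONTAINER_KEY, "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp, "oauth_nonce": nonce, "oauth_version": "1.0",
        "opensocial_viewer_id": viewer_id, "opensocial_app_id": app_id,
    }
    params["oauth_signature"] = sign("GET", URL, params, SECRETS[CONTAINER_KEY])
    return params

def provider_identify(method, url, params, opensocial_aware):
    """Provider-side check. Returns the identity the provider acts on, or None if the signature
    fails. A general-purpose provider only learns the consumer (the container); an OpenSocial-
    aware one additionally trusts opensocial_viewer_id because the container signed it."""
    secret = SECRETS.get(params.get("oauth_consumer_key"))
    if secret is None:
        return None
    expected = sign(method, url, params, secret)
    if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
        return None  # any change to opensocial_* or oauth_* params lands here
    if opensocial_aware:
        return ("viewer", params["opensocial_viewer_id"])
    return ("consumer", params["oauth_consumer_key"])
```

Note that the gadget never holds a key of its own here; if the container misreports opensocial_viewer_id, the signature still verifies, which is exactly the trust the thread is describing.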
