Here is the scenario: A user has installed my application. This user (the owner) can change stuff in this gadget, visitors can just look at it. Opensocial let's me know that visitor.id == owner.id. This is great, but how do I really know that I'm not being spoofed? Let's assume that this is important because we are dealing with some resource outside of orkut (our service).
Facebook API gives you an easy way to do this. The facebook ID you get back is accompanied by a fb_sig based on a MD5 digest. Your server can be relatively certain that the facebook ID you got back isn't faked. Is there any similar mechanism planned for OpenSocial? -jay --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "OpenSocial Developers" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/opensocial-api?hl=en -~----------~----~----~----~------~----~------~--~---
