This is a relatively complicated issue, since:

- User IDs can only be authenticated by the container where they came from. You would need namespaces for user IDs.
- You would need to either:
  1. exchange a secret with each container that embeds your app or
  2. call back to the container for every single transaction in order to validate a session key to user ID mapping

I have a suggestion regarding how they might implement #1 at the end of my post:
http://hyper.to/blog/link/opensocial-insecurity-no-user-to-app-authentication/

On Nov 4, 12:10 pm, "Jay Hoover" <[EMAIL PROTECTED]> wrote:
> Great, thanks for the pointer Rick.
>
> -jay
>
> On Nov 4, 2007 1:13 AM, RickMeasham <[EMAIL PROTECTED]> wrote:
>
> > On Nov 4, 4:39 pm, "Jay Hoover (Snapvine)" <[EMAIL PROTECTED]>
> > wrote:
> > > This is great, but how do I
> > > really know that I'm not being spoofed? Let's assume that this is
> > > important because we are dealing with some resource outside of orkut
> > > (our service).
>
> > There's a couple of other threads talking about this .. I asked Arne
> > about it in the IRC channel .. fix is days away:
>
> > http://jaiku.com/channel/OpenSocial/presence/16633371
>
> > Cheers!
> > Rick Measham

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "OpenSocial Developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/opensocial-api?hl=en
-~----------~----~----~----~------~----~------~--~---
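
Added example (not part of the original message, and not the scheme from the linked blog post): a sketch of option 1 above, where the app holds one shared secret per container, checks an HMAC over the container name, user ID and timestamp, and hands back a namespaced user ID. The container names, secrets, field layout and five-minute freshness window are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Hypothetical per-container secrets, exchanged out of band (option 1).
CONTAINER_SECRETS = {
    "orkut.example": b"constructed-secret-A",
    "other.example": b"constructed-secret-B",
}
MAX_SKEW_SECONDS = 300  # assumed freshness window


def _message(container, user_id, timestamp):
    # Length-prefix each field so ("ab", "c") cannot collide with ("a", "bc").
    parts = [container, user_id, str(timestamp)]
    return b"".join(
        len(p.encode()).to_bytes(4, "big") + p.encode() for p in parts
    )


def sign_assertion(container, user_id, timestamp, secret):
    """Container side: MAC the (container, user ID, time) triple."""
    msg = _message(container, user_id, timestamp)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_assertion(container, user_id, timestamp, signature, now=None):
    """App side: return the namespaced ID 'container:user_id', or None."""
    secret = CONTAINER_SECRETS.get(container)
    if secret is None:
        return None  # no secret was exchanged with this container
    now = time.time() if now is None else now
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return None  # stale or replayed assertion
    expected = sign_assertion(container, user_id, timestamp, secret)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return None  # forged, altered, or signed by a different container
    # Namespacing keeps user 12345 on one container distinct from
    # user 12345 on another.
    return f"{container}:{user_id}"
```

The same user ID asserted by two containers yields two different namespaced IDs, so an account on one container cannot be used to claim an identity on another.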
