Hi Akash,

It might be better to direct your questions to the
[email protected] mailing list; my expertise is more on the
server side, and I might not always be around to answer emails either, so in
either case the opensocial-api group is a much better bet!

To your question: no, to make a verified call to your app server you would
use a signed request. The mail you linked to was about the RESTful interface
as defined in the 0.8.1 spec, which is intended for server-to-server
communications, and not directly for gadgets (since they have easier-to-use
JS APIs for getting information).

A great place to find lots of articles (including about signed requests) is
http://code.google.com/p/opensocial-resources/

In this case you probably would want to read:
http://code.google.com/p/opensocial-resources/wiki/OrkutValidatingSignedRequests

Now about the gadget XML: yes, a lot of containers expose where the XML file
lives; however, is it really a problem that people know your app server lives
on my.foo.com? As long as you check the requests using the container's
certificate (see the linked article above) you can validate whether an incoming
call is indeed from Orkut, and if not, just ignore it.

PS: even if you were able to hide the gadget XML, people could still see the
calls being made from their browser (with anything like Firebug, TCP
logging, etc.), and security-through-obscurity never works out well in
practice :)

Hope that helps!

   -- Chris
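As an added illustration of the signed-request check Chris describes (this is not code from the thread, from Shindig or from Orkut), here is an app-server-side verifier in Python. It assumes HMAC-SHA1 with a constructed shared secret so it runs offline; an Orkut container signs with RSA-SHA1, so in production the signature step becomes an RSA verify against the container's published certificate, while the base-string construction and the timestamp and nonce checks stay the same. The URL, parameter values, consumer key and secret are all constructed.

```python
import base64, hashlib, hmac, time
from urllib.parse import parse_qsl, quote, urlencode

# Constructed values: app endpoint, consumer key, and a shared secret standing
# in for the container's RSA key pair (RSA-SHA1 would replace hmac_sha1_signature).
APP_URL = "https://my.foo.com/api/store"
CONSUMER_SECRET = "constructed-example-secret"
PARAMS = [("opensocial_owner_id", "12345"), ("opensocial_viewer_id", "12345"),
          ("opensocial_app_id", "999"), ("oauth_consumer_key", "container.example"),
          ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", "1228867200"),
          ("oauth_nonce", "nonce-0001"), ("oauth_version", "1.0")]

def _enc(s):
    # OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters stay bare.
    return quote(str(s), safe="-._~")

def signature_base_string(method, base_url, params):
    # All params except oauth_signature, encoded and sorted; then METHOD&url&params.
    norm = sorted((_enc(k), _enc(v)) for k, v in params if k != "oauth_signature")
    param_str = "&".join(f"{k}={v}" for k, v in norm)
    return "&".join([method.upper(), _enc(base_url), _enc(param_str)])

def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    mac = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def sign_request(method, base_url, params, secret):
    # What the container does before calling the app server: append the signature.
    sig = hmac_sha1_signature(signature_base_string(method, base_url, params), secret)
    return urlencode(params + [("oauth_signature", sig)])

def verify_signed_request(method, base_url, query, secret, seen_nonces,
                          now=None, max_skew=300):
    """App-server side: return (ok, reason) for an incoming signed request."""
    params = parse_qsl(query, keep_blank_values=True)
    p = dict(params)
    if p.get("oauth_signature_method") != "HMAC-SHA1":
        return False, "unsupported signature method"
    now = time.time() if now is None else now
    if abs(now - int(p.get("oauth_timestamp", "0"))) > max_skew:
        return False, "timestamp outside allowed window"
    expected = hmac_sha1_signature(signature_base_string(method, base_url, params), secret)
    if not hmac.compare_digest(expected, p.get("oauth_signature", "")):
        return False, "bad signature"
    # Record the nonce only after the signature is genuine, so unsigned junk cannot fill the store.
    if p.get("oauth_nonce") in seen_nonces:
        return False, "replayed nonce"
    seen_nonces.add(p.get("oauth_nonce"))
    return True, "ok"
```

A request whose opensocial_viewer_id was altered in transit fails the signature check, a resent copy fails the nonce check, and a stale one fails the timestamp window.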

On Tue, Dec 9, 2008 at 6:00 PM, Akash Xavier <[EMAIL PROTECTED]> wrote:

> Hi Chris
>
> I am developing an OpenSocial app. My OS app needs to be able to store
> data, so I'm using an app server. When I make requests I need to be able to
> verify on the app server whether it is the gadget that is making the call. I
> found the following snippet in John Panzer's post here
> http://groups.google.com/group/oauth/msg/a143e3e0242d64cd
>
> "
> The container needs to be able to tell the app's server "here is a request
> from me, container C, from gadget G, in the context of Y's page, being
> viewed by user Z".  The app's server needs to be able to verify that the
> container indeed claims this to be true.
> "
>
> I understand that I need to use OAuth for this. But any good docs or
> tutorials for using OAuth?
> I'm developing my app for Orkut OpenSocial. Orkut is currently running
> OpenSocial 0.8 as per latest updates. Any docs you can point me to? Examples
> probably?
> Or is there any other way of doing this? Or at the very least, I don't
> want people to look at my gadget XML file so that they don't know the API
> urls to my app server. Does shindig expose the app's gadget file url?
>
> Thanks
>
> --
> Akash Xavier
> [EMAIL PROTECTED]
>

You received this message because you are subscribed to the Google Groups
"OpenSocial Application Development" group.
