On 1/30/08, Brian Eaton <[EMAIL PROTECTED]> wrote:
>
> I'm not sure I understand your question. Could it be paraphrased as
> "how does the container know that the gadget has the permission to
> reveal the viewer ID by making a phone home request?"

If you replace "container" by "gadget server", that's affirmative; as I understand it, the secure phone home (in case of running one's own gadget server) does not go through the container, right? So: "how does the gadget server know that the gadget has the permission to reveal the viewer ID by making a phone home request?"

Problem is that only the container-webpage knows whether this permission has been obtained (in the general case, obviously sometimes the permission is always granted or denied). So either the call needs to go through the container page, or the gadget needs to have some token that affirms that it has access to the viewer_id (or viewer_whatever), which needs to be checked by the gadget server.

> If that's the question, then I think the answer is you need an access
> control layer of some type within the container. The container needs
> to know that revealing the viewer ID is acceptable to the user. This
> gets into some interesting topics, like how should the viewer ID be
> chosen (is it an e-mail, or a username, or just an opaque value unique
> to each user? Should different gadgets see different viewer IDs for
> the same user, or should gadgets be able to correlate viewer IDs?)
> Does anyone know if the opensocial specs have touched on these
> questions?

Actually, I posted some of these questions on the OpenSocial some days back, and Arne is trying to find someone for me that can answer those questions :)

http://groups.google.com/group/opensocial-api/browse_thread/thread/11d9300e61a2577a

Reinoud

