On Feb 1, 2008 7:48 AM, Brian Eaton <[EMAIL PROTECTED]> wrote:
> > > "In my opinion (although I'm not sure that everyone on the Shindig list
> > > agrees with me), there should not be a requirement that your container and
> > > the Shindig server are in the same language, or share code, share
> > > datasources, share anything but a handful of shared secrets. The only thing
> > > that you need in your own programming language is the GadgetSigner (soon to
> > > be renamed GadgetTokenSigner) and appropriate subclasses. This is not more
> > > than a couple of lines of code in most cases. (I think they can even be
> > > compiled to standalone Java programs, which are then run from the
> > > commandline, so they can be called from any environment)."
>
> This is a noble goal, but is it realistic? There's a lot of per-user
> data the container will have that the gadget needs to peek at: owner
> ids, viewer ids, friends lists, OAuth access tokens.
>
> If we do want to export this information to gadgets the security token
> is going to get quite large. Or do you imagine a flow where the
> gadget calls back to the parent page to fetch what it needs, then
> forwards that info to the gadget server?
This data doesn't ever go into the security token -- the security token is used to retrieve it. Most security token generation schemes will involve encoding a user id or session id or something which is used to look up data on demand by some back end. The security token should contain as little data as possible.
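Added example, not from this thread and not Shindig's own GadgetSigner: a token of the shape the reply describes, carrying only owner id, viewer id, app id and issue time plus an HMAC, with the friend list and OAuth data looked up by the back end. It is written in Python to illustrate that the signer need not share the server's language; the shared secret, ids, TTL and user store are constructed for the demo.

```python
import base64
import hashlib
import hmac
import time

# Constructed shared secret (assumption): the one thing the container and the
# Shindig server must both hold. Real deployments load it from configuration.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"
TOKEN_TTL_SECONDS = 3600

# Constructed back-end store: per-user data the token only points at.
USER_STORE = {
    "owner-42": {"friends": ["u-7", "u-9"], "oauth_access_token": "at-xyz"},
}


def sign_token(owner_id, viewer_id, app_id, now=None):
    """Mint a minimal security token: ids and issue time, then an HMAC.
    Ids are assumed not to contain ':'; no per-user data goes in here."""
    issued = int(now if now is not None else time.time())
    payload = f"{owner_id}:{viewer_id}:{app_id}:{issued}".encode()
    mac = hmac.new(SHARED_SECRET, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(mac).decode())


def verify_token(token, now=None):
    """Return the claims if the HMAC matches and the token is fresh, else None."""
    try:
        b64_payload, b64_mac = token.split(".")
        payload = base64.urlsafe_b64decode(b64_payload)
        mac = base64.urlsafe_b64decode(b64_mac)
    except ValueError:  # wrong part count or bad base64 (binascii.Error)
        return None
    expected = hmac.new(SHARED_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    owner_id, viewer_id, app_id, issued = payload.decode().split(":")
    current = int(now if now is not None else time.time())
    if current - int(issued) > TOKEN_TTL_SECONDS:
        return None
    return {"owner": owner_id, "viewer": viewer_id, "app": app_id}


def fetch_user_data(token, now=None):
    """What the back end does with a valid token: look the data up on demand."""
    claims = verify_token(token, now)
    if claims is None:
        return None
    return USER_STORE.get(claims["owner"])
```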

