On Wed, Sep 17, 2008 at 11:31 AM, Brian Eaton <[EMAIL PROTECTED]> wrote: > On Tue, Sep 16, 2008 at 11:26 PM, Eiji Kitamura <[EMAIL PROTECTED]> wrote: >> [2] xoauth_public_key >> >> According to following proposal: >> http://dirk.balfanz.googlepages.com/oauth_key_rotation.html >> >> Public Key Identifier should be specified using "xoauth_public_key". >> Same on google code gadgets site. >> But actual implementation in Shindig seems like using >> "xoauth_signature_publickey". >> >> Which is correct or should they be treated differently? > > I think we should change the spec to use xoauth_signature_publickey, > since that's what real world implementations have done. If there's > consensus on shindig-dev I'll send that proposal to the spec list. > >> App url should be specified using "xoauth_app_url". But it looks like >> there's "opensocial_app_url" mentioned on google code gadgets site. >> Shindig is implemented with "opensocial_app_url" too. >> >> Which is correct or should they be treated differently? > > Both have identical values, so at least we don't have a conflict to worry > about. > > opensocial_app_url was proposed as an alternative to > opensocial_app_id, because opensocial_app_id was difficult for gadget > developers to understand. > > xoauth_app_url was proposed on one of the OAuth mailing lists do deal > with cases where a proxy is using a single key for multiple OAuth > consumers, xoauth_app_url identifies the real application making the > request. > > opensocial_app_url was added most recently, so it's probably the > easiest to do away with, if we want to do so. OTOH, it is doing no > harm. > > Anybody on shindig-dev have a pressing technical reason to prefer one > approach over the other? If we've got a strong technical argument, > I'll present that argument to the spec list. Otherwise I'll just > raise the issue on the spec list as something that requires some > clarification.
I have a pressing need to have an actual url of the app sent in the params. right now, the shindig code does not do this. It doesn't matter what the param is named to me. I'd prefer whatever can be done quickest to get a app url in a signed fetch instead of the 'locally known id' of opensocial_app_id davep
