I think what you want to do is use signed fetch - a feature of the gadget server, but this starts by using gadget security tokens with your container. Your gadget container should put the id of the logged in user in the gadget token and includes it in the iframe urls when it is serving your container page. This token is included when a gadget does a makeRequest call to get the RSS feed. This is security token is then available in the gadget server when it receives the makeRequest call and can send those attributes along to the RSS server in a singed fetch. The gadget server signs the values that were once in the security token but are now included as url parameters in a signed fetch. The gadget server makes the request on behalf of the user/gadget and all that is left if for the RSS feed server to handle the signed fetch, verify the signature and return the results
http://www.opensocial.org/Technical-Resources/opensocial-spec-v08/gadgets-reference08#gadgets.io.makeRequest davep On Fri, Oct 3, 2008 at 6:46 AM, <[EMAIL PROTECTED]> wrote: > Ok, i begin to understand what OAuth is used for.... and i think it's not > really what i need.... > > Let's reexplain : > > I have a portal that can hold shindig gadgets (not social, for instance an > RSS reader). The portal itself serves RSS feed that are protected resources. > When i want to present a RSS gadget that use a reentrant RSS feed, how can > shindig proxy bind the portal credentials throw a makeRequest call ? > > Let's see an example : > > http//myportal/site/veryprivatedocs/globalEarnings.rss is a feed that only > me can see > > http://myportal/site/mydashboard is a collection of RSS Feeds gadgets and > one of this gadget points to the precedent feed. > > In this case, the portal (the container) renders an iframe with the RSS > gadget that calls gadgets.io.makeRequest method that binds to the > makeRequest servlet of shindig. > > But how can the shindig servlet authentify itself as the same user of the > portal (me) ? > > Thx for the explanations > > > > > > Le 2 oct. 08 à 11:59, Ian Boston a écrit : > >> My understanding of CAS is that is that its a WebISO type Authentication >> System between browser and server, uses browser redirects to a central CAS >> server for authenticating the user and then redirects back to the target >> application. I cant remember if there is a server to server credential >> exchange or if all credential exchange is via the browser (like WebAuth). >> >> OAuth is a server to server authorization mechanism that allows a User the >> ability to grant a server to talk to another server and perform specific >> operations. eg MySpace can display your Flickr album once you have told >> Flickr that its Ok, and transported the OAuth token back from Flickr to >> MySpace so that the MySpace servers can contact the Flickr web service >> directly. >> >> >> So Shindig + CAS. >> >> Shingid itself doesn't authenticate the User, as its only re reference >> implementation of the standard and not a full blown Social Network >> Application. To make Shindig embedded into an application you would put a >> CAS filter (either at mod_cas, or as a Servlet Filter) over the URLs that >> need protecting, probably just the social-api urls. >> >> Then in your implementation of the Service Provider Interfaces you would >> bind to the CAS credentials and use that to ensure that the service requests >> from the social API are bound to the logged in user attached to the request >> thread. >> >> Does that make sense, if not say and I can point you to the code that you >> need to implement. >> >> Ian >> >> On 2 Oct 2008, at 09:45, <[EMAIL PROTECTED]> >> <[EMAIL PROTECTED]> wrote: >> >>> Hello, >>> >>> I'm developping a portal on top of an Open source ECM solution. This >>> portal embeds shindig to serve opensocial gadgets. >>> >>> The portal is CAS compliant. Our problem is that when a gadget (for >>> instance an RSS Reader) wants to access RSS Feed on this portal, >>> shindig doesn't have the credentials to make the proxied request. >>> >>> I'm trying to explore the authentication mechanism of shindig, but if >>> someone has any advice for me (where to begin ? OAuth explanation >>> etc...) it would be great ! >>> >>> -- >>> Damien METZLER >>> >>> >>> >>> >>> Ce message et toutes les pièces jointes sont établis à l'attention >>> exclusive de leurs destinataires et sont confidentiels. Si vous recevez ce >>> message par erreur, merci de le détruire et d'en avertir immédiatement >>> l'expéditeur. L'internet ne permettant pas d'assurer l'intégrité de ce >>> message, le contenu de ce message ne représente en aucun cas un engagement >>> de la part de Leroy Merlin. >>> >> > > -- > Damien METZLER > SIF - Leroy Merlin France - Tel : 03 28 80 89 03 > >
