On Sat, Jan 17, 2009 at 11:27:30PM -0800, Jordan Zimmerman wrote:
> What's unclear to me is how that appid gets communicated to
> Shindig. I haven't crossed the OAuth bridge yet. So, maybe I'll
> figure that out when I get there.
When a gadget calls into shindig:

1. Container decides to render gadget "123abc". It creates a signed token containing the appId, owner and viewer ids, appUrl. Places the token in the url for an iframe that will contain the gadget.
2. Gadget renders, reads the token from the url.
3. Gadget calls into shindig and sends the token as part of the call.
4. Shindig verifies token, gets all the data out of it and calls into whatever method is needed for the request with the verified data from the token.

When a REST call is made from the app's home servers:

1. Container gives gadget author an oauth key.
2. Author's servers make a call into shindig, using 2 legged oauth for authentication. If needed as an argument for the call, the server may either specify an arbitrary appId or send a special token meaning "the authenticated app".
3. Shindig passes into the method call both the caller provided appId and the authenticated data from oauth.

In either case, since the ultimate call goes into the same methods, it is the responsibility of your implementation to see if the caller provided appId matches the authenticated one, and to decide what to do if they don't.
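The two paths described above, as an added example that is not part of this thread and not Shindig's own code: an HMAC-signed token stands in for the container's security token (Shindig's real token format is not reproduced), and `resolve_app_id` is the check the message says your implementation must do, for both the gadget path and the REST path. The signing key, the `"@app"` sentinel for "the authenticated app", and all sample values are constructed.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed container-side signing key; a real container keeps this in a secret store.
SIGNING_KEY = b"constructed-container-signing-key"
# Hypothetical sentinel value a REST caller sends to mean "the authenticated app".
AUTHENTICATED_APP = "@app"


def make_token(app_id, owner_id, viewer_id, app_url, key=SIGNING_KEY):
    """Gadget path, step 1: the container signs the claims it puts in the iframe URL."""
    claims = {"appId": app_id, "owner": owner_id, "viewer": viewer_id, "appUrl": app_url}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(sig).decode()


def verify_token(token, key=SIGNING_KEY):
    """Gadget path, step 4: return the claims only if the MAC verifies; otherwise None."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    return json.loads(payload)


def resolve_app_id(caller_app_id, authenticated_app_id):
    """The check both paths share: a caller-supplied appId must agree with the
    authenticated one. None or the sentinel means "use the authenticated app";
    a mismatch is refused rather than silently trusting the caller's value."""
    if caller_app_id in (None, AUTHENTICATED_APP):
        return authenticated_app_id
    if caller_app_id != authenticated_app_id:
        raise PermissionError(f"appId {caller_app_id!r} does not match authenticated app {authenticated_app_id!r}")
    return caller_app_id


def handle_gadget_call(token, caller_app_id=None):
    """Gadget path: the authenticated identity comes from the verified token, never from the request body."""
    claims = verify_token(token)
    if claims is None:
        raise PermissionError("invalid or tampered security token")
    return {"appId": resolve_app_id(caller_app_id, claims["appId"]), "viewer": claims["viewer"]}
```

For the REST path the same `resolve_app_id` is called with the appId tied to the 2-legged OAuth consumer key as `authenticated_app_id` and the request's appId argument as `caller_app_id`.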