Yes, the reference OAuth 2.0 implementation code uses an anonymous security token, so to accomplish your use case you'd have to modify it or make some extensions.
You could modify the access token to include the viewer ID, or you could try storing the viewer ID with the HttpSession and retrieve it from there if this is all occurring within the same web application.

Matt

From: Ronny Roeller <[email protected]>
To: [email protected]
Date: 11/23/2011 03:40 AM
Subject: OAuth2+REST API: how to retrieve the viewer?

Hi community,

I'm testing the new OAuth2 implementation (3.0.0-beta3). After retrieving my access-token, I'm sending requests to the REST API but can't figure out the viewer in my SPIs. For example:

1. As user 'sue' I'm requesting an access-token
2. Shindig gives me the access-token 7173531c-57da-44d7-a4fe-52cae0faa3e1
3. I request information about user 'joe': /social/rest/people/joe/@self?access_token=7173531c-57da-44d7-a4fe-52cae0faa3e1
4. My PersonService decides based on the viewer how much information to return (e.g. 'sue' may be an administrator and see more available data points).

How could I figure out in my PersonService that the viewer of the request was 'sue'?

One possible solution I found: I could extend OAuth2Code with the viewerId and then set the value when creating the accessToken in OAuth2Service.generateAccessToken(). I use this access token to create a SecurityToken in OAuth2AuthenticationHandler:getSecurityTokenFromRequest() [instead of returning the AnonymousSecurityToken].

Does this make sense? What would be the suggested solution approach?

Many thanks,
Ronny
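As an added illustration of the token-to-viewer binding both messages discuss (not code from this thread, and not Shindig's own code), the class below keeps a server-side map from an opaque access token to the viewer it was issued for, with expiry and revocation. The class name, the `issue`/`viewerFor`/`revoke` methods and the sample viewer 'sue' are assumptions made for this example; how it is wired into `OAuth2Service.generateAccessToken()` and `OAuth2AuthenticationHandler.getSecurityTokenFromRequest()` is described in prose after the code rather than shown, because the exact Shindig 3.0.0-beta3 signatures are not on this page.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Hypothetical server-side store binding an opaque OAuth 2.0 access token to
 * the viewer it was issued for. Added example, not Shindig code: the token
 * string itself carries no viewer ID, so a client cannot alter who it
 * represents; the authoritative mapping lives only on the server.
 */
public final class ViewerTokenStore {

    /** What the store remembers per token: who it is for and when it stops working. */
    private static final class Grant {
        final String viewerId;
        final Instant expiresAt;
        Grant(String viewerId, Instant expiresAt) {
            this.viewerId = viewerId;
            this.expiresAt = expiresAt;
        }
    }

    private final Map<String, Grant> grants = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final Duration lifetime;

    public ViewerTokenStore(Duration lifetime) {
        this.lifetime = lifetime;
    }

    /** Issue a fresh opaque token for viewerId; the place for this call is where the access token is generated. */
    public String issue(String viewerId) {
        byte[] raw = new byte[32];                      // 256 bits from a CSPRNG: not guessable
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        grants.put(token, new Grant(viewerId, Instant.now().plus(lifetime)));
        return token;
    }

    /**
     * Resolve the viewer for a presented token. Empty for unknown, revoked or
     * expired tokens, so the caller can fall back to anonymous handling.
     */
    public Optional<String> viewerFor(String token) {
        if (token == null) {
            return Optional.empty();
        }
        Grant g = grants.get(token);
        if (g == null) {
            return Optional.empty();
        }
        if (Instant.now().isAfter(g.expiresAt)) {
            grants.remove(token);                       // expired: forget it
            return Optional.empty();
        }
        return Optional.of(g.viewerId);
    }

    /** Invalidate a token on logout or administrative revocation. */
    public void revoke(String token) {
        grants.remove(token);
    }

    public static void main(String[] args) {
        ViewerTokenStore store = new ViewerTokenStore(Duration.ofHours(1));
        String sueToken = store.issue("sue");            // constructed sample viewer
        System.out.println("issued token resolves to: " + store.viewerFor(sueToken).orElse("anonymous"));
        System.out.println("unknown token resolves to: " + store.viewerFor("not-a-real-token").orElse("anonymous"));
        store.revoke(sueToken);
        System.out.println("revoked token resolves to: " + store.viewerFor(sueToken).orElse("anonymous"));
    }
}
```

In the handler, the `access_token` value taken from the request would be passed to `viewerFor`; a present result populates the viewer field of the SecurityToken that is returned in place of the AnonymousSecurityToken, and an empty result keeps the existing anonymous behaviour. Keeping the mapping server-side rather than encoding the viewer ID into the token string means the bearer token stays an opaque handle, revocation is a map removal, and a PersonService that reads `getViewerId()` from the token is trusting state the server issued rather than a value the client supplied.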
