[
http://jira.amdatu.org/jira/browse/AMDATUAUTH-17?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12926#comment-12926
]
Ivo Ladage - van Doorn commented on AMDATUAUTH-17:
--------------------------------------------------
Preapproved request tokens should be supported by the OAuth server to
facilitate OAuth calls from the consumer to the provider which do not need the
user's approval. This means that the consumer's API can only be used to store
user-specific data that is provided by the consumer itself.
Examples in which case 2-legged OAuth can/should be used:
- A gadget invokes a reporting API, which returns data that is in no way
user-specific
- A gadget uses a remote file service API to store personal user documents.
These documents are stored in a specific consumer space such that no other
consumers can access it.
Example in which case 2-legged OAuth should NOT be used:
- A gadget stores photos in an Album service API. The photos are stored per
user and the username is sent along with the request from the gadget container.
This should not use 2-legged OAuth since the photos can also be accessed from
other consumers.
From these examples it is clear that the Service API determines if 2-legged
OAuth and/or 3-legged OAuth is required. The Service API should thus be
capable of retrieving this info from the acquired token. So:
- The request token servlet should be enhanced with an additional
'preapproved=true' parameter to request a preapproved request token
- The 'is pre-approved token' becomes a property of the token, which can be
retrieved by the Service API being invoked with OAuth
- Pre-approved access tokens never contain a user id
> Support preapproved request tokens for 2-legged OAuth
> -----------------------------------------------------
>
> Key: AMDATUAUTH-17
> URL: http://jira.amdatu.org/jira/browse/AMDATUAUTH-17
> Project: Amdatu Auth
> Issue Type: New Feature
> Components: OAuth server
> Affects Versions: 0.1.0
> Reporter: Ivo Ladage - van Doorn
> Assignee: Ivo Ladage - van Doorn
> Labels: blueconic
> Fix For: 0.2.2
>
>
> Gadgets rendered in the Amdatu OpenSocial container usually will want to use
> 2-legged oAuth with preapproved request tokens. To support this the following
> enhancements need to be implemented:
> - Add a servlet to the oAuth server that facilitates generating preapproved
> request tokens
> - An addModule callback to add gadgets to the preapproved gadget store
> As an example the course gadget should use this new 2-legged approach. The
> friends gadget should use the full blown 3-legged approach (see
> http://jira.amdatu.org/jira/browse/AMDATU-211)
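The token rules from the comment above (a pre-approved flag readable by the Service API, no user id on pre-approved tokens, and the Service API deciding which flow it accepts), sketched as a service-side check. This is an added example, not Amdatu code: `AccessToken`, `Scope`, `authorize` and the returned namespace tuples are hypothetical names, and it assumes the OAuth layer has already verified the token itself.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Scope(Enum):
    """How a Service API classifies the data it exposes (hypothetical names)."""
    NOT_USER_SPECIFIC = 1   # e.g. the reporting API
    CONSUMER_PRIVATE = 2    # e.g. file service with a space per consumer
    SHARED_PER_USER = 3     # e.g. album service readable by other consumers


@dataclass(frozen=True)
class AccessToken:
    consumer_key: str
    preapproved: bool
    user_id: Optional[str] = None

    def __post_init__(self):
        # "Pre-approved access tokens never contain a user id"
        if self.preapproved and self.user_id is not None:
            raise ValueError("pre-approved token must not carry a user id")
        if not self.preapproved and not self.user_id:
            raise ValueError("3-legged token must name the approving user")


def authorize(token: AccessToken, scope: Scope,
              claimed_user: Optional[str] = None) -> Tuple[str, ...]:
    """Return the data namespace the call may use, or raise PermissionError."""
    if scope is Scope.NOT_USER_SPECIFIC:
        return ("public",)
    if token.preapproved:
        if scope is Scope.SHARED_PER_USER:
            # No user approved this token; the username is only the
            # consumer's own claim, so shared per-user data stays closed.
            raise PermissionError("3-legged OAuth required")
        user = claimed_user or "_"  # unverified, confined to the consumer space
    else:
        # 3-legged: identity comes from the token, not from a parameter.
        if claimed_user is not None and claimed_user != token.user_id:
            raise PermissionError("request user does not match token user")
        user = token.user_id
    if scope is Scope.CONSUMER_PRIVATE:
        return ("consumer", token.consumer_key, user)
    return ("user", user)
```
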