Hi Mark, I've talked some of my more OAuth-experienced colleagues to try and get these issues resolved. Here are responses to the points in your posts:
1. Documentation/spec compliance: Clearing up mistakes in documentation can be accomplished by modifying: "iGoogle uses the draft OAuth Gadgets Extension to provide the URL of the gadget on whose behalf the request is being made to service providers" to instead read: "iGoogle uses the OpenSocial specification [http://code.google.com/apis/opensocial/docs/ 0.8/reference/gadgets/#gadgets.io_method_detail] to provide the URL of the gadget on whose behalf the request is being made to service providers". This change should be made shortly. Because we've opted to use the OpenSocial specification rather than the OAuth Gadgets Extension, the request will include opensocial_app_url instead of xoauth_app_url. 2. Is Google including the scope query parameter? Google includes the scope query parameter: all query parameters and application/x-www-form-urlencoded POST parameters are included. This conforms to section 9.1.1 of the OAuth spec, which states that HTTP GET parameters added to the URLs in the query part are included in the signature base string. 3. Is the trailing / dropped from the query path? The slash is not dropped. 4. Is Google including the "xoauth_signature_publickey" value? Yes. All parameters are included in the base string. 5. Where is a python OAuth provider that supports RSA signature verification? This code is a good example: http://code.google.com/p/oauth/source/browse/code/branches/termie/python/oauth/rsa.py I hope this helps you get your signature base string/validation working. If you have any other questions or comments, please let me know. Thanks, Dan On Jan 16, 1:10 pm, Mark Paine <[email protected]> wrote: > Just another quick note: > > The document at...http://code.google.com/apis/gadgets/docs/oauth.html > ...states that "Google uses the draft OAuth Gadgets Extension to > provide the URL of the gadget on whose behalf the request is being > made to service providers". > > But the draft spec that it links to state specifically: > > > This extension defines one additional OAuth parameter to be used in OAuth > > requests originating from an > OAuth consumer: > > xoauth_app_url: > > The URL of the gadget originating the OAuth request. > > A consumer MUST include the xoauth_app_url parameter in requests to the the > > Request Token URL and > > Access Token URL at the Service Provider > > That's not what Google has implemented: > > > opensocial_app_id%3D10744\9613425304803885 > > opensocial_app_url%3Dhttp%3A%2F%2Fhosting.gmodules.com%2Fig%2Fgadgets%2Ffile%2F102845035461294445368%2Fexercise_oauthtest_test.xml > > opensocial_owner_id%3D101691534457182538500 > > opensocial_viewer_id%3D101691534457182538500 > > Clearly, Google's implementation provides the same information by way > of the "opensocial_app_url" information, but it cannot claim to adhere > to the draft spec. > > I'm sorry if it sounds like I just want to bash, but that's not my > goal. I just want to have a clear roadmap along with clear and > *correct* documentation to get there. I've made a big commitment to > the gadgets platform and I'm hoping that Google will show the same > commitment. > > -Mark --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "iGoogle Developer Forum" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/Google-Gadgets-API?hl=en -~----------~----~----~----~------~----~------~--~---
