Perhaps a Googler can jump in on this Google allows Oauth apps to use ³anonymous² as their consumer key, with ³anonymous² as their consumer secret. These apps do not need to pre-register for a consumer key.
See bullet point #2 in Google¹s Oauth docs regarding the ³anonymous² consumer key: http://code.google.com/apis/accounts/docs/OAuth_ref.html#SigningOAuth This also means that the oauth_callback URL is not bound to any particular domain and can be anything. I personally think that this is a great way to lower the barrier for developers to start using Oauth protected APIs. However, Yahoo and many other Service Provders are not able to allow for the anonymous consumer key due to legal requirements (we require our developers to agree to a legal terms of use), as well as business requirements (we want contact info for our developers). As far as the original poster¹s question asking how Service Providers can implement this I think the anonymous consumer key implementation is pretty straightforward. I suppose the UI for the approval screen as well as the token management/revocation screens could be strange (what does the SP call the app on these screens?). It could also be tricky to implement a kill switch if the SP wants to pull the plug on a rogue app using the anonymous consumer key. Allen On 2/20/10 11:33 PM, "Vinod facebook" <vinod.faceb...@gmail.com> wrote: > Hi zemi, > > This can be done using asymmetric key cryptography. For example if > abc.com <http://abc.com> is a service provider and if they wanna add a gadget > to google.com <http://google.com> (consumer) to offer their services to their > clients using google.com <http://google.com> . Google signs all requests to > service provider using a private key and the service provider uses a public > certificate provided by google to verify all the requests originating from > google to be authentic and legitimate. This signing and validation of request > messages happens at both the ends(consumer and service provider). With this, a > prior registration is not required on the service provider side. > > A list of open social public certificates are provided in the following link: > > https://opensocialresources.appspot.com/certificates > > The following link provides you an insight into implementing signed fetch > using asymmetric key cryptography. The same can be used with 3-legged oauth. > > http://wiki.opensocial.org/index.php?title=Validating_Signed_Requests > > Note: There is no such 'anonymous consumer key' as per my understanding. If > you view the list of public certificates, along with the public certificate a > corresponding oauth_consumer_key is provided and is a fixed value. > > With Regards, > R.Vinod Kumar > > > > On Fri, Feb 19, 2010 at 5:49 AM, zemi <matusz...@gmail.com> wrote: >> Hi everybody, >> I need a consumer to request (3-legged) 'request' tokens without >> previous registration on provider side. >> I've noticed Google and Plaxo support this with 'anonymous' consumer >> key? How exactly is this then handled on provider side? Do they create >> token only or consumer key also? >> Thanks for help folks! >> >> Regards, >> zemi >> >> -- >> You received this message because you are subscribed to the Google Groups >> "OAuth" group. >> To post to this group, send email to oa...@googlegroups.com. >> To unsubscribe from this group, send email to >> oauth+unsubscr...@googlegroups.com >> <mailto:oauth%2bunsubscr...@googlegroups.com> . >> For more options, visit this group at >> http://groups.google.com/group/oauth?hl=en. >> > -- You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to oa...@googlegroups.com. To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/oauth?hl=en.
