Thanks for both answers! Vinod: Can using certificates be replaced by SSL connection (isn't OAuth WRAP about it?) or is it something different?
I would like to use this 'anonymous-consumer' approach in a distributed application so any of these app instances can use others' services without pre-registration. But at the same time I need to 'auto' register the consumers the way they are unique (URL?) so I can identify them on provider side - that a user can revoke access token later if needed. Do I actually need to create consumer key/secret for each request or the token only? What do you think?

Regards,
Matus

On Feb 22, 2:50 am, Allen Tom <a...@yahoo-inc.com> wrote:
> Perhaps a Googler can jump in on this. Google allows OAuth apps to use
> "anonymous" as their consumer key, with "anonymous" as their consumer
> secret. These apps do not need to pre-register for a consumer key.
>
> See bullet point #2 in Google's OAuth docs regarding the "anonymous"
> consumer key:
> http://code.google.com/apis/accounts/docs/OAuth_ref.html#SigningOAuth
>
> This also means that the oauth_callback URL is not bound to any particular
> domain and can be anything.
>
> I personally think that this is a great way to lower the barrier for
> developers to start using OAuth protected APIs. However, Yahoo and many
> other Service Providers are not able to allow for the anonymous consumer key
> due to legal requirements (we require our developers to agree to a legal
> terms of use), as well as business requirements (we want contact info for
> our developers).
>
> As far as the original poster's question asking how Service Providers can
> implement this, I think the anonymous consumer key implementation is pretty
> straightforward. I suppose the UI for the approval screen as well as the
> token management/revocation screens could be strange (what does the SP call
> the app on these screens?). It could also be tricky to implement a kill
> switch if the SP wants to pull the plug on a rogue app using the anonymous
> consumer key.
>
> Allen
>
> On 2/20/10 11:33 PM, "Vinod facebook" <vinod.faceb...@gmail.com> wrote:
>
> > Hi zemi,
> >
> > This can be done using asymmetric key cryptography. For example if
> > abc.com is a service provider and if they wanna add a gadget to
> > google.com (consumer) to offer their services to their clients using
> > google.com. Google signs all requests to service provider using a
> > private key and the service provider uses a public certificate provided
> > by google to verify all the requests originating from google to be
> > authentic and legitimate. This signing and validation of request
> > messages happens at both the ends (consumer and service provider). With
> > this, a prior registration is not required on the service provider side.
> >
> > A list of open social public certificates are provided in the following
> > link:
> >
> > https://opensocialresources.appspot.com/certificates
> >
> > The following link provides you an insight into implementing signed fetch
> > using asymmetric key cryptography. The same can be used with 3-legged oauth.
> >
> > http://wiki.opensocial.org/index.php?title=Validating_Signed_Requests
> >
> > Note: There is no such 'anonymous consumer key' as per my understanding. If
> > you view the list of public certificates, along with the public certificate
> > a corresponding oauth_consumer_key is provided and is a fixed value.
> >
> > With Regards,
> > R.Vinod Kumar
> >
> > On Fri, Feb 19, 2010 at 5:49 AM, zemi <matusz...@gmail.com> wrote:
> >> Hi everybody,
> >> I need a consumer to request (3-legged) 'request' tokens without
> >> previous registration on provider side.
> >> I've noticed Google and Plaxo support this with 'anonymous' consumer
> >> key? How exactly is this then handled on provider side? Do they create
> >> token only or consumer key also?
> >> Thanks for help folks!
> >>
> >> Regards,
> >> zemi
> >>
> >> --
> >> You received this message because you are subscribed to the Google Groups
> >> "OAuth" group.
> >> To post to this group, send email to oa...@googlegroups.com.
> >> To unsubscribe from this group, send email to
> >> oauth+unsubscr...@googlegroups.com.
> >> For more options, visit this group at
> >> http://groups.google.com/group/oauth?hl=en.
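
The provider-side handling asked about in this thread (tokens only, no per-consumer key, plus the kill switch Allen mentions), as an added example that is not part of the original messages or any provider's code. The `Provider` class, the use of the callback host as the application's identity, and the constructed request values are assumptions of this sketch.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import quote, urlsplit

def enc(s):
    # OAuth 1.0 percent-encoding: only unreserved characters stay literal
    return quote(str(s), safe="-._~")

def sign(method, url, params, consumer_secret, token_secret=""):
    # HMAC-SHA1 over METHOD&URL&sorted-parameters, keyed with both secrets
    pairs = sorted((enc(k), enc(v)) for k, v in params.items()
                   if k != "oauth_signature")
    base = "&".join([method.upper(), enc(url),
                     enc("&".join(f"{k}={v}" for k, v in pairs))])
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    mac = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

class Provider:
    """Hypothetical provider: tokens are tracked per callback host."""
    def __init__(self):
        self.tokens = {}      # token -> {"secret", "app", "revoked"}
        self.blocked = set()  # kill switch: callback hosts refused outright
        self.seen = set()     # (timestamp, nonce) pairs, for replay rejection

    def request_token(self, method, url, params):
        if params.get("oauth_consumer_key") != "anonymous":
            raise PermissionError("unregistered consumer key")
        # The shared secret is public, so this only checks request integrity;
        # it does not authenticate the calling application.
        good = sign(method, url, params, "anonymous")
        if not hmac.compare_digest(good, params.get("oauth_signature", "")):
            raise PermissionError("bad signature")
        replay = (params.get("oauth_timestamp"), params.get("oauth_nonce"))
        if replay in self.seen:
            raise PermissionError("replayed request")
        self.seen.add(replay)
        app = urlsplit(params.get("oauth_callback", "")).hostname
        if not app or app in self.blocked:
            raise PermissionError("callback host missing or blocked")
        token, secret = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.tokens[token] = {"secret": secret, "app": app, "revoked": False}
        return token, secret

    def kill(self, app):
        # Block future requests and revoke every token issued to this host
        self.blocked.add(app)
        for entry in self.tokens.values():
            if entry["app"] == app:
                entry["revoked"] = True
```

Because the callback host is self-declared, it is a label for the approval and revocation screens rather than proof of which application sent the request.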