Restricting by IP address is definitely a bad way to go.  It ties the
functionality of your application to the (each) container's network
topology.

I think we just have to be patient and wait for the OpenSocial
developers to release a mechanism for authentication.  They've said
they are working on it repeatedly, and I'm sure it's their top
priority (because they said so).

The OAuth request signing mechanism allows the service provider (your
app's home site) to verify that it's talking to the container and not
an impostor using shared secrets.  That way, you don't need to check
for IPs or do anything else hinky.

My only suggestion (that I have not heard explicitly from any O.S.
people) is that they make sure to include verified information about
the gadget owner and viewer.  This is not part of OAuth, and it
doesn't sound like the O.S. developers are going to implement OAuth in
its entirety.  This is an O.S.-specific feature that containers would
be required to implement.

nate


On Dec 5, 8:06 am, "Luciano Ricardi" <[EMAIL PROTECTED]> wrote:
> (...)"until the OAuth be implemented"(...)
>
> What I've said is that some implementations, more simple, could be made
> until OAuth be implemented.... We don't know when the OAuth will be part of
> the OpenSocial... there is no information about date releases here:
>
> http://groups.google.com/group/opensocial/web/whats-up-with-opensocial
>
> On Dec 5, 2007 12:07 PM, Paul Lindner <[EMAIL PROTECTED]> wrote:
>
>
>
> > Please read this:
>
> >http://opensocialapis.blogspot.com/2007/11/improved-content-fetching-...
>
> > On Wed, Dec 05, 2007 at 11:01:47AM -0300, Luciano Ricardi wrote:
> > > I really think that some few changes on the working method of
> > > _IG_FetchContent() could bring some great security gains on OpenSocial
> > > until the OAuth be implemented.
>
> > > Let's take the Orkut Sandbox for an example:
>
> > > 1 - We received the calls from Sandbox Proxies just from 3 proxies...
> > > 66.249.84.15
> > > 72.14.195.49
> > > 74.125.16.6
>
> > > Well, so we can implement security procedures on our codes that prevent
> > > to deliver content to unauthorised IPs. This is a good enhancement in
> > > security, but we need some way to get this IP's List. We got this IP's
> > > from the access logs of the web server...
>
> > > 2 - The request that comes from the proxies is like this:
>
> > > "GET /gadgets/view_content.php?id_orkut=02772430860366983940&.cache=3239336552 HTTP/1.1"
>
> > > The id_orkut is the parameter that we put on our gadget code. The
> > > ".cache" is appended by the proxy server. Well, why not to append the
> > > real id of the gadget viewer? This could grant that the caller of
> > > _IG_FetchContent is the viewer of the gadget.
>
> > > So.... this is what I suggest for enhance the security of OpenSocial
> > > until OAuth be implemented:
>
> > > 1 - Some method to bring the IPs from the Proxy of the OpenSocial
> > > containers.
> > > 2 - Append the Id of the Viewer (or other informations) in the GET
> > > parameters"
>
> > > []s
>
> > > Luciano R.
>
> > > On Dec 4, 2007 9:37 PM, nate <[EMAIL PROTECTED]> wrote:
>
> > > > This may or may not be obvious, but I would like to make a request
> > > > regarding the data that will get signed into _IG_FetchContent()
> > > > requests originating from OpenSocial containers.
>
> > > > I think the primary thing that Service Provider apps will want to
> > > > validate is the viewer/owner relationship.  To that end, it would be
> > > > really handy to make every _IG_FetchContent() request contain a
> > > > signed:
> > > >  * gadget owner ID
> > > >  * gadget viewer ID
> > > >  * owner/viewer relationship (i.e. "friends" or "public") with
> > > > respect to the container
>
> > > > If this info can be made non-spoofable, Service Providers can reliably
> > > > apply privacy settings, not to mention allow the gadget owner to set
> > > > privacy settings from within the container.
>
> > > > Thanks for your consideration, and all your hard work.
>
> > > > - nate
>
> > --
> > Paul Lindner
> > hi5 Architect
> > [EMAIL PROTECTED]
>
> --
> Luciano
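
Added example, not part of the original thread and not OpenSocial's own code: a service-provider-side check of a request signed with a shared secret, using the OAuth 1.0 HMAC-SHA1 base string, so that the owner and viewer IDs are trusted only when the signature, timestamp and nonce all check out. The parameter names `owner_id`, `viewer_id` and `relationship`, the URL, the consumer key and the secret are assumptions constructed for illustration; the thread does not say what the container will actually send.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def enc(value):
    """Percent-encode as OAuth 1.0 requires (only unreserved chars stay literal)."""
    return quote(str(value), safe="-._~")

def sign(method, url, params, shared_secret):
    """HMAC-SHA1 over the OAuth 1.0 signature base string (no token secret).
    `url` is the request URL without its query string."""
    pairs = sorted((enc(k), enc(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), enc(url), enc(normalized)])
    key = (enc(shared_secret) + "&").encode()
    mac = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def verify(method, url, params, shared_secret, now, seen_nonces, max_skew=300):
    """True only for a fresh, unreplayed request signed with the shared secret."""
    try:
        ts = int(params["oauth_timestamp"])
        nonce = params["oauth_nonce"]
        claimed = params["oauth_signature"]
    except (KeyError, ValueError):
        return False
    expected = sign(method, url, params, shared_secret)
    # Constant-time comparison; covers every parameter, including the IDs.
    if not hmac.compare_digest(expected.encode(), claimed.encode()):
        return False
    if abs(now - ts) > max_skew or (ts, nonce) in seen_nonces:
        return False  # stale or replayed
    seen_nonces.add((ts, nonce))
    return True

# Constructed sample values (hypothetical names, not from any container).
SECRET = "constructed-shared-secret"
URL = "http://app.example/gadgets/view_content.php"

def sample_request():
    params = {"owner_id": "1001", "viewer_id": "2002", "relationship": "friends",
              "oauth_consumer_key": "container.example",
              "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": "1196900000", "oauth_nonce": "a1b2c3"}
    params["oauth_signature"] = sign("GET", URL, params, SECRET)
    return params
```

Unlike a source-IP check, this ties acceptance to possession of the secret rather than to the container's proxy addresses, and a changed `viewer_id` invalidates the signature.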