Hi Nate,

Yeah, part of the proposal is to include container-verified Viewer/Owner
and Application IDs in the phone home calls.

~Arne



On Dec 6, 11:31 am, nate <[EMAIL PROTECTED]> wrote:
> Restricting by IP address is definitely a bad way to go.  It ties the
> functionality of your application to the (each) container's network
> topology.
>
> I think we just have to be patient and wait for the OpenSocial
> developers to release a mechanism for authentication.  They've said
> they are working on it repeatedly, and I'm sure it's their top
> priority (because they said so).
>
> The OAuth request signing mechanism allows the service provider (your
> app's home site) to verify that it's talking to the container and not
> an impostor using shared secrets.  That way, you don't need to check
> for IPs or do anything else hinky.
>
> My only suggestion (that I have not heard explicitly from any O.S.
> people) is that they make sure to include verified information about
> the gadget owner and viewer.  This is not part of OAuth, and it
> doesn't sound like the O.S. developers are going to implement OAuth in
> its entirety.  This is an O.S.-specific feature that containers would
> be required to implement.
>
> nate
>
> On Dec 5, 8:06 am, "Luciano Ricardi" <[EMAIL PROTECTED]> wrote:
>
> > (...)"until the OAuth be implemented"(...)
>
> > What I've said is that some simpler implementations could be made
> > until OAuth is implemented.... We don't know when OAuth will be part of
> > OpenSocial... there is no information about release dates here:
>
> > http://groups.google.com/group/opensocial/web/whats-up-with-opensocial
>
> > On Dec 5, 2007 12:07 PM, Paul Lindner <[EMAIL PROTECTED]> wrote:
>
> > > Please read this:
>
> > > http://opensocialapis.blogspot.com/2007/11/improved-content-fetching-...
>
> > > On Wed, Dec 05, 2007 at 11:01:47AM -0300, Luciano Ricardi wrote:
> > > > I really think that a few changes to the working method of
> > > > _IG_FetchContent() could bring some great security gains to OpenSocial
> > > > until OAuth is implemented.
>
> > > > Let's take the Orkut Sandbox for an example:
>
> > > > 1 - We received the calls from Sandbox Proxies just from 3 proxies...
> > > > 66.249.84.15
> > > > 72.14.195.49
> > > > 74.125.16.6
>
> > > > Well, so we can implement security procedures in our code that prevent
> > > > delivering content to unauthorised IPs. This is a good enhancement in
> > > > security, but we need some way to get this IP list. We got these IPs from
> > > > the access logs of the web server...
>
> > > > 2 - The request that comes from the proxies is like this:
>
> > > > "GET /gadgets/view_content.php?id_orkut=02772430860366983940&.cache=3239336552 HTTP/1.1"
>
> > > > The id_orkut is the parameter that we put in our gadget code. The ".cache"
> > > > is appended by the proxy server. Well, why not append the real ID of the
> > > > gadget viewer? This could grant that the caller of _IG_FetchContent is the
> > > > viewer of the gadget.
>
> > > > So.... this is what I suggest to enhance the security of OpenSocial until
> > > > OAuth is implemented:
>
> > > > 1 - Some method to get the IPs of the proxies of the OpenSocial
> > > > containers.
> > > > 2 - Append the ID of the Viewer (or other information) in the GET
> > > > parameters
>
> > > > []s
>
> > > > Luciano R.
>
> > > > On Dec 4, 2007 9:37 PM, nate <[EMAIL PROTECTED]> wrote:
>
> > > > > This may or may not be obvious, but I would like to make a request
> > > > > > regarding the data that will get signed into _IG_FetchContent()
> > > > > requests originating from OpenSocial containers.
>
> > > > > I think the primary thing that Service Provider apps will want to
> > > > > validate is the viewer/owner relationship.  To that end, it would be
> > > > > > really handy to make every _IG_FetchContent() request contain a
> > > > > signed:
> > > > >  * gadget owner ID
> > > > >  * gadget viewer ID
> > > > >  * owner/viewer relationship (i.e. "friends" or "public") with
> > > > > respect to the container
>
> > > > > If this info can be made non-spoofable, Service Providers can reliably
> > > > > apply privacy settings, not to mention allow the gadget owner to set
> > > > > privacy settings from within the container.
>
> > > > > Thanks for your consideration, and all your hard work.
>
> > > > > - nate
>
> > > --
> > > Paul Lindner
> > > hi5 Architect
> > > [EMAIL PROTECTED]
>
> > --
> > Luciano
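
An added example, not part of the original thread and not OpenSocial code: how a service provider could verify an OAuth 1.0 HMAC-SHA1 signed request from a container before trusting the viewer and owner IDs in it. The parameter names viewer_id and owner_id, the consumer key and the shared secret are assumptions; the oauth_* names come from OAuth Core 1.0.

```python
import base64, hashlib, hmac, time
from urllib.parse import quote

# Constructed values: consumer key, shared secret and the viewer_id/owner_id
# parameter names are assumptions for illustration, not defined by OpenSocial.
CONSUMER_SECRETS = {"example-container": "constructed-shared-secret"}
MAX_SKEW = 300  # seconds of clock drift tolerated on oauth_timestamp

def _enc(value):
    # OAuth percent-encoding: only RFC 3986 unreserved characters stay literal.
    return quote(str(value), safe="-._~")

def sign(method, url, params, secret):
    """OAuth 1.0 HMAC-SHA1 signature over method, URL and sorted parameters."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), _enc(url), _enc(normalized)])
    key = _enc(secret) + "&"  # empty token secret: container-to-site call
    digest = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def verify(method, url, params, seen_nonces, now=None):
    """Return (viewer_id, owner_id) if the signature is valid, else None."""
    now = time.time() if now is None else now
    secret = CONSUMER_SECRETS.get(params.get("oauth_consumer_key"))
    if secret is None or params.get("oauth_signature_method") != "HMAC-SHA1":
        return None
    try:
        ts = int(params["oauth_timestamp"])
    except (KeyError, ValueError):
        return None
    if abs(now - ts) > MAX_SKEW:
        return None  # stale or future-dated request
    expected = sign(method, url, params, secret)
    supplied = params.get("oauth_signature", "")
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return None  # IDs were altered or the sender lacks the shared secret
    # Record the nonce only after the signature checks out, so unsigned
    # traffic cannot fill the replay cache.
    nonce = (params["oauth_consumer_key"], ts, params.get("oauth_nonce"))
    if nonce in seen_nonces:
        return None  # replayed request
    seen_nonces.add(nonce)
    return params.get("viewer_id"), params.get("owner_id")
```

Because the viewer and owner IDs are inside the signed parameter set, changing either one invalidates the signature, which is what makes them usable for privacy decisions without any IP allow-list.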