John, thanks for the idea. That might be good enough security, but consider that you're open to bots (or humans) registering themselves with stolen ids. I would prefer if Google provided a simple functionality to authenticate users, a kind of 'quick path', since it would be so usable, and is asked from many different corners.
Cheers, PS On Thu, Dec 18, 2008 at 6:08 PM, John Weidner <studyst...@gmail.com> wrote: > > I just wrote a custom gadget that prompts for a username and > password. Then I use makeRequest to send these credentials along > with their open social viewerId. On the server side, if the username > and password are correct, I store the viewerId in my user database for > that user. So now I know the viewerId for these users. But I'm > currently doing this without signed authentication. > > On Dec 15, 7:19 am, psvensson <psvens...@gmail.com> wrote: > > I just want to report back to my server the unique friend connect id > > and basic info of the current viewer. How hard can it be? > > > > I might not have understood how to do this correctly, but here's what > > I have done; > > > > 1. I have made sure that friend connect works on my site canvas, rpc- > > html, basic widgets and all that jazz. > > 2. I have made a simple custom widget, I call osaccess.xml which gets > > pulled in OK (Which I can see in firebug. It's of course proxied by a > > google server, but the content that gets in the browser is the same > > that I wrote). > > 3. From JS inside that custom widget, I make a request back to my > > server. It works fine if I use NONE as authorizationtype. > > 4. When I switch to SIGNED, I want to utilize that the google proxy > > guarantees id, and packs a lot of good info about the user/viewer. > > > > The code looks like this; > > > > function foo() > > { > > ..... > > var params = {}; > > params[gadgets.io.RequestParameters.CONTENT_TYPE] = > > gadgets.io.ContentType.TEXT; > > params[gadgets.io.RequestParameters.AUTHORIZATION] = > > gadgets.io.AuthorizationType.SIGNED; > > params[gadgets.io.RequestParameters.REFRESH_INTERVAL] > > = 5; > > var url = "http://howtobethechange.appspot.com/ > > osaccess/"; > > console.log("calling url... '"+url+"'"); > > gadgets.io.makeRequest(url, reqcb, params); > > }; > > > > function reqcb(data) > > { > > console.log("reqcb called...."); > > console.dir(data); > > } > > > > The reqcb always reply "404: not found" when I use SIGNED. > > > > What is it that is not found? > > > > Where can I read about examples on how to set this up. It seems to be > > the absolutely single first, top of mind, thing that any pgroammer > > want to do and sort of _the whole point_ of friend connect - to report > > back the certified user id of the current viewer to the site hosting > > the widgets. > > > > What am I missing? > > > > I should point out that I have registered my site athttps:// > www.google.com/accounts/ManageDomains, using a x.509 PEM > > certificate. It feels like there is a 'magic' url I have to provide > > (though I can't find any access from any google proxies or anything > > else when running the script). > > > > Very thankful for any advice. > > > > Cheers, > > PS > > > --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "OpenSocial Application Development" group. To post to this group, send email to opensocial-api@googlegroups.com To unsubscribe from this group, send email to opensocial-api+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/opensocial-api?hl=en -~----------~----~----~----~------~----~------~--~---