On Feb 1, 2008 12:04 PM, Brian Eaton <[EMAIL PROTECTED]> wrote: > Reinoud's post about his first steps with Shindig sparked an > interesting discussion I want to pull into a separate thread. Our > story so far: > > Reinoud suggested that the container and the gadget server not need to > share the same data sources, just a few encryption keys.[1] > > Kevin agreed. [2] > > I said I didn't think not sharing data sources was realistic, because > too much information would need to go in the security token. [3] > > Kevin also agreed with that, at which point I got confused. > > The main reason I think we'll need to share data sources between the > container and the gadget server is OAuth; there are per user access > tokens that the gadget server needs access to. That implies the > container and the gadget server are both using the same backend for > their users. Or am I missing something?
Every container could have it's own back end that understands the security token. There's no need to pass anything other than the most basic data required to authenticate. Example: Container generates token that contains: current viewer, owner of the current page, and the url of the gadget that was rendered. It gets passed to the iframe as #st=<base 64 encoded token> opensocial feature uses gadgets.io.makeRequest and forwards the token itself to the target back end (alternatively, if it's on the same host, it could simply make a normal XHR). App data back end decrypts the token and returns data for whatever the current request requires (friend graph, app data, whatever). The *gadget server* doesn't care about authentication (other than validation of tokens in some special cases, like signed proxy requests). It's the *app data* servers that actually need to know about this. It's possible for the gadget server to also be an app data server, of course, but I think that this is impractical for real websites.
