On Feb 5, 2008 12:21 PM, Reinoud Elhorst <[EMAIL PROTECTED]> wrote:
> So I'm wondering what the mystery AUTHENTICATED method should do (it looks
> like SHINDIG-35 implements it, still English might be easier to get the big
> picture), and what the goal of this method is (what extra authentication
> would it provide)?
Glad you asked. AUTHENTICATED is for implementing the full OAuth protocol flow. Check out http://oauth.net for the gory details, but here's the basic idea: a user has two accounts on two different sites. One of them is a gadget container. The other site (which we'll call the service provider) has some of the user's personal data. The user would like to display some of their data from the service provider on the gadget container site.

The traditional way to do this is for the container site to ask for the username and password for the service provider site, and then screen scrape the user's data. This is not a good model, and we'd like to discourage opensocial gadgets from following this pattern. Instead, they can use OAuth to get the user's permission to view their data, without needing their password.

It works like this:

- the container notifies the service provider that they are going to request permission to view a user's data.
- the container then redirects the user to an approval page on the service provider side.
- the user gives their approval to view the data
- the container then receives a secret value that they can use to pull the data from the service provider's site.

Users don't need to give out their passwords to everyone who asks, and they keep control over who gets to see their data. Service providers can allow users to grant temporary access to their data, or revoke access if they decide they don't trust a container any longer.

Cheers,
Brian
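The four-step flow Brian describes, simulated end to end as an added example (this is not Shindig code and not taken from the thread). Both sides are modelled in one process: a `ServiceProvider` that registers containers, issues request and access tokens and checks signatures, and a `Container` that never learns the user's password at the provider. The signing key `consumer_secret&token_secret` and the request-token / approval / access-token sequence follow OAuth 1.0; the string that gets signed is a deliberately simplified stand-in for the real OAuth signature base string, and the user `alice`, her data and the consumer key `container.example` are constructed sample values.

```python
import hashlib
import hmac
import secrets


def sign(consumer_secret, token_secret, message):
    # OAuth 1.0 keys the HMAC with "consumer_secret&token_secret" (token secret may be empty).
    # The message is a simplified stand-in for the real signature base string (assumption).
    key = f"{consumer_secret}&{token_secret}".encode()
    return hmac.new(key, message.encode(), hashlib.sha1).hexdigest()


class ServiceProvider:
    """The site holding the user's data; it never hands the user's password to anyone."""

    def __init__(self):
        self.consumers = {}       # consumer_key -> consumer_secret (registered containers)
        self.request_tokens = {}  # token -> {"secret", "consumer", "user"} (user set on approval)
        self.access_tokens = {}   # token -> {"secret", "consumer", "user"}
        self.user_data = {"alice": ["friend: bob", "friend: carol"]}  # constructed sample data

    def register_consumer(self, consumer_key):
        self.consumers[consumer_key] = secrets.token_hex(16)
        return self.consumers[consumer_key]

    def _check(self, consumer_key, token_secret, message, signature):
        # Unknown consumer -> empty secret -> signature will not match.
        expected = sign(self.consumers.get(consumer_key, ""), token_secret, message)
        return hmac.compare_digest(expected, signature)

    # Step 1: the container announces it will ask for permission and gets a request token.
    def issue_request_token(self, consumer_key, signature):
        if not self._check(consumer_key, "", f"request_token|{consumer_key}", signature):
            raise PermissionError("bad signature on request-token call")
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = {"secret": secret, "consumer": consumer_key, "user": None}
        return token, secret

    # Steps 2-3: the user, redirected to the provider's approval page, approves or declines.
    def authorize(self, request_token, user, approved):
        self.request_tokens[request_token]["user"] = user if approved else None

    # Step 4: an approved request token is exchanged for the access token (the "secret value").
    def issue_access_token(self, consumer_key, request_token, signature):
        rec = self.request_tokens.get(request_token)
        if rec is None or rec["consumer"] != consumer_key or rec["user"] is None:
            raise PermissionError("request token unknown or not approved by the user")
        msg = f"access_token|{consumer_key}|{request_token}"
        if not self._check(consumer_key, rec["secret"], msg, signature):
            raise PermissionError("bad signature on access-token call")
        del self.request_tokens[request_token]  # request tokens are single use
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[token] = {"secret": secret, "consumer": consumer_key, "user": rec["user"]}
        return token, secret

    def fetch_data(self, consumer_key, access_token, signature):
        rec = self.access_tokens.get(access_token)
        if rec is None or rec["consumer"] != consumer_key:
            raise PermissionError("access token unknown or revoked")
        msg = f"data|{consumer_key}|{access_token}"
        if not self._check(consumer_key, rec["secret"], msg, signature):
            raise PermissionError("bad signature on data call")
        return list(self.user_data[rec["user"]])

    def revoke(self, access_token):
        # The user (or provider) withdraws the container's access at any time.
        self.access_tokens.pop(access_token, None)


class Container:
    """The gadget container; it holds only its own consumer secret and the tokens it is issued."""

    def __init__(self, consumer_key, consumer_secret, provider):
        self.key, self.secret, self.sp = consumer_key, consumer_secret, provider
        self.access = None

    def obtain_access(self, user, user_approves):
        req_token, req_secret = self.sp.issue_request_token(
            self.key, sign(self.secret, "", f"request_token|{self.key}"))
        # In a real deployment this call is the redirect to the provider's approval page.
        self.sp.authorize(req_token, user, user_approves)
        self.access = self.sp.issue_access_token(
            self.key, req_token, sign(self.secret, req_secret, f"access_token|{self.key}|{req_token}"))
        return self.access[0]

    def fetch(self):
        token, secret = self.access
        return self.sp.fetch_data(self.key, token, sign(self.secret, secret, f"data|{self.key}|{token}"))


def run_flow(user_approves=True):
    """Runs the whole flow; returns (data pulled, whether data is still readable after revocation)."""
    sp = ServiceProvider()
    container = Container("container.example", sp.register_consumer("container.example"), sp)
    token = container.obtain_access("alice", user_approves)
    data = container.fetch()
    sp.revoke(token)
    try:
        container.fetch()
        readable = True
    except PermissionError:
        readable = False
    return data, readable
```

`run_flow()` walks the approved path and then shows revocation taking effect; `run_flow(user_approves=False)` raises at the access-token exchange, which is the point of the protocol: without the user's approval the container never obtains anything it can use to pull the data.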

