Ah - suddenly I'm getting why you were talking about access tokens before :)
Would this be for gadgets authenticating towards their "home sites" (so a gadget of lastfm wanting to show data the user previously entered on lastfm), or connecting to third party APIs (let's say a fictional Slide gadget wanting to retrieve private photos from Flickr)?

On 2/6/08, Brian Eaton <[EMAIL PROTECTED]> wrote:
>
> On Feb 5, 2008 12:21 PM, Reinoud Elhorst <[EMAIL PROTECTED]> wrote:
> > So I'm wondering what the mystery AUTHENTICATED method should do (it looks
> > like SHINDIG-35 implements it, still English might be easier to get the big
> > picture), and what the goal of this method is (what extra authentication
> > would it provide)?
>
> Glad you asked. AUTHENTICATED is for implementing the full OAuth
> protocol flow. Check out http://oauth.net for the gory details, but
> here's the basic idea: a user has two accounts on two different sites.
> One of them is a gadget container. The other site (which we'll call
> the service provider) has some of the user's personal data. The user
> would like to display some of their data from the service provider on
> the gadget container site.
>
> The traditional way to do this is for the container site to ask for
> the username and password for the service provider site, and then
> screen scrape the user's data. This is not a good model, and we'd
> like to discourage opensocial gadgets from following this pattern.
> Instead, they can use OAuth to get the user's permission to view their
> data, without needing their password. It works like this:
>
> - the container notifies the service provider that they are going to
>   request permission to view a user's data.
> - the container then redirects the user to an approval page on the
>   service provider side.
> - the user gives their approval to view the data
> - the container then receives a secret value that they can use to pull
>   the data from the service provider's site.
>
> Users don't need to give out their passwords to everyone who asks, and
> they keep control over who gets to see their data. Service providers
> can allow users to grant temporary access to their data, or revoke
> access if they decide they don't trust a container any longer.
>
> Cheers,
> Brian
>
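The four-step flow Brian describes, run end to end as an added example (this is not code from Shindig or from anyone on the thread). Both sides live in one process: the gadget container plays the OAuth 1.0 "consumer", the site holding the user's data plays the "service provider". Class names, the `/request_token`, `/access_token` and `/photos` paths, the consumer key/secret and the user data are all constructed for the example; the signing rules (signature base string, HMAC-SHA1, `consumer_secret&token_secret` key, nonce and timestamp) are the ones OAuth Core 1.0 specifies. The user's password never crosses to the container, and revoking the access token at the provider is enough to shut the container out.

```python
# Added example of the OAuth 1.0 consumer / service-provider exchange; not Shindig code.
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def pct(value):
    """RFC 3986 percent-encoding as OAuth 1.0 requires (only unreserved chars stay bare)."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """METHOD & URL & normalized parameters (sorted, encoded, without the signature itself)."""
    norm = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items())
                    if k != "oauth_signature")
    return "&".join([method.upper(), pct(url), pct(norm)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """Key is consumer_secret&token_secret; token_secret is empty when no token exists yet."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


class ServiceProvider:
    """Holds the user's data. It never sees, and never needs, the user's password."""

    def __init__(self, base_url, consumers, user_data):
        self.base_url = base_url
        self.consumers = consumers      # consumer_key -> consumer_secret (pre-registered)
        self.user_data = user_data      # username -> private data
        self.request_tokens = {}        # token -> [secret, approving username or None]
        self.access_tokens = {}         # token -> (secret, username)
        self.seen_nonces = set()        # replay protection for signed requests

    def _verify(self, method, path, params, token_secret):
        consumer_secret = self.consumers.get(params.get("oauth_consumer_key"))
        if consumer_secret is None:
            raise PermissionError("unknown consumer")
        nonce = (params["oauth_consumer_key"], params["oauth_nonce"], params["oauth_timestamp"])
        if nonce in self.seen_nonces:
            raise PermissionError("replayed request")
        expected = hmac_sha1_signature(method, self.base_url + path, params,
                                       consumer_secret, token_secret)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            raise PermissionError("bad signature")
        self.seen_nonces.add(nonce)

    def request_token(self, params):
        """Step 1: the container announces it will ask for permission."""
        self._verify("POST", "/request_token", params, "")
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = [secret, None]
        return token, secret

    def authorize(self, token, username):
        """Steps 2-3: the user, logged in at the provider, approves the request token."""
        if token not in self.request_tokens:
            raise KeyError("unknown request token")
        self.request_tokens[token][1] = username

    def access_token(self, params):
        """Step 4: an approved request token is traded for the access token and its secret."""
        entry = self.request_tokens.get(params.get("oauth_token"))
        if entry is None:
            raise PermissionError("unknown request token")
        self._verify("POST", "/access_token", params, entry[0])
        if entry[1] is None:
            raise PermissionError("user has not approved this request")
        del self.request_tokens[params["oauth_token"]]
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[token] = (secret, entry[1])
        return token, secret

    def protected_resource(self, params):
        entry = self.access_tokens.get(params.get("oauth_token"))
        if entry is None:
            raise PermissionError("unknown or revoked access token")
        self._verify("GET", "/photos", params, entry[0])
        return self.user_data[entry[1]]

    def revoke(self, token):
        """The user withdraws trust; later signed requests with this token fail."""
        self.access_tokens.pop(token, None)


class Consumer:
    """The gadget container. It holds only tokens, never the provider password."""

    def __init__(self, key, secret, provider):
        self.key, self.secret, self.sp = key, secret, provider

    def _signed(self, method, path, token=None, token_secret=""):
        params = {"oauth_consumer_key": self.key, "oauth_signature_method": "HMAC-SHA1",
                  "oauth_timestamp": str(int(time.time())), "oauth_nonce": secrets.token_hex(8),
                  "oauth_version": "1.0"}
        if token:
            params["oauth_token"] = token
        params["oauth_signature"] = hmac_sha1_signature(
            method, self.sp.base_url + path, params, self.secret, token_secret)
        return params

    def obtain_access(self, username):
        rt, rt_secret = self.sp.request_token(self._signed("POST", "/request_token"))
        self.sp.authorize(rt, username)  # in a deployment: browser redirect to the SP and back
        return self.sp.access_token(self._signed("POST", "/access_token", rt, rt_secret))

    def fetch_photos(self, token, token_secret):
        return self.sp.protected_resource(self._signed("GET", "/photos", token, token_secret))


def run_demo():
    """Constructed data: one registered container, one provider user with two photos."""
    sp = ServiceProvider("https://photos.example", {"container-key": "container-secret"},
                         {"alice": ["beach.jpg", "cat.jpg"]})
    container = Consumer("container-key", "container-secret", sp)
    at, at_secret = container.obtain_access("alice")
    photos = container.fetch_photos(at, at_secret)
    sp.revoke(at)
    try:
        container.fetch_photos(at, at_secret)
        revoked_rejected = False
    except PermissionError:
        revoked_rejected = True
    return {"photos": photos, "revoked_rejected": revoked_rejected}
```

Two checks in the provider carry the security argument: `access_token` refuses a request token the user has not approved, so a container cannot skip the approval page, and `_verify` recomputes the HMAC over method, URL and sorted parameters with the token's own secret, so only the party holding both the consumer secret and the token secret can use a token. The example follows the 2008 flow as Brian lists it and does not include the `oauth_verifier` that OAuth 1.0a later added to the approval step.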

