OK, I'm starting to understand.....
Is there any idea yet on how this should work? Let's say that I do a
var params = {};
params[gadgets.io.RequestParameters.AUTHORIZATION] = gadgets.io.AuthorizationType.AUTHENTICATED;
gadgets.io.makeRequest("http://www.example.com/something", callback, params);
Now, I assume this will only work if there is some information on the
gadget-server on the "request URLs" for http://www.example.com/something
(since no discovery is in OAuth at the moment). In addition, it should have
a consumer id (or be able to obtain one).
So if this is the first call for this user, the gadget server requests a
request token. Then somehow (popup, redirect, really an implementation
choice), the user is led to the "User Authentication URL". After logging
in and giving approval, the gadget server is notified, and requests an
access token. It will then use the access token to do the original request.
Obviously once an access token has been obtained in some previous request
(possibly in a previous session), that one can be used directly.
You know I'm a big fan of OAuth and open standards, and I see the problem
that it's trying to solve; at the moment, however, it doesn't seem like the
place I want to start implementing Shindig in Hyves :). I'm wondering how
many gadgets will use this (initially at least). This also seems to be the
only part where Shindig needs any sort of persistent storage (except the
caching), and possibly shared storage (to be able to cancel access tokens,
I guess). I think that initially I'd be happy to have only a minimal
implementation (I guess a very simple database/memcached would do), and
only start worrying about managing it if a lot of gadgets start using it.
On 2/6/08, Brian Eaton <[EMAIL PROTECTED]> wrote:
>
> On Feb 5, 2008 3:42 PM, Reinoud Elhorst <[EMAIL PROTECTED]> wrote:
> > Would this be for gadgets authenticating towards their "home sites" (so a
> > gadget of lastfm wanting to show data the user previously entered on
> > lastfm), or connecting to third party APIs (let's say a fictional Slide
> > gadget wanting to retrieve private photos from Flickr)?
>
> It depends how many different identity silos are involved. If a
> user's entire interaction with the 'home site' is through a single
> SNS, you don't really need OAuth. Signed fetch is enough for the home
> site to keep track of the user. If there are multiple SNS and you are
> trying to have all connect to the same account on the home site, full
> OAuth is useful. If the user has a separate login and password on the
> SNS vs the home site, full OAuth is useful.
>
> I haven't played with lastfm, but the Slide/Flickr use case sounds
> like OAuth to me.
>
> Cheers,
> Brian
>
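
The flow described at the top of this message, sketched as an added example that is not part of the original thread or of Shindig's code: a gadget server that stores one access token per user, walks the request token / user approval / access token steps on first use, and can cancel a stored token. The class names, the in-memory Map store, the authorize URL path and the mock provider are assumptions, and OAuth request signing is left out.

```javascript
// Added illustration; all names are hypothetical and OAuth signing is omitted.
// Constructed stand-in for the service provider's three OAuth endpoints.
class MockProvider {
  constructor() { this.n = 0; this.requestTokens = new Map(); this.accessTokens = new Set(); }
  issue(prefix) { return prefix + (++this.n); } // mock only: real tokens must be unpredictable
  getRequestToken(consumerKey) {
    const t = this.issue("rt");
    this.requestTokens.set(t, { consumerKey, approved: false });
    return t;
  }
  authorizeUrl(t) { return "http://www.example.com/oauth/authorize?oauth_token=" + t; }
  userApproves(t) { this.requestTokens.get(t).approved = true; } // user logs in and consents
  getAccessToken(t) {
    const rt = this.requestTokens.get(t);
    if (!rt || !rt.approved) throw new Error("request token not approved");
    this.requestTokens.delete(t);                // request tokens are single use
    const a = this.issue("at");
    this.accessTokens.add(a);
    return a;
  }
  fetch(url, a) { return this.accessTokens.has(a) ? { status: 200, url } : { status: 401 }; }
}

class GadgetServer {
  constructor(provider, consumerKey) {
    this.provider = provider;
    this.consumerKey = consumerKey;
    this.pending = new Map(); // user -> request token awaiting approval
    this.store = new Map();   // user -> access token (the persistent storage discussed above)
  }
  makeRequest(user, url) {
    const access = this.store.get(user);
    if (access) {
      const res = this.provider.fetch(url, access);
      if (res.status !== 401) return res;        // stored token still valid: use it directly
      this.store.delete(user);                   // rejected by the provider: start over
    }
    const rt = this.provider.getRequestToken(this.consumerKey);
    this.pending.set(user, rt);                  // bound to this user, never shared
    return { status: "approval_needed", approvalUrl: this.provider.authorizeUrl(rt) };
  }
  onApproved(user) {                             // called once the user has given approval
    const rt = this.pending.get(user);
    if (!rt) throw new Error("no pending authorization for " + user);
    const access = this.provider.getAccessToken(rt); // throws if approval never happened
    this.pending.delete(user);
    this.store.set(user, access);
  }
  revoke(user) { return this.store.delete(user); }   // cancel the stored access token
}
```

Keying both maps by user is what keeps one user's approval from being reused for another; a shared deployment would replace the Maps with the database or memcached store mentioned in the message.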