While we're on the topic of tightening up the spec... what's the state
of this language?

"When OAuth is used for authorization on a single RPC the OAuth
signature uses the URL Addressing representation of the request
without the auth param to calculate the signature base string.
When OAuth is used for authorization on a batch of RPCs the generation
of the OAuth signature base string uses the same technique as URL
Addressing to convert a sub-request into a list of query parameters
with the addition of adding the method field into the query parameter
list. Each parameter in the query string is prepended with the id of
the sub-request for which it was generated and '.' . The conversion
for Example 2.2 would look like:

a9fd76.method=people.get&a9fd76.id=a9fd76&a9fd76.params.user...@me&e453a.method=people.get&e453a.id=e453a&e453a.params.user...@me&e453a.params.group...@friends"

AFAICT that isn't implemented in Shindig, and it seems like the
implementation would be a pain.

Implementing a simple SHA1 hash of the raw request body would be
easier.  There is a rough OAuth spec for that.  The roughness can be
smoothed out without too much trouble:
http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/drafts/1/spec.html

Cheers,
Brian
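
The body-hash approach suggested above, as an added sketch that is not part of the original message and is not Shindig code: the raw batch body is hashed with SHA-1, the base64 digest travels as `oauth_body_hash`, and that parameter is signed like any other OAuth 1.0 parameter. Assumptions: HMAC-SHA1 with no token secret (two-legged), a constructed JSON-RPC batch, placeholder host, consumer key and secret, and no nonce or timestamp replay checks.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def enc(s):
    # OAuth 1.0 percent-encoding: only unreserved characters stay literal.
    return quote(s, safe="~")

def body_hash(body):
    # oauth_body_hash: base64 of the SHA-1 digest of the raw body bytes.
    return base64.b64encode(hashlib.sha1(body).digest()).decode()

def base_string(method, url, params):
    pairs = sorted((enc(k), enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(url), enc(normalized)])

def sign(method, url, params, body, consumer_secret, token_secret=""):
    # The body hash is an ordinary signed parameter, so the signature covers the batch.
    signed = dict(params, oauth_body_hash=body_hash(body))
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, signed).encode(), hashlib.sha1)
    signed["oauth_signature"] = base64.b64encode(mac.digest()).decode()
    return signed

def verify(method, url, received, body, consumer_secret, token_secret=""):
    params = dict(received)
    sig = params.pop("oauth_signature", "")
    claimed = params.pop("oauth_body_hash", "")
    # Check 1: the bytes received hash to the claimed value.
    if not hmac.compare_digest(claimed.encode(), body_hash(body).encode()):
        return False
    # Check 2: the claimed hash is covered by a valid signature.
    expected = sign(method, url, params, body, consumer_secret, token_secret)
    return hmac.compare_digest(sig.encode(), expected["oauth_signature"].encode())

# Constructed sample data (host, consumer key, secret and nonce are placeholders).
URL = "https://container.example/social/rpc"
BATCH = (b'[{"method":"people.get","id":"a9fd76","params":{"userId":"@me"}},'
         b'{"method":"people.get","id":"e453a","params":{"userId":"@me","groupId":"@friends"}}]')
OAUTH = {"oauth_consumer_key": "example-consumer", "oauth_nonce": "n-1",
         "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1234567890",
         "oauth_version": "1.0", "xoauth_requestor_id": "user-1"}

if __name__ == "__main__":
    signed = sign("POST", URL, OAUTH, BATCH, "example-secret")
    print(verify("POST", URL, signed, BATCH, "example-secret"))                         # intact batch
    print(verify("POST", URL, signed, BATCH.replace(b"@me", b"42"), "example-secret"))  # altered batch
```

The verifier has to hash the body bytes exactly as received, before any JSON parsing or re-serialization, or the digests will not match.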




On Fri, Feb 13, 2009 at 4:22 PM, Arne Roomann-Kurrik <kur...@google.com> wrote:
> Working with the client libraries, I also wondered about these things.  Are
> these cases where the spec needs to be tightened up?
>
> ~Arne
>
>
>
> On Fri, Feb 13, 2009 at 4:05 PM, Taylor Singletary <tsinglet...@linkedin.com> wrote:
>
>> Hi Everyone,
>>
>> I didn't get any bites on this. Am I just not making any sense? :)
>>
>> Thanks,
>> Taylor
>>
>>
>> On 2/4/09 8:32 AM , "Taylor Singletary" <tsinglet...@linkedin.com> wrote:
>>
>> > Hi Shindig-Dev,
>> >
>> > I am trying to determine how to enable OAuth support for the /social/rpc
>> > endpoint. We've already enabled OAuth support for the usual /social/rest
>> > endpoint, but are interested in allowing batched calls using OAuth.
>> >
>> > What I'm having trouble figuring out is:
>> >   1) How to enable OAuth as a valid form of authentication for /social/rpc
>> >   2) Tying the xoauth_requestor_id used in the OAuth call to all operations
>> > in the batch
>> >   3) And finally, supporting operation-specific OAuth tokens such that
>> > Operation #1 would use token "abcdefg" and Operation #2 would use token
>> > "bcdefgh", etc. -- and how to enable this without requiring
>> > xoauth_requestor_id to be used as well.
>> >
>> > The RPC documentation suggests that this is possible:
>> > "OAuth is supported for authentication and authorization in addition to
>> > other authorization schemes a container may choose to support. A single
>> > OAuth token can be used for a batch of operations or each operation can
>> > specify its own OAuth token."
>> >
>> > http://www.opensocial.org/Technical-Resources/opensocial-spec-v081/rpc-protocol.html
>> >
>> > If someone could please help point me in the right direction, it would be
>> > much appreciated.
>> >
>> > Thanks,
>> > Taylor Singletary
>>
>>
>
>
> --
> OpenSocial IRC - irc://irc.freenode.net/opensocial
>
