Hey Alex,

The reason this might seem lacking in Shindig is because most of the heavy lifting of OAuth has to be done by the containing website, and not by shindig. Shindig does provide some hooks to make this easier, but the XRDS document, the URLs and how the tokens are generated & tested is a container affair.

The Java and PHP versions of shindig are a bit different in how they solved it. I happen to know about the PHP one, so I'll address that (Cassie Doll & Paul Lindner are probably the ones to ask for how to do this in the Java version).

To implement OAuth support for the REST/RPC end points you need to create an OAuthLookupService (extending shindig's OAuthLookupService class) and tell shindig to use this class by editing the configuration (shindig/php/config/container.php). The example in Partuza (demo open social site written in PHP) supports both 2 and 3 legged OAuth tokens:
http://code.google.com/p/partuza/source/browse/trunk/Shindig/PartuzaOAuthLookupService.php

Then you also need to create a custom OAuthDataStore class (extending the oauth library's OAuthDataStore class), in which you do the actual token work. The example from Partuza can be found at:
http://code.google.com/p/partuza/source/browse/trunk/Shindig/PartuzaOAuthDataStore.php

If you want to test this with a client script in PHP, it might be worth checking out:
http://code.google.com/p/opensocial-php-client/
which supports the full REST&RPC protocols, XRDS and OAuth (2 and 3 legged) and makes testing the REST/RPC endpoints and XRDS & OAuth a lot easier :)

Hope that helps!

-- Chris

On Fri, Mar 6, 2009 at 2:13 AM, Alex Benjamen <[email protected]> wrote:

> Hi,
>
> I've been using shindig for the last week to implement Opensocial RESTful APIs. That was mostly a breeze due to nice provided samples - I got most of what I needed done within 3-4 days... so thank you all who worked on the project, this allowed me to build OpenSocial compliant WS without much effort!
>
> Not to rain on the parade, but the OAuth part of shindig could use a little more documentation. (Or maybe I could not find the right documentation). I'm very familiar with the OAuth concept and understand how it works, but I'm having some trouble figuring out some of the protocol basics - basically I want to be able to write a simple php script which will: fetch a request token (let's assume that the consumer key/secret is already assigned and available via the OAuth Data store) then exchange the request token for an access token, and make a signed request with the token. So here are some questions:
>
> 1. How does the consumer fetch the request token - what is the URL within the shindig server that needs to be called and with what arguments? Same question for exchanging the request token for access token.
>
> 2. What is the most popular signature method? Can I assume OAuthSignatureMethod_HMAC_SHA1 would be enough or would I need to implement the OAuthSignatureMethod_RSA_SHA1 as well..
>
> 3. Is there a step by step guide anywhere which describes the steps needed to enable the OAuth on shindig? (I did read through the Partuza implementation, have some idea about PartuzaOAuthLookupService)
>
> 4. Is there a spec on how the consumer should sign requests? What about post data, is that considered in the signature too...
>
> I apologize in advance if these questions were asked before - I started reading the archives but there are just too many unrelated things - I think it would be good to have a mailing list just for the OAuth related questions
>
> Thanks!
> -Alex
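Added example, not part of the thread and not Shindig or Partuza code: on questions 2 and 4 above, this sketch shows OAuth 1.0 HMAC-SHA1 signing as defined in OAuth Core 1.0 section 9, where form-encoded POST parameters are part of the signature base string, together with the container-side check (signature, then nonce replay) that the data store's token work has to support. It is written in Python so it can be run stand-alone; the `Verifier` class, the keys, secrets, URL and request body are all assumptions constructed for illustration.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def enc(s):
    # OAuth 1.0 percent-encoding: only unreserved characters stay literal.
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    # params: query + form-encoded POST body + oauth_* pairs; url without query.
    pairs = sorted((enc(k), enc(v)) for k, v in params if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(url), enc(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

class Verifier:
    """Container-side check (hypothetical class). Secrets and seen nonces live
    in memory; a real data store would persist them and bound the timestamp."""
    def __init__(self, consumers, tokens):
        self.consumers, self.tokens, self.seen = consumers, tokens, set()

    def verify(self, method, url, params):
        p = dict(params)
        csecret = self.consumers.get(p.get("oauth_consumer_key"))
        if csecret is None or p.get("oauth_signature_method") != "HMAC-SHA1":
            return False
        if "oauth_token" in p and p["oauth_token"] not in self.tokens:
            return False
        tsecret = self.tokens.get(p.get("oauth_token"), "")  # "" = 2-legged
        expected = sign(method, url, params, csecret, tsecret).encode()
        if not hmac.compare_digest(expected, p.get("oauth_signature", "").encode()):
            return False
        nonce = (p["oauth_consumer_key"], p.get("oauth_timestamp"), p.get("oauth_nonce"))
        if nonce in self.seen:  # replay; recorded only after the MAC is valid
            return False
        self.seen.add(nonce)
        return True

def demo():
    # Constructed sample: keys, secrets, URL and body are made up.
    url = "https://container.example/rest/activities"
    req = [("title", "hello world"), ("oauth_consumer_key", "ck"),
           ("oauth_token", "at"), ("oauth_signature_method", "HMAC-SHA1"),
           ("oauth_timestamp", "1236300000"), ("oauth_nonce", "n1")]
    signed = req + [("oauth_signature", sign("POST", url, req, "cs", "ts"))]
    v = Verifier({"ck": "cs"}, {"at": "ts"})
    tampered = [("title", "changed")] + signed[1:]  # body edited after signing
    return (v.verify("POST", url, signed), v.verify("POST", url, signed),
            v.verify("POST", url, tampered))
```

`demo()` returns the results for a valid request, the same request replayed, and a request whose POST body was changed after signing.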

