Hello,

So I'm working on getting OAuth working in our Shindig-based gadget
container and I'm having a problem when anonymous users visit
dashboards where gadgets use OAuth.  The problem seems to stem from
the GadgetOAuthTokenStore.findSpec method.  It tries to use the
security token to figure out what the gadget spec URI is, but since it's
an anonymous user, securityToken.getAppUrl() is an empty string.

I'm not sure what the right way to solve this is.  One solution I
think might work is to change the AnonymousAuthenticationHandler to
check the HttpServletRequest for the "gadget" parameter and, if
present, pass its value into the AnonymousSecurityToken to use as the
app URL.  But I'm not sure that this is the "correct" thing to do.

Alternatively, for anonymous users, I can generate a SecurityToken,
when rendering the dashboard and the gadget iframes, that only
contains the app URL with blank values for everything else.

Which solution do you all suggest?  Is there a better one that I'm missing?

Thanks,
Rich
