I have seen some documentation around how OAuth is used in the context of
gadgets requesting data, but not really a full mapping of what each of the
pieces is in OAuth terms.
It seemed to me that in most cases, the data APIs of OpenSocial/Shindig are
the 'service provider' and the gadgets/container/data proxy are the 'consumer'.
What this seems to leave out in terms of OAuth is how the gadget securely
makes its data request to the container so that the container can sign it.
What stops a man-in-the-middle between the gadget running on the client and
the server that will proxy the request for data to the data APIs?