Hi, I'm working on persistent implementations for the OpenSocial SPIs in Java Shindig and had a couple of questions:
- Authorization: Ensuring that the user making the call (pulled from the viewerId in the SecurityToken) is authorized to perform the requested action is up to me as implementer of the SPIs, using whatever rules make sense for my social network site, right?
- Server-to-server calls: I've seen talk of server-to-server calls via the REST and RPC protocols. I'm trying to wrap my head around how authorization would work in those cases. In the end those calls are going to end up hitting my SPI implementations, and assuming I'm supposed to be doing the authorization myself, what kind of values should I expect to pull from the security token, since there is no ownerId, viewerId, moduleId, etc.? Is this where the domain field in the SecurityToken would come into play?

Thanks!
--Jesse
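One way to structure the check the post asks about, as an added example that is not part of the original message and not code from Apache Shindig: a small authorization gate that an SPI implementation would consult before touching storage. The `Token` interface below is a stand-in for the accessors of `org.apache.shindig.auth.SecurityToken` that the post names (viewerId, ownerId, domain); the trusted-domain allow-list, the friend graph, the user names and the `ProfileAuthorizer` class are all constructed for illustration. The point it shows is that a token with no viewerId cannot be subjected to per-user rules, so a server-to-server call has to be decided on something else (here, an allow-listed domain), and that anything not matching either shape is refused.

```java
import java.util.Map;
import java.util.Set;

// Added example (not code from the original post or from Apache Shindig).
// Token is a stand-in for the parts of org.apache.shindig.auth.SecurityToken
// the post mentions; only the accessors used here are modelled.
interface Token {
    String getViewerId();   // user making the call, null if none is bound to the token
    String getOwnerId();    // user whose page/data the call concerns
    String getDomain();     // domain the token was issued for
    boolean isAnonymous();  // token carries no authenticated principal at all
}

/** Minimal Token implementation used only to build the sample tokens below. */
final class SimpleToken implements Token {
    private final String viewer, owner, domain;
    private final boolean anonymous;

    SimpleToken(String viewer, String owner, String domain, boolean anonymous) {
        this.viewer = viewer; this.owner = owner; this.domain = domain; this.anonymous = anonymous;
    }
    public String getViewerId() { return viewer; }
    public String getOwnerId() { return owner; }
    public String getDomain() { return domain; }
    public boolean isAnonymous() { return anonymous; }
}

/**
 * Hypothetical authorization gate an SPI implementation would call before
 * reading or writing persistent data. Two token shapes are handled:
 *   - user-scoped tokens (viewerId present): enforce site rules on the viewer;
 *   - server-to-server tokens (no viewerId): trust only an allow-listed domain.
 * Everything else is refused (fail closed).
 */
final class ProfileAuthorizer {
    enum Action { READ_PROFILE, UPDATE_PROFILE }

    private final Set<String> trustedServerDomains;   // assumption: allow-list configured per site
    private final Map<String, Set<String>> friendsOf; // constructed sample social graph

    ProfileAuthorizer(Set<String> trustedServerDomains, Map<String, Set<String>> friendsOf) {
        this.trustedServerDomains = trustedServerDomains;
        this.friendsOf = friendsOf;
    }

    boolean isAllowed(Token token, Action action, String targetUserId) {
        if (token == null || token.isAnonymous()) {
            return false;                       // no principal at all: deny everything
        }
        String viewer = token.getViewerId();
        if (viewer == null || viewer.isEmpty()) {
            // Server-to-server call: there is no viewer to apply per-user rules to,
            // so the decision rests entirely on whether the issuing domain is trusted.
            String domain = token.getDomain();
            return domain != null && trustedServerDomains.contains(domain);
        }
        switch (action) {
            case READ_PROFILE:
                // A user may read their own profile or a friend's.
                return viewer.equals(targetUserId)
                        || friendsOf.getOrDefault(targetUserId, Set.of()).contains(viewer);
            case UPDATE_PROFILE:
                // Only the profile owner may modify it. ownerId is deliberately not
                // consulted: it says whose page is being shown, not who is acting.
                return viewer.equals(targetUserId);
            default:
                return false;
        }
    }

    public static void main(String[] args) {
        ProfileAuthorizer auth = new ProfileAuthorizer(
                Set.of("partner.example"),
                Map.of("alice", Set.of("bob")));  // constructed graph: bob is alice's friend

        Token bob = new SimpleToken("bob", "alice", "social.example", false);
        Token mallory = new SimpleToken("mallory", "alice", "social.example", false);
        Token partner = new SimpleToken(null, null, "partner.example", false);
        Token unknownServer = new SimpleToken(null, null, "evil.example", false);
        Token anon = new SimpleToken(null, null, "social.example", true);

        System.out.println("bob reads alice:          " + auth.isAllowed(bob, Action.READ_PROFILE, "alice"));
        System.out.println("bob updates alice:        " + auth.isAllowed(bob, Action.UPDATE_PROFILE, "alice"));
        System.out.println("mallory reads alice:      " + auth.isAllowed(mallory, Action.READ_PROFILE, "alice"));
        System.out.println("trusted server reads:     " + auth.isAllowed(partner, Action.READ_PROFILE, "alice"));
        System.out.println("unknown server reads:     " + auth.isAllowed(unknownServer, Action.READ_PROFILE, "alice"));
        System.out.println("anonymous reads alice:    " + auth.isAllowed(anon, Action.READ_PROFILE, "alice"));
    }
}
```

Compile and run with `javac ProfileAuthorizer.java && java ProfileAuthorizer` (Java 9 or later for `Set.of`/`Map.of`). In a real Shindig SPI the refusal would be surfaced to the caller as a `ProtocolException` carrying a 403 status rather than a boolean, and the domain allow-list would come from the container configuration; the branch order (deny when no principal, domain-only trust when no viewer, per-user rules otherwise) is the part worth keeping.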

