Hey Jesse, I can't go into too many Java specifics (others might be able to expand on this), but:
On Fri, Oct 2, 2009 at 4:59 PM, Ciancetta, Jesse E. <[email protected]> wrote:
> - Authorization: Ensuring that the user making the call (pulled from the
> viewerId in the SecurityToken) is authorized to perform the requested action
> is up to me as implementer of the SPI's using whatever rules make sense for
> my social network site, right?
>

That's correct. OpenSocial (and Shindig by extension) tries very hard not to make this decision for you: with some networks all data is readily available for everyone, others have very strict privacy controls in place, so using the information from the security token (module, owner, viewer) you can implement that in a way that fits your platform.

> - Server to Server calls: I've seen talk of server to server calls via the
> REST and RPC protocols -- I'm trying to wrap my head around how
> authorization would work in those cases. In the end those calls are going
> to end up hitting my SPI implementations, and assuming I'm supposed to be
> doing the authorization myself, what kind of values should I expect to pull
> from the security token since there is no ownerId, viewerId, moduleId,
> etc... Is this where the domain field in the SecurityToken would come into
> play?
>

Authentication to the REST(/RPC) API happens through OAuth in this case. Now there are 2 variants of OAuth that you can implement:

- 2 legged OAuth (see http://sites.google.com/site/oauthgoog/2leggedoauth/2opensocialrestapi for details): in this case the OAuth consumer key correlates to an application that pre-registered to get the OAuth key & secret, so you can base the security assumptions on that (a popular way of doing that is "If the user you are requesting has that application installed, we'll give out the info, and otherwise you'll get a permission denied")
- 3 legged OAuth: here an actual human had to grant access to the site to his/her data, so you have a user id associated with the session

In PHP land you can check which type of token it is (security / 2 legged / 3 legged OAuth) and if:

- security token = has owner/viewer/app id
- 2 legged = has app id, but getOwner/getViewer will throw an exception
- 3 legged = has viewer id, but getAppId will throw an exception

And if memory serves, Java works in much the same way.
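An added example of the dispatch just described, written for this thread rather than taken from Shindig: the token class is a stand-in (not Shindig's SecurityToken API) that marks an absent field with null instead of throwing, and the installed-app map and the access rules are constructed site rules of the kind the reply leaves up to the implementer.

```java
import java.util.Map;
import java.util.Set;
public class TokenAuthz {
    enum Kind { SECURITY_TOKEN, TWO_LEGGED, THREE_LEGGED, UNKNOWN }
    /** Stand-in for the container's token (an assumption, not Shindig's class); null = field absent. */
    static final class CallerToken {
        final String ownerId, viewerId, appId;
        CallerToken(String ownerId, String viewerId, String appId) {
            this.ownerId = ownerId; this.viewerId = viewerId; this.appId = appId;
        }
        /** Classify the call by which ids the token carries, as the reply describes. */
        Kind kind() {
            if (ownerId != null && viewerId != null && appId != null) return Kind.SECURITY_TOKEN;
            if (appId != null && ownerId == null && viewerId == null) return Kind.TWO_LEGGED;
            if (viewerId != null && appId == null) return Kind.THREE_LEGGED;
            return Kind.UNKNOWN;
        }
    }

    // userId -> ids of apps that user has installed (constructed sample site data)
    private final Map<String, Set<String>> installedApps;
    TokenAuthz(Map<String, Set<String>> installedApps) { this.installedApps = installedApps; }
    private boolean hasInstalled(String userId, String appId) {
        return installedApps.getOrDefault(userId, Set.of()).contains(appId);
    }

    /** Site rule for "may this caller read requestedUserId's profile?" (example rules only). */
    boolean canReadProfile(CallerToken t, String requestedUserId) {
        switch (t.kind()) {
            case TWO_LEGGED:     // no human in the loop: release data only to apps the target installed
                return hasInstalled(requestedUserId, t.appId);
            case THREE_LEGGED:   // a user granted the site access: the viewer is the acting person
                return requestedUserId.equals(t.viewerId);
            case SECURITY_TOKEN: // gadget render: own data, or the owner's if the owner installed the app
                return requestedUserId.equals(t.viewerId)
                    || (requestedUserId.equals(t.ownerId) && hasInstalled(t.ownerId, t.appId));
            default:             // deny anything that cannot be classified
                return false;
        }
    }

    public static void main(String[] args) {
        TokenAuthz auth = new TokenAuthz(Map.of("alice", Set.of("app-42")));
        CallerToken twoLegged = new CallerToken(null, null, "app-42");
        System.out.println("2-legged app-42 reading alice: " + auth.canReadProfile(twoLegged, "alice"));
        System.out.println("2-legged app-42 reading bob: " + auth.canReadProfile(twoLegged, "bob"));
        System.out.println("3-legged bob reading alice: "
            + auth.canReadProfile(new CallerToken(null, "bob", null), "alice"));
    }
}
```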

