Posted to dev@shindig.apache.org by Laura Nathanson <la...@gmail.com> on 2009/07/16 23:45:08 UTC

most simple security token?

Hello again,

I'm trying to get an extremely bare implementation of Shindig (php) working
with our social networking site. My goal for now is to get a simple gadget
running: one that prints the gadget owner's name.

I implemented Person service (but no others yet), and I think I'm generating
the gadget iframe url mostly right. I have made an attempt to include an
encrypted token with the gadget url, following along the lines of how it's
done in Partuza. I keep getting back 'invalid token' errors. Until I figure
out where I've gone wrong, I thought I'd just ask: What is the simplest
thing I can get away with to allow this gadget to retrieve data? Do I have
to worry about the OAuth protocol at this point or can that wait?

Laura

Re: most simple security token?

Posted by Chris Chabot <ch...@google.com>.
Hey Laura,

The simplest way of creating a security token is to go for the plain text
one (the owner:viewer:appid:etc type string).

However, you should be able to just directly lift the security token
generating code from partuza and things should just-work. If that's not the
case, chances are that the token cipher and hmac keys are not the same in
your shindig and container code; for shindig's config see
shindig/php/config/container.php:
  'token_cipher_key' => 'INSECURE_DEFAULT_KEY',
  'token_hmac_key' => 'INSECURE_DEFAULT_KEY',

OAuth isn't relevant in this situation, it's just the security token that's
used for the authentication by gadgets.

On Thu, Jul 16, 2009 at 11:45 PM, Laura Nathanson <laura.nathanson@gmail.com> wrote:

> Hello again,
>
> I'm trying to get an extremely bare implementation of Shindig (php) working
> with our social networking site. My goal for now is to get a simple gadget
> running: one that prints the gadget owner's name.
>
> I implemented Person service (but no others yet), and I think I'm generating
> the gadget iframe url mostly right. I have made an attempt to include an
> encrypted token with the gadget url, following along the lines of how it's
> done in Partuza. I keep getting back 'invalid token' errors. Until I figure
> out where I've gone wrong, I thought I'd just ask: What is the simplest
> thing I can get away with to allow this gadget to retrieve data? Do I have
> to worry about the OAuth protocol at this point or can that wait?
>
> Laura
>
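
An added example, not part of the thread and not Shindig's or Partuza's code: a generic encrypt-then-MAC token showing why a token built with one pair of keys is rejected by a server configured with another, which is the mismatch suggested in the reply above. The token layout, the function names (aes_key, make_token, read_token), the key derivation and the sample values are all assumptions made for illustration.

```php
<?php
// Added illustration: a generic encrypt-then-MAC token. This is NOT the
// Shindig/Partuza token format; function names and values are constructed.

function aes_key(string $secret): string {
    return hash('sha256', $secret, true); // 32-byte key; illustrative derivation
}

function make_token(array $fields, string $cipherKey, string $hmacKey): string {
    $plain = implode(':', array_map('rawurlencode', $fields));
    $iv = random_bytes(16);
    $ct = openssl_encrypt($plain, 'aes-256-cbc', aes_key($cipherKey), OPENSSL_RAW_DATA, $iv);
    $mac = hash_hmac('sha256', $iv . $ct, $hmacKey, true); // MAC covers IV + ciphertext
    return base64_encode($iv . $ct . $mac);
}

function read_token(string $token, string $cipherKey, string $hmacKey): array {
    $raw = base64_decode($token, true);
    if ($raw === false || strlen($raw) < 16 + 16 + 32) {
        throw new RuntimeException('invalid token: malformed');
    }
    $iv = substr($raw, 0, 16);
    $ct = substr($raw, 16, -32);
    $mac = substr($raw, -32);
    // Verify the MAC before decrypting, using a constant-time comparison.
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $hmacKey, true), $mac)) {
        throw new RuntimeException('invalid token: HMAC mismatch');
    }
    $plain = openssl_decrypt($ct, 'aes-256-cbc', aes_key($cipherKey), OPENSSL_RAW_DATA, $iv);
    $fields = $plain === false ? [] : explode(':', $plain);
    if (count($fields) !== 3) { // wrong cipher key: bad padding or garbage output
        throw new RuntimeException('invalid token: decrypt failed');
    }
    return array_map('rawurldecode', $fields);
}

// Constructed keys: the container side builds the token, the gadget server reads it.
$token = make_token(['owner42', 'viewer7', 'app1001'], 'container-cipher', 'container-hmac');
$serverConfigs = [
    'same keys'        => ['container-cipher', 'container-hmac'],
    'hmac key differs' => ['container-cipher', 'INSECURE_DEFAULT_KEY'],
    'cipher differs'   => ['INSECURE_DEFAULT_KEY', 'container-hmac'],
];
foreach ($serverConfigs as $label => [$ck, $hk]) {
    try {
        echo $label, ': ', implode(',', read_token($token, $ck, $hk)), "\n";
    } catch (RuntimeException $e) {
        echo $label, ': ', $e->getMessage(), "\n";
    }
}
```

Only the first configuration returns the three fields; a difference in either key is enough to produce an invalid-token error on the verifying side.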