Posted to dev@shindig.apache.org by Nuwan Bandara <ba...@gmail.com> on 2010/02/18 07:57:30 UTC

Clarification on OAuth Gadgets

Hi,

I am in the process of testing OAuth Gadgets in shindig. I managed to get
the sample OAuth gadget (google contacts gadget [1]) working in shindig.
However, if I want to add a gadget which is hosted at
*http://foo.com/bar.xml*, it seems I need to get a consumer key from Google
(thinking that the same contact gadget is hosted in foo.com) and add that to
the *conf/oauth.json*.

This is not practical if the shindig is hosted and open for users to host
gadgets in it. Hence users cannot edit the *oauth.json* file to add the keys
and gadget urls. Is there a solution for this situation?


[1] http://dirk.balfanz.googlepages.com/contacts.xml

Thanks & Regards
-- 
/Nuwan

Re: Clarification on OAuth Gadgets

Posted by Nuwan Bandara <ba...@gmail.com>.
Hi Jesse,

Thanks for the comment and the clarification, hope one of the iGoogle folks
can add a comment to this thread about the implementation.

Thanks & Regards
/Nuwan

-- 
Nuwan Bandara
- www.nuwanbando.com - Stranger Than Fiction

[ http://www.linkedin.com/in/nuwanbandara ]
[ http://www.twitter.com/nuwanbando ]

RE: Clarification on OAuth Gadgets

Posted by "Ciancetta, Jesse E." <jc...@mitre.org>.
Hi Nuwan,

I believe it is possible for a container to negotiate consumer keys and secrets on behalf of gadgets automatically, but it's not something we've looked into implementing in our container yet. We've only got basic OAuth support working so far, which involved writing our own database-backed OAuthStore implementation and providing a UI in our container for gadget developers to specify their consumer keys and secrets when adding gadgets to the repository.

I did happen to notice the following relevant note in the class comments for the OAuthStore interface talking about what data an OAuthStore implementation needs to persist:

"information about consumer keys and secrets that gadgets might have negotiated with OAuth service providers, or that containers might have negotiated on behalf of the gadgets"

It sounds like the iGoogle container has in fact implemented auto-negotiation of consumer keys and secrets for gadgets already.

Maybe some of the folks who work on iGoogle could comment further about how to go about implementing such a feature -- although I suspect the answer may already be spelled out in the OAuth documentation (I haven't gone looking for it yet).

--Jesse


Re: Clarification on OAuth Gadgets

Posted by Nuwan Bandara <ba...@gmail.com>.
Hi jesse,

Thanks for your suggestion, but I am curious, hence iGoogle does not need any
token from the gadget developer to use OAuth gadgets. Which means the gadget
developer can add the *http://foo.com/bar.xml* without any consumer keys or
tokens given to the iGoogle container. How is this possible?

Thanks & Regards
/Nuwan


RE: Clarification on OAuth Gadgets

Posted by "Ciancetta, Jesse E." <jc...@mitre.org>.
Hi Nuwan,

The OAuthStore implementation that ships with Shindig (org.apache.shindig.gadgets.oauth.BasicOAuthStore) uses a JSON-based configuration file for storing consumer keys and secrets and an in-memory map for storing access tokens (which get wiped out every time you restart the servlet container).

To use Shindig OAuth support in a production environment you'll need to provide your own implementation of the org.apache.shindig.gadgets.oauth.OAuthStore interface -- the BasicOAuthStore serves as a good reference for exactly what your implementation will need to do.

You'll also need to provide a mechanism for your gadget developers to register consumer keys and secrets for their gadgets.

--Jesse
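
The kind of database-backed store described in the message above, as an added example (not Shindig code and not its OAuthStore interface): consumer keys are registered per gadget URL and service, access tokens per user, and both survive a restart. The class and table names, the service name `google` and every key and token value are assumptions constructed for illustration.

```python
import sqlite3
import tempfile

SCHEMA = """
CREATE TABLE IF NOT EXISTS consumer (gadget_url TEXT, service TEXT,
  consumer_key TEXT, consumer_secret TEXT, PRIMARY KEY (gadget_url, service));
CREATE TABLE IF NOT EXISTS token (user_id TEXT, gadget_url TEXT, service TEXT,
  access_token TEXT, token_secret TEXT, PRIMARY KEY (user_id, gadget_url, service));
"""

class GadgetOAuthStore:
    """Hypothetical model; not Shindig's OAuthStore interface."""
    def __init__(self, path):
        self.db = sqlite3.connect(path)
        self.db.executescript(SCHEMA)

    def register_consumer(self, gadget_url, service, key, secret):
        with self.db:  # commit, so the entry survives a restart
            self.db.execute("INSERT OR REPLACE INTO consumer VALUES (?,?,?,?)",
                            (gadget_url, service, key, secret))

    def get_consumer(self, gadget_url, service):
        # Exact match on gadget URL: another gadget never sees this secret.
        return self.db.execute(
            "SELECT consumer_key, consumer_secret FROM consumer "
            "WHERE gadget_url=? AND service=?", (gadget_url, service)).fetchone()

    def set_token(self, user, gadget_url, service, token, token_secret):
        with self.db:
            self.db.execute("INSERT OR REPLACE INTO token VALUES (?,?,?,?,?)",
                            (user, gadget_url, service, token, token_secret))

    def get_token(self, user, gadget_url, service):
        return self.db.execute(
            "SELECT access_token, token_secret FROM token WHERE user_id=? "
            "AND gadget_url=? AND service=?", (user, gadget_url, service)).fetchone()

def demo():
    """Constructed values throughout; returns lookups made after a 'restart'."""
    contacts = "http://dirk.balfanz.googlepages.com/contacts.xml"
    path = tempfile.mkstemp(suffix=".db")[1]
    store = GadgetOAuthStore(path)
    store.register_consumer(contacts, "google", "example-key", "example-secret")
    store.set_token("user-1", contacts, "google", "example-token", "example-ts")
    store.db.close()
    store = GadgetOAuthStore(path)  # reopen: stands in for a container restart
    return (store.get_consumer(contacts, "google"),
            store.get_consumer("http://foo.com/bar.xml", "google"),
            store.get_token("user-1", contacts, "google"),
            store.get_token("user-2", contacts, "google"))
```

An unregistered gadget URL or a different user gets `None`, which is the point at which a container would ask the gadget developer to register a key or send the user through authorization.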
