Posted to dev@shindig.apache.org by Anthony Lai <an...@oracle.com> on 2008/08/26 02:43:39 UTC

Restful API -- identify which application using calling the API?

Hi,

  I am currently implementing shindig, and we provide data differently 
to different types of apps (trusted, untrusted), so trusted apps would 
get more privacy data.  For the restful API, is there a way to figure 
out which app is requesting the data?

  Thanks.
Sincerely,
Anthony

Re: Restful API -- identify which application using calling the API?

Posted by Ram Sharma <ra...@gmail.com>.
Hi Weijie,

umm... I am just a contributor on shindig php so don't know about the plans
in detail :) I think Chris has created an issue for implementing the same
and probably he is working on that also. Hope that will be completed soon.

Chris, would you like to say something?


On Mon, Sep 1, 2008 at 2:10 PM, Weijie Qu <qu...@gmail.com> wrote:

> Thanks for your quick response!
>
> If my site is providing the data and data API is exposed as RESTful
> interfaces(I am using php shindig). Just you mentioned above, the GET
> method
> of RESTful interfaces is anonymous access now. So would you pls kindly let
> me know what's the plan of OAuth for Restful API in shindig?  Thanks!
>
> 2008/9/1 Ram Sharma <ra...@gmail.com>
>
> > Hi Weijie,
> >
> > I think, the open social site from which you are planning to fetch data,
> > should support the auth calls that means that site has to be OAuth
> Service
> > Provider and It that site is OAuth SP than it should also provide some
> > documentation about its oauth services.
> >
> > If all of the above are in place than you can easily make oauth gadget to
> > call the data from that site.
> >
> >
> > Please Note: The site on which you are going to post gadget should also
> > support auth calls from gadgets.
> >
> > Chris, Please put your feedbacks too :)
> >
> > On Sun, Aug 31, 2008 at 7:45 PM, Weijie Qu <qu...@gmail.com> wrote:
> >
> > > Hi Chris & Ram,
> > >
> > > If don't not use direct url call such as
> > > http://localhost:8012/social/rest/people/10050/@self, is there any
> other
> > > Restful way which is supported by OAuth?
> > >
> > > I want to post a gadget  on an opensocial enabled site to fetch data
> from
> > > another opensocial enabled site, both using shindig. Any suggestions on
> > how
> > > to achieve this?
> > >
> > > 2008/8/28 Chris Chabot <ch...@xs4all.nl>
> > >
> > > > On Aug 28, 2008, at 7:14 AM, Ram Sharma wrote:
> > > >
> > > >  Restful API are not fully implemented for direct url call as that
> will
> > > >> need
> > > >> OAuth support. In that case OAuth token will be passed to identify
> > > >> application's authenticity. Right now no authentication is done in
> > > direct
> > > >> url calls like :
> > > >> http://localhost:8012/social/rest/people/10050/@self
> > > >> Which are known as anonyms calls and allowed till the OAuth support
> is
> > > >> implemented. but when you run any container for example sample
> > container
> > > >> it sends the
> > > >> security token to the server.
> > > >>
> > > >> Chris please correct me if I am wrong.
> > > >>
> > > >
> > > > Your absolutely 100% correct.
> > > >
> > > > What i did to test some of the RESTful calls as non anonymous owner,
> is
> > > set
> > > > allow_plaintext_token to true and construct my own owner:viewer:etc
> > type
> > > > token, or taking a valid encrypted security token from an iframe
> > > (st=<lots
> > > > of text>), that way you can debug and play with all the functionality
> > > > without having to wait for oauth to be completed.
> > > >
> > > >        -- Chris
> > > >
> > >
> >
> >
> >
> >  --
> > Ram Sharma
> > Software Engineer
> > Impetus Infotech (India) Pvt Ltd
> > Indore
> >
>



-- 
Ram Sharma
Software Engineer
Impetus Infotech (India) Pvt Ltd
Indore

Re: Restful API -- identify which application using calling the API?

Posted by Weijie Qu <qu...@gmail.com>.
Thanks for your quick response!

If my site is providing the data and the data API is exposed as RESTful
interfaces (I am using php shindig). Just as you mentioned above, the GET method
of the RESTful interfaces is anonymous access now. So would you please kindly let
me know what's the plan for OAuth for the Restful API in shindig?  Thanks!

2008/9/1 Ram Sharma <ra...@gmail.com>

> Hi Weijie,
>
> I think, the open social site from which you are planning to fetch data,
> should support the auth calls that means that site has to be OAuth Service
> Provider and It that site is OAuth SP than it should also provide some
> documentation about its oauth services.
>
> If all of the above are in place than you can easily make oauth gadget to
> call the data from that site.
>
>
> Please Note: The site on which you are going to post gadget should also
> support auth calls from gadgets.
>
> Chris, Please put your feedbacks too :)
>
> On Sun, Aug 31, 2008 at 7:45 PM, Weijie Qu <qu...@gmail.com> wrote:
>
> > Hi Chris & Ram,
> >
> > If don't not use direct url call such as
> > http://localhost:8012/social/rest/people/10050/@self, is there any other
> > Restful way which is supported by OAuth?
> >
> > I want to post a gadget  on an opensocial enabled site to fetch data from
> > another opensocial enabled site, both using shindig. Any suggestions on
> how
> > to achieve this?
> >
> > 2008/8/28 Chris Chabot <ch...@xs4all.nl>
> >
> > > On Aug 28, 2008, at 7:14 AM, Ram Sharma wrote:
> > >
> > >  Restful API are not fully implemented for direct url call as that will
> > >> need
> > >> OAuth support. In that case OAuth token will be passed to identify
> > >> application's authenticity. Right now no authentication is done in
> > direct
> > >> url calls like :
> > >> http://localhost:8012/social/rest/people/10050/@self
> > >> Which are known as anonyms calls and allowed till the OAuth support is
> > >> implemented. but when you run any container for example sample
> container
> > >> it sends the
> > >> security token to the server.
> > >>
> > >> Chris please correct me if I am wrong.
> > >>
> > >
> > > Your absolutely 100% correct.
> > >
> > > What i did to test some of the RESTful calls as non anonymous owner, is
> > set
> > > allow_plaintext_token to true and construct my own owner:viewer:etc
> type
> > > token, or taking a valid encrypted security token from an iframe
> > (st=<lots
> > > of text>), that way you can debug and play with all the functionality
> > > without having to wait for oauth to be completed.
> > >
> > >        -- Chris
> > >
> >
>
>
>
>  --
> Ram Sharma
> Software Engineer
> Impetus Infotech (India) Pvt Ltd
> Indore
>

Re: Restful API -- identify which application using calling the API?

Posted by Ram Sharma <ra...@gmail.com>.
Hi Weijie,

I think the open social site from which you are planning to fetch data
should support the auth calls; that means that site has to be an OAuth Service
Provider, and if that site is an OAuth SP then it should also provide some
documentation about its oauth services.

If all of the above are in place then you can easily make an oauth gadget to
call the data from that site.


Please Note: The site on which you are going to post the gadget should also
support auth calls from gadgets.

Chris, please put your feedback too :)

On Sun, Aug 31, 2008 at 7:45 PM, Weijie Qu <qu...@gmail.com> wrote:

> Hi Chris & Ram,
>
> If don't not use direct url call such as
> http://localhost:8012/social/rest/people/10050/@self, is there any other
> Restful way which is supported by OAuth?
>
> I want to post a gadget  on an opensocial enabled site to fetch data from
> another opensocial enabled site, both using shindig. Any suggestions on how
> to achieve this?
>
> 2008/8/28 Chris Chabot <ch...@xs4all.nl>
>
> > On Aug 28, 2008, at 7:14 AM, Ram Sharma wrote:
> >
> >  Restful API are not fully implemented for direct url call as that will
> >> need
> >> OAuth support. In that case OAuth token will be passed to identify
> >> application's authenticity. Right now no authentication is done in
> direct
> >> url calls like :
> >> http://localhost:8012/social/rest/people/10050/@self
> >> Which are known as anonyms calls and allowed till the OAuth support is
> >> implemented. but when you run any container for example sample container
> >> it sends the
> >> security token to the server.
> >>
> >> Chris please correct me if I am wrong.
> >>
> >
> > Your absolutely 100% correct.
> >
> > What i did to test some of the RESTful calls as non anonymous owner, is
> set
> > allow_plaintext_token to true and construct my own owner:viewer:etc type
> > token, or taking a valid encrypted security token from an iframe
> (st=<lots
> > of text>), that way you can debug and play with all the functionality
> > without having to wait for oauth to be completed.
> >
> >        -- Chris
> >
>



-- 
Ram Sharma
Software Engineer
Impetus Infotech (India) Pvt Ltd
Indore

Re: Restful API -- identify which application using calling the API?

Posted by Weijie Qu <qu...@gmail.com>.
Hi Chris & Ram,

If I do not use a direct url call such as
http://localhost:8012/social/rest/people/10050/@self, is there any other
Restful way which is supported by OAuth?

I want to post a gadget on an opensocial enabled site to fetch data from
another opensocial enabled site, both using shindig. Any suggestions on how
to achieve this?

2008/8/28 Chris Chabot <ch...@xs4all.nl>

> On Aug 28, 2008, at 7:14 AM, Ram Sharma wrote:
>
>  Restful API are not fully implemented for direct url call as that will
>> need
>> OAuth support. In that case OAuth token will be passed to identify
>> application's authenticity. Right now no authentication is done in direct
>> url calls like :
>> http://localhost:8012/social/rest/people/10050/@self
>> Which are known as anonyms calls and allowed till the OAuth support is
>> implemented. but when you run any container for example sample container
>> it sends the
>> security token to the server.
>>
>> Chris please correct me if I am wrong.
>>
>
> Your absolutely 100% correct.
>
> What i did to test some of the RESTful calls as non anonymous owner, is set
> allow_plaintext_token to true and construct my own owner:viewer:etc type
> token, or taking a valid encrypted security token from an iframe (st=<lots
> of text>), that way you can debug and play with all the functionality
> without having to wait for oauth to be completed.
>
>        -- Chris
>

Re: Restful API -- identify which application using calling the API?

Posted by Ram Sharma <ra...@gmail.com>.
Hi Anthony,

In an OAuth request, the application which is trying to fetch data actually gets
authenticated and that application gets an OAuth token. This token is used
by the application for fetching the data from the Restful API. When the
application makes a request for data with the access token, then the service
provider verifies the token for its validity and accuracy. In shindig the OAuth
token will be somewhat like the security token, which will consist of userId,
applicationId and some other information also.

Chris, please correct me if I am wrong :)

On Wed, Sep 3, 2008 at 12:26 AM, Anthony Lai <an...@oracle.com>wrote:

> Hi,
>
>  I thought OAuth authenticates the user only.  How can we tell which app is
> calling the Restful API?  Will there be support for that?
>
>  Thanks.
> Sincerely,
> Anthony
>
>
>
> Chris Chabot wrote:
>
>> On Aug 28, 2008, at 7:14 AM, Ram Sharma wrote:
>>
>>  Restful API are not fully implemented for direct url call as that will
>>> need
>>> OAuth support. In that case OAuth token will be passed to identify
>>> application's authenticity. Right now no authentication is done in direct
>>> url calls like :
>>> http://localhost:8012/social/rest/people/10050/@self
>>> Which are known as anonyms calls and allowed till the OAuth support is
>>> implemented. but when you run any container for example sample container
>>> it sends the
>>> security token to the server.
>>>
>>> Chris please correct me if I am wrong.
>>>
>>
>> Your absolutely 100% correct.
>>
>> What i did to test some of the RESTful calls as non anonymous owner, is
>> set allow_plaintext_token to true and construct my own owner:viewer:etc type
>> token, or taking a valid encrypted security token from an iframe (st=<lots
>> of text>), that way you can debug and play with all the functionality
>> without having to wait for oauth to be completed.
>>
>>    -- Chris
>>
>>
>


-- 
Ram Sharma
Software Engineer
Impetus Infotech (India) Pvt Ltd
Indore
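
The idea in the message above (a verified token that carries both a userId and an applicationId, so the API can decide how much data the calling app receives), sketched as an added example that is not part of the original thread and not Shindig's own code. The token layout, the HMAC key, the `TRUSTED_APPS` set and the field names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"        # assumption: loaded from a secret store in practice
TRUSTED_APPS = {"app-trusted"}          # hypothetical registry of trusted appIds
PUBLIC_FIELDS = {"id", "displayName"}
PRIVATE_FIELDS = PUBLIC_FIELDS | {"email", "birthday"}
SAMPLE_PERSON = {"id": "10050", "displayName": "Constructed User",   # constructed record
                 "email": "user@example.invalid", "birthday": "1980-01-01"}

def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user_id, app_id, ttl=300):
    """Container side: bind userId and appId together under one MAC."""
    claims = {"userId": user_id, "appId": app_id, "exp": int(time.time()) + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(sig)

def verify_token(token):
    """API side: return the claims, or None for missing, forged or expired tokens."""
    if not token:
        return None                     # anonymous call: no identity at all
    try:
        body, sig = token.split(".")
        payload = b64d(body)
        expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64d(sig)):
            return None                 # payload was not issued with our key
        claims = json.loads(payload)
    except ValueError:
        return None                     # malformed base64, JSON or token shape
    if claims["exp"] < time.time():
        return None                     # expired token
    return claims

def get_person(person, token):
    """Return (status, body); the field set depends on the verified appId."""
    claims = verify_token(token)
    if claims is None:
        return 401, {}                  # reject instead of serving anonymously
    trusted = claims["appId"] in TRUSTED_APPS
    allowed = PRIVATE_FIELDS if trusted else PUBLIC_FIELDS
    return 200, {k: v for k, v in person.items() if k in allowed}
```

Because the appId sits inside the authenticated payload, a caller cannot raise its own trust level by editing the token, and a request with no token gets no data rather than the anonymous response described in the thread.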

Re: Restful API -- identify which application using calling the API?

Posted by Anthony Lai <an...@oracle.com>.
Hi,

  I thought OAuth authenticates the user only.  How can we tell which 
app is calling the Restful API?  Will there be support for that?

  Thanks.
Sincerely,
Anthony


Chris Chabot wrote:
> On Aug 28, 2008, at 7:14 AM, Ram Sharma wrote:
>
>> Restful API are not fully implemented for direct url call as that 
>> will need
>> OAuth support. In that case OAuth token will be passed to identify
>> application's authenticity. Right now no authentication is done in 
>> direct
>> url calls like :
>> http://localhost:8012/social/rest/people/10050/@self
>> Which are known as anonyms calls and allowed till the OAuth support is
>> implemented. but when you run any container for example sample 
>> container it sends the
>> security token to the server.
>>
>> Chris please correct me if I am wrong.
>
> Your absolutely 100% correct.
>
> What i did to test some of the RESTful calls as non anonymous owner, 
> is set allow_plaintext_token to true and construct my own 
> owner:viewer:etc type token, or taking a valid encrypted security 
> token from an iframe (st=<lots of text>), that way you can debug and 
> play with all the functionality without having to wait for oauth to be 
> completed.
>
>     -- Chris
>


Re: Restful API -- identify which application using calling the API?

Posted by Chris Chabot <ch...@xs4all.nl>.
On Aug 28, 2008, at 7:14 AM, Ram Sharma wrote:

> Restful API are not fully implemented for direct url call as that  
> will need
> OAuth support. In that case OAuth token will be passed to identify
> application's authenticity. Right now no authentication is done in  
> direct
> url calls like :
> http://localhost:8012/social/rest/people/10050/@self
> Which are known as anonyms calls and allowed till the OAuth support is
> implemented. but when you run any container for example sample  
> container it sends the
> security token to the server.
>
> Chris please correct me if I am wrong.

You're absolutely 100% correct.

What I did to test some of the RESTful calls as a non-anonymous owner
is set allow_plaintext_token to true and construct my own
owner:viewer:etc type token, or take a valid encrypted security
token from an iframe (st=<lots of text>); that way you can debug and
play with all the functionality without having to wait for oauth to be
completed.

	-- Chris

Re: Restful API -- identify which application using calling the API?

Posted by Ram Sharma <ra...@gmail.com>.
Hi Anthony,

The Restful APIs are not fully implemented for direct url calls as that will need
OAuth support. In that case an OAuth token will be passed to identify the
application's authenticity. Right now no authentication is done in direct
url calls like:

http://localhost:8012/social/rest/people/10050/@self

These are known as anonymous calls and are allowed till the OAuth support is
implemented.

But when you run any container, for example the sample container, it sends the
security token to the server.

Chris, please correct me if I am wrong.

On Thu, Aug 28, 2008 at 6:38 AM, Anthony Lai <an...@oracle.com>wrote:

> Hi Ram,
>
>  But for the restful api, as least when I am  using it right now in my
> shindig build, I do not need to pass any tokens, and data can be returned.
>  For example, when I put:
>
> http://localhost:8012/social/rest/people/10050/@self
>
>  It returns the person with id 10050.  How are tokens being passed to
> Shindig for restful apis?
>
>  Thanks.
> Sincerely,
> Anthony
>
>
> Ram Sharma wrote:
>
>> Hi Anthony,
>>
>> When ever you make a call to Shindig you have to pass a Security token(or
>> OAuth token). That token contains the appId and may be the URL of the
>> gadget
>> also. So, I think that way you can Identify which application/gadget is
>> making the request.
>>
>> hope that helps.
>>
>> Anybody feels I am wrong please correct me.
>>
>>
>>
>>
>> On Tue, Aug 26, 2008 at 6:13 AM, Anthony Lai <anthony.s.lai@oracle.com
>> >wrote:
>>
>>
>>
>>> Hi,
>>>
>>>  I am currently implementing shindig, and we provide data differently to
>>> different types of apps (trusted, untrusted), so trusted apps would get
>>> more
>>> privacy data.  For the restful API, is there a way to figure out which
>>> app
>>> is requesting the data?
>>>
>>>  Thanks.
>>> Sincerely,
>>> Anthony
>>>
>>>
>>>
>>
>>
>>
>>
>>
>
>


-- 
Ram Sharma
Software Engineer
Impetus Infotech (India) Pvt Ltd
Indore

Re: Restful API -- identify which application using calling the API?

Posted by Anthony Lai <an...@oracle.com>.
Hi Ram,

  But for the restful api, at least when I am using it right now in my
shindig build, I do not need to pass any tokens, and data can be
returned.  For example, when I put:

http://localhost:8012/social/rest/people/10050/@self

  It returns the person with id 10050.  How are tokens being passed to 
Shindig for restful apis?

  Thanks.
Sincerely,
Anthony

Ram Sharma wrote:
> Hi Anthony,
>
> When ever you make a call to Shindig you have to pass a Security token(or
> OAuth token). That token contains the appId and may be the URL of the gadget
> also. So, I think that way you can Identify which application/gadget is
> making the request.
>
> hope that helps.
>
> Anybody feels I am wrong please correct me.
>
>
>
>
> On Tue, Aug 26, 2008 at 6:13 AM, Anthony Lai <an...@oracle.com>wrote:
>
>   
>> Hi,
>>
>>  I am currently implementing shindig, and we provide data differently to
>> different types of apps (trusted, untrusted), so trusted apps would get more
>> privacy data.  For the restful API, is there a way to figure out which app
>> is requesting the data?
>>
>>  Thanks.
>> Sincerely,
>> Anthony
>>
>>     
>
>
>
>   


Re: Restful API -- identify which application using calling the API?

Posted by Ram Sharma <ra...@gmail.com>.
Hi Anthony,

Whenever you make a call to Shindig you have to pass a security token (or
OAuth token). That token contains the appId and maybe the URL of the gadget
also. So, I think that way you can identify which application/gadget is
making the request.

Hope that helps.

If anybody feels I am wrong, please correct me.




On Tue, Aug 26, 2008 at 6:13 AM, Anthony Lai <an...@oracle.com>wrote:

> Hi,
>
>  I am currently implementing shindig, and we provide data differently to
> different types of apps (trusted, untrusted), so trusted apps would get more
> privacy data.  For the restful API, is there a way to figure out which app
> is requesting the data?
>
>  Thanks.
> Sincerely,
> Anthony
>



-- 
Ram Sharma
Software Engineer
Impetus Infotech (India) Pvt Ltd
Indore