Posted to dev@shindig.apache.org by "Brian Eaton (JIRA)" <ji...@apache.org> on 2008/06/15 00:09:45 UTC

[jira] Closed: (SHINDIG-338) OAuth consumer information should come from gadget spec, not from OAuth store

     [ https://issues.apache.org/jira/browse/SHINDIG-338?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brian Eaton closed SHINDIG-338.
-------------------------------

    Resolution: Fixed

Fixed in r667890.  Thanks Dirk!

> OAuth consumer information should come from gadget spec, not from OAuth store
> -----------------------------------------------------------------------------
>
>                 Key: SHINDIG-338
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-338
>             Project: Shindig
>          Issue Type: Improvement
>          Components: Gadget Rendering Server (Java)
>            Reporter: Dirk Balfanz
>            Assignee: Brian Eaton
>         Attachments: leaner-token-store.txt, leaner-token-store2.txt, leaner-token-store3.txt
>
>
> Currently, the consumer information for OAuth (access URL, request URL, authorize URL, etc.) is read from the oauth.json file at startup and then put into the OAuth store. At runtime, the information is then read back out of the OAuth store (instead of getting it directly from the (cached) gadget spec). This has several disadvantages: 
> (1) If one of the gadgets in oauth.json is not accessible at startup time, shindig fails to start (we need to fetch the gadget spec to find out the consumer information)
> (2) A gadget that doesn't want to use its own consumer key and secret (but wants to use shindig's mechanism to use a default key and secret) must still be listed in the oauth.json file, even though conceptually there is no reason to do so.
> Attached is a patch that changes the OAuthStore interface and the semantics of one of the methods: Instead of expecting the oauth store to know the consumer information, and using that stored information to construct an OAuthAccessor (a data structure used to sign OAuth requests), we now pass the consumer information into that method call. The OAuth store is simply expected to know the consumer key and secret. It will combine the public consumer information (passed into the method call) with the stored non-public information (consumer key and secret) to create the OAuthAccessor data structure. At runtime, we will obtain the public consumer information from the (cached) gadget spec.
> The patch also contains changes that allow makeRequest to forward to the proxy servlet whether or not the user requested bypassing of the spec cache.
>   

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
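
The interface change described in the issue above, as an added Java sketch that is not Shindig's code or the attached patch: the store keeps only consumer keys and secrets, and the endpoint URLs arrive as an argument taken from the gadget spec. All class, method and URL names are hypothetical, the values are constructed, and the records need Java 16 or later.

```java
import java.util.HashMap;
import java.util.Map;

// Added sketch with hypothetical names; this is not Shindig's OAuthStore interface.
public class LeanStoreSketch {
    // Public consumer information: read from the (cached) gadget spec per request.
    record ServiceInfo(String requestUrl, String authorizeUrl, String accessUrl) {}

    // Non-public consumer information: the only thing the store keeps.
    record Consumer(String key, String secret) {}

    // Stand-in for the structure used to sign OAuth requests.
    record Accessor(ServiceInfo service, Consumer consumer) {}

    static class Store {
        private final Map<String, Consumer> perGadget = new HashMap<>();
        private final Consumer fallback; // container-wide default key and secret

        Store(Consumer fallback) { this.fallback = fallback; }

        // Registering a secret needs no network access and no gadget spec fetch.
        void register(String gadgetUrl, Consumer consumer) { perGadget.put(gadgetUrl, consumer); }

        // The caller passes in the public half; the store contributes only the secret half.
        Accessor accessorFor(String gadgetUrl, ServiceInfo fromSpec) {
            if (fromSpec == null) throw new IllegalArgumentException("spec has no OAuth service");
            return new Accessor(fromSpec, perGadget.getOrDefault(gadgetUrl, fallback));
        }
    }

    public static void main(String[] args) {
        Store store = new Store(new Consumer("container-default", "constructed-secret-0"));
        store.register("http://gadgets.example/a.xml", new Consumer("gadget-a", "constructed-secret-a"));

        // Constructed endpoint values, as a spec parser would hand them over at runtime.
        ServiceInfo svc = new ServiceInfo("https://sp.example/request",
                "https://sp.example/authorize", "https://sp.example/access");

        Accessor listed = store.accessorFor("http://gadgets.example/a.xml", svc);
        Accessor unlisted = store.accessorFor("http://gadgets.example/b.xml", svc);
        System.out.println(listed.consumer().key() + " -> " + listed.service().accessUrl());
        System.out.println(unlisted.consumer().key() + " -> " + unlisted.service().accessUrl());
    }
}
```

The unlisted gadget resolves to the container default without any store entry, and constructing the store touches no gadget URL, which are the two disadvantages the issue lists.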