Posted to dev@shindig.apache.org by Dennis Ju <de...@liferay.com> on 2011/10/09 19:57:39 UTC

Re: Allowing non-page owners to approve OAuth access token?

Anyone have thoughts on this? Would really appreciate the help.

Thanks,
Dennis

On Thu, Sep 29, 2011 at 5:37 PM, Dennis Ju <de...@liferay.com> wrote:

> Hello,
>
> I want to allow viewers to approve OAuth tokens for pages where they are
> not the owner. Basically, we have a requirement to allow users to view OAuth
> gadgets on a shared page.
>
> I set "shindig.signing.viewer-access-tokens-enabled=true" in
> shindig.properties "to allow the use of 3-legged OAuth tokens when viewer !=
> owner" (per the description).
>
> However, when the OAuth request is being made, I still get the error
> "Client state belongs to a different person ...".
> OAuthRequest.checkCanApprove() checks to see if the clientState owner is the
> same as the page viewer, so even if I make the above change in
> shindig.properties, I cannot approve access tokens.
>
> The description of checkCanApprove() says "At the moment we restrict this
> to page owner's viewing their own pages." How do I
> get shindig.signing.viewer-access-tokens-enabled=true to take effect? Or is
> this not supported yet?
>
> Thanks!
> Dennis
>




Re: Allowing non-page owners to approve OAuth access token?

Posted by Dennis Ju <de...@liferay.com>.
Okay, one more try to get feedback on this. Perhaps a more specific
question will help:

Even with "shindig.signing.viewer-access-tokens-enabled=true" in
shindig.properties, OAuthRequest.checkCanApprove() will throw an exception
when it does the check:
"if (stateOwner != null && !stateOwner.equals(pageViewer)) {"

The stateOwner is retrieved from OAuthClientState clientState when
retrieving the access token and OAuthRequest.buildClientAccessState() is
called, specifically:
responseParams.getNewClientState().setOwner(realRequest.getSecurityToken().getOwnerId());
Since clientState is set to the owner of the securityToken, checkCanApprove
will always throw an exception if viewer != owner.

That being said, my questions are:

1) Does the current implementation intentionally not support
"shindig.signing.viewer-access-tokens-enabled=true"?

2) If so, what are the potential dangers if I remove the check in
OAuthRequest.checkCanApprove:
"if (stateOwner != null && !stateOwner.equals(pageViewer)) {"

TIA for any light on the matter,
Dennis




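The following is an added illustration, not Shindig code and not from the thread's author: a minimal model of the invariant that the quoted `checkCanApprove()` check enforces, written to show what question 2 is asking about. Only the quoted condition and the error message come from the thread; the classes `SecurityToken`, `ClientState`, the `tokenStore` map and the `approve*` methods are hypothetical stand-ins, and the assumption that an approved token is stored under the client-state owner is the model's, derived from the thread's statement that the state owner is set from `getSecurityToken().getOwnerId()`.

```java
// Added model of the ownership check behind OAuthRequest.checkCanApprove().
// Everything except the quoted condition and message is hypothetical.
import java.util.HashMap;
import java.util.Map;

public class ApprovalCheckDemo {

    /** Stand-in for the gadget security token: page owner and current viewer. */
    static final class SecurityToken {
        final String ownerId;
        final String viewerId;
        SecurityToken(String ownerId, String viewerId) {
            this.ownerId = ownerId;
            this.viewerId = viewerId;
        }
    }

    /** Stand-in for OAuthClientState: the request token plus the identity it was issued for. */
    static final class ClientState {
        final String requestToken;
        final String owner;
        ClientState(String requestToken, String owner) {
            this.requestToken = requestToken;
            this.owner = owner;
        }
    }

    /** Assumed store of approved access tokens, keyed by the user they belong to. */
    static final Map<String, String> tokenStore = new HashMap<>();

    /** Models buildClientAccessState(): the state is bound to the security token's owner. */
    static ClientState buildClientAccessState(SecurityToken token, String requestToken) {
        return new ClientState(requestToken, token.ownerId);
    }

    /** The check quoted in the thread: whoever completes the approval must be the identity the state was issued for. */
    static void checkCanApprove(ClientState state, SecurityToken token) {
        String stateOwner = state.owner;
        String pageViewer = token.viewerId;
        if (stateOwner != null && !stateOwner.equals(pageViewer)) {
            throw new SecurityException("Client state belongs to a different person");
        }
    }

    /** Approval flow with the check in place. */
    static void approve(ClientState state, SecurityToken token, String accessToken) {
        checkCanApprove(state, token);
        tokenStore.put(state.owner, accessToken);
    }

    /** The same flow with the check deleted, as question 2 asks about. */
    static void approveWithoutCheck(ClientState state, String accessToken) {
        tokenStore.put(state.owner, accessToken);
    }

    public static void main(String[] args) {
        // Case 1: the owner views her own page, so state owner == viewer and approval succeeds.
        SecurityToken ownerView = new SecurityToken("alice", "alice");
        ClientState s1 = buildClientAccessState(ownerView, "reqtoken-1");
        approve(s1, ownerView, "access-token-for-alice");
        System.out.println("alice's stored token: " + tokenStore.get("alice"));

        // Case 2: bob views alice's shared page; the state is bound to alice, the viewer is bob.
        SecurityToken sharedView = new SecurityToken("alice", "bob");
        ClientState s2 = buildClientAccessState(sharedView, "reqtoken-2");
        try {
            approve(s2, sharedView, "access-token-obtained-in-bob-session");
        } catch (SecurityException e) {
            System.out.println("bob's approval refused: " + e.getMessage());
        }

        // Case 3: same situation with the check removed. The token obtained during bob's
        // session is now filed under alice, and alice's earlier token is overwritten.
        approveWithoutCheck(s2, "access-token-obtained-in-bob-session");
        System.out.println("alice's stored token after unchecked approval: " + tokenStore.get("alice"));
    }
}
```

Under these assumptions the model shows the mismatch the thread describes: the state carries the owner's id while the check compares it with the viewer's id, so on a shared page the two never agree. It also shows why simply deleting the condition is a different change from enabling viewer tokens: without the check, an approval completed in one user's session is recorded under another user's identity, so either the stored token must be keyed to the identity that actually approved it, or the check must stay.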