Posted to dev@shindig.apache.org by Taylor Singletary <ts...@linkedin.com> on 2009/02/04 17:32:33 UTC

Enabling OAuth support for /social/rpc endpoints

Hi Shindig-Dev,

I am trying to determine how to enable OAuth support for the /social/rpc
endpoint. We've already enabled OAuth support for the usual /social/rest
endpoint, but are interested in allowing batched calls using OAuth.

What I'm having trouble figuring out is:
  1) How to enable OAuth as a valid form of authentication for /social/rpc
  2) Tying the xoauth_requestor_id used in the OAuth call to all operations
in the batch
  3) And finally, supporting operation-specific OAuth tokens such that
Operation #1 would use token "abcdefg" and Operation #2 would use token
"bcdefgh", etc. -- and how to enable this without requiring
xoauth_requestor_id to be used as well.

The RPC documentation suggests that this is possible:
"OAuth is supported for authentication and authorization in addition to
other authorization schemes a container may choose to support. A single
OAuth token can be used for a batch of operations or each operation can
specify its own OAuth token."
http://www.opensocial.org/Technical-Resources/opensocial-spec-v081/rpc-protocol.html

If someone could please help point me in the right direction, it would be
much appreciated. 

Thanks,
Taylor Singletary

Re: Enabling OAuth support for /social/rpc endpoints

Posted by Taylor Singletary <ts...@linkedin.com>.
Thanks for the reply all.

The use case for per-token would be batch posting to activity streams  
for multiple users in a paginated manner, likely as a cron job.  
Posting to the activity stream one by one when you have potentially  
thousands to deliver for a user base requires many http requests.

There are others, like bulk updating server side caches as nightly  
processes with social data requests.

Taylor

On Feb 13, 2009, at 5:05 PM, "Chris Chabot" <ch...@google.com> wrote:

> Right now the assumption is that with a RPC request, the request body is
> also part of the signature; This guarantees that the request hasn't been
> tampered with and works quite well in most cases, where the requestor is
> always the same person and working in the same context in the batch.
>
> Now the spec does indeed say that it should be possible to have an oauth
> token per request entry in the batch, however as far as I'm aware there's no
> real life implementations of this; However if I remember correctly, Brian
> Eaton was involved in thinking that up, and if not he or Louis (the father
> of the RPC spec :) might be able to point us to the right person who knows
> more about the intention behind this; And if the xoauth_requestor_id
> situation has been thought of in the 2 legged oauth / json-rpc / oauth
> record per request situation.
>
> There hasn't been any real demand for it yet, do you have a specific
> use-case in mind for this btw? At the moment all possible applications I've
> seen were fine under the assumption that the batch is all within the same
> context.
>
>   -- Chris
>
> On Wed, Feb 4, 2009 at 5:32 PM, Taylor Singletary
> <ts...@linkedin.com> wrote:
>
>> Hi Shindig-Dev,
>>
>> I am trying to determine how to enable OAuth support for the /social/rpc
>> endpoint. We've already enabled OAuth support for the usual /social/rest
>> endpoint, but are interested in allowing batched calls using OAuth.
>>
>> What I'm having trouble figuring out is:
>> 1) How to enable OAuth as a valid form of authentication for /social/rpc
>> 2) Tying the xoauth_requestor_id used in the OAuth call to all operations
>> in the batch
>> 3) And finally, supporting operation-specific OAuth tokens such that
>> Operation #1 would use token "abcdefg" and Operation #2 would use token
>> "bcdefgh", etc. -- and how to enable this without requiring
>> xoauth_requestor_id to be used as well.
>>
>> The RPC documentation suggests that this is possible:
>> "OAuth is supported for authentication and authorization in addition to
>> other authorization schemes a container may choose to support. A single
>> OAuth token can be used for a batch of operations or each operation can
>> specify its own OAuth token."
>>
>> http://www.opensocial.org/Technical-Resources/opensocial-spec-v081/rpc-protocol.html
>>
>> If someone could please help point me in the right direction, it would be
>> much appreciated.
>>
>> Thanks,
>> Taylor Singletary
>>

Re: Enabling OAuth support for /social/rpc endpoints

Posted by Chris Chabot <ch...@google.com>.
Right now the assumption is that with a RPC request, the request body is
also part of the signature; This guarantees that the request hasn't been
tampered with and works quite well in most cases, where the requestor is
always the same person and working in the same context in the batch.

Now the spec does indeed say that it should be possible to have an oauth
token per request entry in the batch, however as far as I'm aware there's no
real life implementations of this; However if I remember correctly, Brian
Eaton was involved in thinking that up, and if not he or Louis (the father
of the RPC spec :) might be able to point us to the right person who knows
more about the intention behind this; And if the xoauth_requestor_id
situation has been thought of in the 2 legged oauth / json-rpc / oauth
record per request situation.

There hasn't been any real demand for it yet, do you have a specific
use-case in mind for this btw? At the moment all possible applications I've
seen were fine under the assumption that the batch is all within the same
context.

   -- Chris

On Wed, Feb 4, 2009 at 5:32 PM, Taylor Singletary
<ts...@linkedin.com> wrote:

> Hi Shindig-Dev,
>
> I am trying to determine how to enable OAuth support for the /social/rpc
> endpoint. We've already enabled OAuth support for the usual /social/rest
> endpoint, but are interested in allowing batched calls using OAuth.
>
> What I'm having trouble figuring out is:
>  1) How to enable OAuth as a valid form of authentication for /social/rpc
>  2) Tying the xoauth_requestor_id used in the OAuth call to all operations
> in the batch
>  3) And finally, supporting operation-specific OAuth tokens such that
> Operation #1 would use token "abcdefg" and Operation #2 would use token
> "bcdefgh", etc. -- and how to enable this without requiring
> xoauth_requestor_id to be used as well.
>
> The RPC documentation suggests that this is possible:
> "OAuth is supported for authentication and authorization in addition to
> other authorization schemes a container may choose to support. A single
> OAuth token can be used for a batch of operations or each operation can
> specify its own OAuth token."
>
> http://www.opensocial.org/Technical-Resources/opensocial-spec-v081/rpc-protocol.html
>
> If someone could please help point me in the right direction, it would be
> much appreciated.
>
> Thanks,
> Taylor Singletary
>

Re: Enabling OAuth support for /social/rpc endpoints

Posted by Brian Eaton <be...@google.com>.
While we're on the topic of tightening up the spec... what's the state
of this language?

"When OAuth is used for authorization on a single RPC the OAuth
signature uses the URL Addressing representation of the request
without the auth param to calculate the signature base string.
When OAuth is used for authorization on a batch of RPCs the generation
of the OAuth signature base string uses the same technique as URL
Addressing to convert a sub-request into a list of query parameters
with the addition of adding the method field into the query parameter
list. Each parameter in the query string is prepended with the id of
the sub-request for which it was generated and '.'. The conversion
for Example 2.2 would look like:

a9fd76.method=people.get&a9fd76.id=a9fd76&a9fd76.params.userId=@me&e453a.method=people.get&e453a.id=e453a&e453a.params.userId=@me&e453a.params.groupId=@friends"

AFAICT that isn't implemented in Shindig, and it seems like the
implementation would be a pain.

Implementing a simple SHA1 hash of the raw request body would be
easier.  There is a rough OAuth spec for that.  The roughness can be
smoothed out without too much trouble:
http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/drafts/1/spec.html

Cheers,
Brian




On Fri, Feb 13, 2009 at 4:22 PM, Arne Roomann-Kurrik <ku...@google.com> wrote:
> Working with the client libraries, I also wondered about these things.  Are
> these cases where the spec needs to be tightened up?
>
> ~Arne
>
>
>
> On Fri, Feb 13, 2009 at 4:05 PM, Taylor Singletary <tsingletary@linkedin.com> wrote:
>
>> Hi Everyone,
>>
>> I didn't get any bites on this. Am I just not making any sense? :)
>>
>> Thanks,
>> Taylor
>>
>>
>> On 2/4/09 8:32 AM , "Taylor Singletary" <ts...@linkedin.com> wrote:
>>
>> > Hi Shindig-Dev,
>> >
>> > I am trying to determine how to enable OAuth support for the /social/rpc
>> > endpoint. We've already enabled OAuth support for the usual /social/rest
>> > endpoint, but are interested in allowing batched calls using OAuth.
>> >
>> > What I'm having trouble figuring out is:
>> >   1) How to enable OAuth as a valid form of authentication for /social/rpc
>> >   2) Tying the xoauth_requestor_id used in the OAuth call to all operations
>> > in the batch
>> >   3) And finally, supporting operation-specific OAuth tokens such that
>> > Operation #1 would use token "abcdefg" and Operation #2 would use token
>> > "bcdefgh", etc. -- and how to enable this without requiring
>> > xoauth_requestor_id to be used as well.
>> >
>> > The RPC documentation suggests that this is possible:
>> > "OAuth is supported for authentication and authorization in addition to
>> > other authorization schemes a container may choose to support. A single
>> > OAuth token can be used for a batch of operations or each operation can
>> > specify its own OAuth token."
>> >
>> > http://www.opensocial.org/Technical-Resources/opensocial-spec-v081/rpc-protocol.html
>> >
>> > If someone could please help point me in the right direction, it would be
>> > much appreciated.
>> >
>> > Thanks,
>> > Taylor Singletary
>>
>>
>
>
> --
> OpenSocial IRC - irc://irc.freenode.net/opensocial
>
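
Brian's message contrasts the spec's flattening rule (each sub-request turned into "<id>.<field>" query parameters that feed the OAuth signature base string) with a plain hash of the raw body. The following Python is an added example written for this thread, not Shindig code and not from any poster; it implements both approaches on the same batch so their trade-offs can be seen. Assumptions, beyond what the quoted spec text gives: the batch below is constructed to reproduce the spec's sample string, fields are emitted in the order method, id, params, list-valued parameters are comma-joined as in URL Addressing, and the container URL and OAuth parameter values are placeholders.

```python
"""Binding an OAuth signature to an OpenSocial JSON-RPC batch: two approaches.

Added example for this thread, not Shindig's code. Approach 1 is the
conversion quoted from the RPC spec (sub-request fields flattened into
"<id>.<field>" query parameters that enter the OAuth signature base string).
Approach 2 is oauth_body_hash from the OAuth body-hash draft:
base64(SHA-1(raw body bytes)) carried as an OAuth parameter.
"""
import base64
import hashlib
import hmac
import json
from urllib.parse import quote

# Constructed batch shaped like the spec's "Example 2.2" so that the
# flattened form reproduces the string quoted in the thread.
SAMPLE_BATCH = [
    {"method": "people.get", "id": "a9fd76", "params": {"userId": "@me"}},
    {"method": "people.get", "id": "e453a",
     "params": {"userId": "@me", "groupId": "@friends"}},
]

# The conversion result quoted from the spec in the thread, used as the expected value.
SPEC_EXAMPLE = (
    "a9fd76.method=people.get&a9fd76.id=a9fd76&a9fd76.params.userId=@me"
    "&e453a.method=people.get&e453a.id=e453a&e453a.params.userId=@me"
    "&e453a.params.groupId=@friends"
)


def _flatten(prefix, value):
    """Turn nested dicts into dotted key paths. Lists are comma-joined; that is
    an assumption following URL Addressing's "fields=id,name" style."""
    if isinstance(value, dict):
        for key, sub in value.items():
            yield from _flatten(f"{prefix}.{key}", sub)
    elif isinstance(value, list):
        yield prefix, ",".join(str(v) for v in value)
    else:
        yield prefix, str(value)


def batch_signature_params(batch):
    """Approach 1: each sub-request becomes query parameters prefixed with its
    id and '.', including the method field. Field order (method, id, params)
    is assumed from the spec example."""
    pairs = []
    for req in batch:
        for field in ("method", "id", "params"):
            if field in req:
                pairs.extend(_flatten(f"{req['id']}.{field}", req[field]))
    return pairs


def to_query_string(pairs):
    """Join pairs as the spec example shows them (no percent-encoding here;
    that happens when the signature base string is built)."""
    return "&".join(f"{k}={v}" for k, v in pairs)


def percent_encode(text):
    # RFC 3986 encoding as OAuth 1.0 requires: only unreserved characters stay bare.
    return quote(str(text), safe="")


def signature_base_string(http_method, url, params):
    """OAuth 1.0 signature base string: METHOD & enc(url) & enc(normalized params).
    Parameters are percent-encoded and then sorted, so the order a client
    emitted them in (or JSON key order) does not change the signature."""
    encoded = sorted((percent_encode(k), percent_encode(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join((http_method.upper(), percent_encode(url), percent_encode(normalized)))


def oauth_body_hash(body):
    """Approach 2: oauth_body_hash = base64(SHA-1(raw body bytes))."""
    return base64.b64encode(hashlib.sha1(body).digest()).decode("ascii")


def body_hash_matches(body, claimed_hash):
    """Server-side check: recompute over the exact bytes received and compare
    in constant time before acting on any sub-request in the batch."""
    return hmac.compare_digest(oauth_body_hash(body), claimed_hash)


def sign_batch_both_ways(batch, url="https://container.example/social/rpc",
                         oauth_params=(("oauth_consumer_key", "consumer-key-placeholder"),
                                       ("xoauth_requestor_id", "12345"))):
    """Base string for approach 1 and body hash for approach 2 over the same
    batch. URL and OAuth parameter values are placeholders, not real ones."""
    body = json.dumps(batch, separators=(",", ":")).encode("utf-8")
    params = list(oauth_params) + batch_signature_params(batch)
    return signature_base_string("POST", url, params), oauth_body_hash(body)


if __name__ == "__main__":
    base, digest = sign_batch_both_ways(SAMPLE_BATCH)
    print(to_query_string(batch_signature_params(SAMPLE_BATCH)))
    print(base)
    print(digest)
```

The difference the two functions expose is the one Brian's message turns on: the flattened form is canonical (the signature survives a client re-ordering JSON keys, because OAuth normalization sorts parameters), but the container has to implement the conversion for every parameter shape the batch can carry. The body hash is a few lines, but it binds the exact bytes on the wire, so both sides must hash what was actually sent and never a re-serialized copy, and, as the draft notes, it only protects the body when the signature method is a real MAC or signature rather than PLAINTEXT.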

Re: Enabling OAuth support for /social/rpc endpoints

Posted by Arne Roomann-Kurrik <ku...@google.com>.
Working with the client libraries, I also wondered about these things.  Are
these cases where the spec needs to be tightened up?

~Arne



On Fri, Feb 13, 2009 at 4:05 PM, Taylor Singletary <tsingletary@linkedin.com> wrote:

> Hi Everyone,
>
> I didn't get any bites on this. Am I just not making any sense? :)
>
> Thanks,
> Taylor
>
>
> On 2/4/09 8:32 AM , "Taylor Singletary" <ts...@linkedin.com> wrote:
>
> > Hi Shindig-Dev,
> >
> > I am trying to determine how to enable OAuth support for the /social/rpc
> > endpoint. We've already enabled OAuth support for the usual /social/rest
> > endpoint, but are interested in allowing batched calls using OAuth.
> >
> > What I'm having trouble figuring out is:
> >   1) How to enable OAuth as a valid form of authentication for /social/rpc
> >   2) Tying the xoauth_requestor_id used in the OAuth call to all operations
> > in the batch
> >   3) And finally, supporting operation-specific OAuth tokens such that
> > Operation #1 would use token "abcdefg" and Operation #2 would use token
> > "bcdefgh", etc. -- and how to enable this without requiring
> > xoauth_requestor_id to be used as well.
> >
> > The RPC documentation suggests that this is possible:
> > "OAuth is supported for authentication and authorization in addition to
> > other authorization schemes a container may choose to support. A single
> > OAuth token can be used for a batch of operations or each operation can
> > specify its own OAuth token."
> >
> > http://www.opensocial.org/Technical-Resources/opensocial-spec-v081/rpc-protocol.html
> >
> > If someone could please help point me in the right direction, it would be
> > much appreciated.
> >
> > Thanks,
> > Taylor Singletary
>
>


-- 
OpenSocial IRC - irc://irc.freenode.net/opensocial

Re: Enabling OAuth support for /social/rpc endpoints

Posted by Taylor Singletary <ts...@linkedin.com>.
Hi Everyone,

I didn't get any bites on this. Am I just not making any sense? :)

Thanks,
Taylor


On 2/4/09 8:32 AM , "Taylor Singletary" <ts...@linkedin.com> wrote:

> Hi Shindig-Dev,
>
> I am trying to determine how to enable OAuth support for the /social/rpc
> endpoint. We've already enabled OAuth support for the usual /social/rest
> endpoint, but are interested in allowing batched calls using OAuth.
>
> What I'm having trouble figuring out is:
>   1) How to enable OAuth as a valid form of authentication for /social/rpc
>   2) Tying the xoauth_requestor_id used in the OAuth call to all operations
> in the batch
>   3) And finally, supporting operation-specific OAuth tokens such that
> Operation #1 would use token "abcdefg" and Operation #2 would use token
> "bcdefgh", etc. -- and how to enable this without requiring
> xoauth_requestor_id to be used as well.
>
> The RPC documentation suggests that this is possible:
> "OAuth is supported for authentication and authorization in addition to
> other authorization schemes a container may choose to support. A single
> OAuth token can be used for a batch of operations or each operation can
> specify its own OAuth token."
> http://www.opensocial.org/Technical-Resources/opensocial-spec-v081/rpc-protocol.html
> 
> If someone could please help point me in the right direction, it would be
> much appreciated.
> 
> Thanks,
> Taylor Singletary