Versions Compared

Version Old Version 1 New Version 2
Changes made by

Mark Halvorson

Jonathan Beri

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Version|opensocial-0.8|opensocial-0.9

Table of Contents
outlinetrue
indent20px
stylenone
printablefalse

By the time you've gotten a couple introductory OpenSocial applications written, you may be wondering how you can take advantage of web services running on your external server to build a more sophisticated OpenSocial application.

...

This article is written assuming that you have an intermediate knowledge of the OpenSocial API, and some familiarity with requesting remote data /wiki/spaces/a/pages/527111 using OpenSocial. It is also written under the assumption that you have access to an external server, and some experience writing server-side code for web applications.

...

In this example, the remote server looks for the *

...

opensocial_viewer_id

...

* parameter in the request and returns information about that user. If the application were a restaurant review app, this information might be a list of restaurants that Alice has reviewed. A banking app may return information about Alice's bank account.

...

Now imagine that Evil Testington were a malicious user of the application. Using Firebug or some other method of forging a request, they change the call to

...

makeRequest

...

and insert Alice's ID number instead of their own.

...

Signed requests were introduced to address this issue, and are based upon OAuth's parameter signing mechanism. Through the use of parameter signing, it is now possible for a gadget to request the container to send ID numbers along with a cryptographic hash that allows third party sites to verify that the numbers passed are indeed legitimate.

When a

...

makeRequest

...

is signed by the container, the container adds additional data to the request before forwarding it to the remote website. This data contains additional information such as the current OWNER and VIEWER of the app, the ID of the application making the request, and some additional information that your server can use to verify that the information added was not tampered with since the container sent the request.

...

To make a signed request, you specify the *

...

gadgets.io.RequestParameters.AUTHORIZATION

...

* parameter, as shown here:

Panelcode

  function request(url) {


    var params = {};


    params[gadgets.io.RequestParameters.AUTHORIZATION] = gadgets.io.AuthorizationType.SIGNED;


    gadgets.io.makeRequest(url, response, params);


  };

The server will see the following querystring parameters added to the request:

...

  • opensocial_owner_id - The ID of the current owner, which matches the getId() value on the owner person object.

...

  • opensocial_app_url - The URL of the application making the request. Containers may alias multiple application URLs to a single canonical application URL in the case where an application changes URLs.

Additionally, the following parameters may optionally be added (depending on the container):

...

...

  • opensocial_viewer_id - The ID of the current viewer, which matches the getId() value on the viewer person object.

...

  • opensocial_instance_id - An opaque identifier used to distinguish between multiple instances of the same application in a single container. If a container does not allow multiple instances of the same application to coexist, this parameter may be omitted. The combination of opensocial_app_url and opensocial_instance_id uniquely identify an instance of an application in a container.

...

  • opensocial_app_id - An opaque identifier for the application, unique to a particular container. Containers that wish to maintain backwards compatibility with the opensocial-0.7 specification may include this parameter.

...

  • xoauth_public_key - An opaque identifier for the public key used to sign the request. This parameter may be omitted by containers that do not use public keys to sign requests, or if the container arranges other means of key distribution with the target of the request.

The server will also be passed the parameters oauth_consumer_key, oauth_nonce, oauth_signature, oauth_signature_method, oauth_timestamp, and oauth_token, which are used for validating the signed request. Use of these parameters will be explained later in this article.

...