OAuth use cases

The OAuth protocol was designed to allow secure API authorization and is used by OpenSocial. This page provides a high level overview of the different ways that OAuth and OpenSocial work together.

The http://oauth.net/ OAuth website contains detailed information about implementing OAuth, but most OpenSocial developers will not need to concern themselves with the exact details of implementing OAuth, since the [a:Client Libraries ] are designed to perform most of these actions transparently.

Keys and Certificates

Overview

The OAuth specification says that requests must be signed in a way so that the recipient of the request can verify that the sender is who they claim to be and that the request has not been modified in any way since it was signed.

To sign an OAuth request, all the parameters included in the request are gathered, arranged in a defined way, and cryptographically hashed into a string of random-looking characters. Verifying a signature follows a similar approach.

Consumer Key & Secret

The exact details of the signing process aren't covered here because this is handled automatically by the Client Libraries . To configure the client libraries, however, you will typically need what's known as an OAuth Consumer Key and OAuth Consumer Secret. When making requests, these values identify your application to the social network. For this reason, the consumer secret for your application should not be made public!

To obtain a consumer key and secret, most social networks offer an administration page or tool for verifying the ownership of a gadget. Below is a list of some containers which offer an OAuth consumer key and secret to developers:

Public Certificates

In some cases, a container will not support the Consumer Key and Secret, and will sign requests using a public/private key system. To validate such requests, you will need the container's public key certificate. For your convenience, there is a list of public keys for each container available at https://opensocialresources.appspot.com/certificates/ along with links to each certificate. This site is for convenience only and not approved by the containers listed! For the best security, be sure to check your container's documentation to verify the location of the appropriate public key!

OAuth Signed Requests

Overview

OAuth defines a method of signing requests so that a recipient can verify that the request was not tampered with while in transit. While signing is only a small portion of the OAuth specification, OpenSocial uses this approach to allow third party developers to verify that social data passed to their servers was sent from a specific container.

Uses

• Pass social data from a gadget to an application server.
• Request data from an application server to display in a gadget.

Request Flow

OpenSocial and 2-legged OAuth

Overview

The two "legs" in 2-legged OAuth represent a Social network and an Application server. Using the 2-legged protocol, these two servers are able to securely exchange information through OAuth signed requests. However, there is no authorization step involved in 2-legged OAuth, which means that the application server must already have permission to access the data it is requesting from the social network. In the case of user-specific data, this is usually done in a separate channel. For example, when a user installs an application on a social network, they are asked to share their data with the application, which would allow the application server to access that user's data via 2-legged OAuth.

Some OpenSocial operations like the Invalidation API are application-specific, not user-specific, and therefore don't need special permission from a user. Such operations can usually be made directly through the use of a 2-legged call.

Uses

• Background processing for a gadget
  • Example: A turn-based game gadget wants to notify a user via a message when it's their turn to play the game.

Request Flow

OpenSocial and 3-legged OAuth

Overview

The three "legs" in OpenSocial 3-legged OAuth typically represent a Social network, an Application server, and the Application user. In this model, a website, mobile application, or desktop application wishes to use social data in a context outside of the social network. Because there is no gadget install process involved, 3-legged OAuth provides a method for the user to grant the application access to their data on the social network without sharing the user's username and password for the social network with the application.

Additionally, some OpenSocial containers may implement what is known as an "OAuth Proxy", which allows gadgets running inside of a social network to access OAuth-protected resources. An example of this is the MySpace gadget which runs inside of iGoogle - iGoogle provides an OAuth proxy which accesses MySpace's OAuth-protected APIs. The proxy takes care of storing tokens which should not be stored inside of the gadget itself, and signing the outgoing requests. More information about iGoogle's OAuth Proxy can be found here

Uses

• Accessing social data from a website.
  • Example: Writing a stand-alone website and want access to a user's friend list, activity stream, or messages on another site to enable social features.
• Mobile or desktop applications.
  • Example: Writing a mobile or desktop application and want to access a user's friend list, activity stream, or messages from a native mobile or desktop application.
• Accessing traditional 3-legged OAuth services from within a gadget
  • Example: Writing a JavaScript gadget that needs to securely communicate with a 3rd party web service such as Google Data APIs or MySpace.

Request Flow