Question

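I am working on a web project that is, in principle, not all that different from power.com: it integrates several different social networking sites in a single website, so that users can register with the system once and then add as many individual social networking accounts (Facebook, MySpace, Orkut, etc.) as the system is made to handle, letting them browse each account's profile information in a single place.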

Simply put, I can't find a way to authenticate an arbitrary user with their social network account.

I've looked at the OpenSocial specification and the OpenSocial PHP client project, but everything seems to be circularly dependent, so I feel like I'm missing something.

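The first problem is that I have a MySpace consumer key and consumer secret for testing purposes, but whenever I try to perform 3-legged authentication with MySpace, I am given no option to log in as anyone else. It also performs an external redirect, which is rather undesirable (as a user of this eventual social networking site, I would not want to go through the redirect process every time I add a new account).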

Is there a way to programmatically authenticate an arbitrary user and gain access to their account information (preferably without an external redirect)?

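Second, 2-legged authentication relies on a userId (typically an arbitrary integer) to identify an arbitrary user and retrieve their information. However, when I enter my MySpace OpenSocial ID together with the given consumer key and consumer secret, I am given a 401 access denied error. Also, it seems that in order to use this ID in the future I would first have to authenticate the user... but authentication appears to require the ID.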

I'm sure I'm missing something trivial, but for the life of me I can't figure out what it is. Thanks for any help!

Solution

Technically this isn't my answer, but the developers at OpenSocial have provided me with the following information regarding my question (emphasis mine):

3-legged OAuth is built around the redirect back to the site you're authenticating with, and there's no way to avoid it. It's not the most convenient experience, but allows users to share their data with your website while keeping their passwords private. Any design which requires users to enter their MySpace password into a form on your website is considered an anti-pattern and should be avoided. You could potentially attempt the redirect in a popup window in order to make the experience a bit less jarring for the user (currently the PHP client doesn't make this that easy, but if you followed up at opensocial-client-libraries@googlegroups.com someone could help you work through that process).

With regard to not being able to change the user, what I believe MySpace is doing in your case is checking for a MySpace cookie and pre-populating your account information. If you were a user visiting the site and not logged into MySpace, you should get a full username/login box combination. There should also be a button or link somewhere to say "I'm not this user" and log in with other credentials.

As for 2-legged, you would need to have the application associated with the consumer key/secret installed on the profile of any user whose data you wish to access. 2-legged is mostly intended for developers who are currently running a social gadget on a container and wish to access social data for their application users out of band with a gadget render. In this case, the application server would already have the user's OpenSocial ID (from a signed makeRequest) and the user would already have the app installed on their MySpace profile.

Most of this is covered in http://wiki.opensocial.org/index.php?title=OAuth_Use_Cases if you want more information.

Essentially, this makes any use of 2-legged authentication on an external application impossible; 2-legged was explicitly designed not to be used in this sort of situation. Furthermore, it seems that power.com is indeed employing the anti-pattern of having users supply their actual Orkut/MySpace/etc credentials, so that explains that bit.

Clearing out my cookies worked to authenticate me through MySpace. However, I followed up with another question about how Orkut authentication would work, since it doesn't seem to support 3-legged auth. Here was the response I received:

Orkut is interested in supporting this, so you'll be able to allow users to share their information with your application "correctly" in the future.

The corresponding two-legged app would need to forward the current viewer's OpenSocial ID back to your server, probably along with an authorization token you generate yourself so that you can link a user's session on orkut with a session on your own server. Honestly, it's probably not usable enough to support a standalone login system.

Essentially, no, Orkut really can't be hooked into an external app (at least, not yet) without resorting to the anti-pattern.

If anyone has any further information on this topic, please feel free to share!
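The 401 described in the question can be reproduced offline. The following is an added example, not part of the original answer and not code from OpenSocial or MySpace: it signs a 2-legged OAuth 1.0 request (HMAC-SHA1) and runs a toy container-side check. The endpoint, keys, user IDs, the use of `xoauth_requestor_id` to carry the userId, and the `container_status` logic are all assumptions made for illustration.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def pct(value):
    # OAuth 1.0 percent-encoding: only unreserved characters stay literal.
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # Sorted, encoded parameters (minus the signature) joined to method and URL.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    # 2-legged: no user token exists, so the HMAC key is just "<consumer_secret>&".
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

# Constructed sample data: one registered app, installed only on user 1001's profile.
CONSUMER_SECRETS = {"example-consumer-key": "example-consumer-secret"}
INSTALLED_ON = {"example-consumer-key": {"1001"}}
URL = "https://container.example/people/@me/@self"  # hypothetical endpoint

def build_request(user_id):
    # Fixed nonce/timestamp keep the example deterministic; real ones must be fresh.
    params = {
        "oauth_consumer_key": "example-consumer-key",
        "oauth_nonce": "constructed-nonce",
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1700000000",
        "oauth_version": "1.0",
        "xoauth_requestor_id": user_id,  # the user is only named, never proven
    }
    params["oauth_signature"] = sign("GET", URL, params, "example-consumer-secret")
    return params

def container_status(params):
    # Toy container decision (nonce/timestamp replay checks omitted for brevity).
    key = params.get("oauth_consumer_key")
    secret = CONSUMER_SECRETS.get(key)
    if secret is None:
        return 401
    expected = sign("GET", URL, params, secret)
    if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
        return 401  # request was not signed by this app
    if params.get("xoauth_requestor_id") not in INSTALLED_ON[key]:
        return 401  # app is authentic, but this user never installed it
    return 200
```

The signature proves only which application is calling. The user's consent comes from the app being installed on their profile, so a correctly signed request for any other user is still refused.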

Other tips

The pattern is also mentioned here http://sites.google.com/site/oauthgoog/2leggedoauth/2opensocialrestapi

Essentially a lot of the mashups would want this feature:

A 3rd party site which DOES NOT have a gadget wants to get the end-user's permission to access their data at the social network, for example to download their friend list, or to get permission to post to their activity stream.

License: CC-BY-SA with attribution
Not affiliated with StackOverflow