OpenSocial authentication from external application

Question

I'm working on a web project that isn't all that dissimilar in principal to power.com, where I am attempting to unify several different social networking sites under a single website, allowing users to register once with the system, and then add as many of their individual social networking accounts (Facebook, MySpace, Orkut, etc) as the system is built to handle, allowing them to browse their respective profile information in a single place.

Simply put, I can't seem to find a way to authenticate arbitrary users into their social network accounts.

I've been poring over the OpenSocial specifications, as well as the OpenSocial PHP client project, but I seem to be missing something, as everything is appearing to be circularly dependent.

My first problem is that, for testing purposes, I have a MySpace consumer key and consumer secret, but whenever I attempt to perform a 3-legged authentication with MySpace, there's no option for logging in as someone else. Plus, it performs an external redirect, which is somewhat undesirable (as a user of this eventual social networking "portal", I'd rather not have to go through that redirection process every time I add a new account).

How would I programmatically authenticate an arbitrary user and allow them access to their account information (preferably without the external redirection)?

Second, the 2-legged authentication requires a userId (usually an arbitrary integer) that identifies the arbitrary user to retrieve information for. However, when I enter my MySpace OpenSocial ID, along with the given consumer key and consumer secret, I am given a 401 Access Denied error. Furthermore, in order to use this ID in the future, it seems that I would need to authenticate the user first...but that authentication appears to require the ID.

I'm pretty convinced that I'm missing something trivial, but for the life of me can't figure out what it is. Help is greatly appreciated!

Answer 1

Technically this isn't my answer, but the developers at OpenSocial have provided me with the following information regarding my question (emphasis mine):

3-legged OAuth is built around the redirect back to the site you're authenticating with, and there's no way to avoid it. It's not the most convenient experience, but allows users to share their data with your website while keeping their passwords private. Any design which requires users to enter their MySpace password into a form on your website is considered an anti-pattern and should be avoided. You could potentially attempt the redirect in a popup window in order to make the experience a bit less jarring for the user (currently the PHP client doesn't make this that easy, but if you followed up at [email protected] someone could help you work through that process).

With regard to not being able to change the user, what I believe MySpace is doing in your case is checking for a MySpace cookie and pre-populating your account information. If you were a user visiting the site and not logged into MySpace, you should get a full username/login box combination. There should also be a button or link somewhere to say "I'm not this user" and log in with other credentials.

As for 2-legged, you would need to have the application associated with the consumer key/secret installed on the profile of any user whose data you wish to access. 2-legged is mostly intended for developers who are currently running a social gadget on a container and wish to access social data for their application users out of band with a gadget render. In this case, the application server would already have the user's OpenSocial ID (from a signed makeRequest) and the user would already have the app installed on their MySpace profile).

Most of this is covered in http://wiki.opensocial.org/index.php?title=OAuth_Use_Casesif you want more information.

Essentially, this makes any use of 2-legged authentication on an external application impossible; 2-legged was explicitly designed not to be used in this sort of situation. Furthermore, it seems that power.com is indeed employing the anti-pattern of having users supply their actual Orkut/MySpace/etc credentials, so that explains that bit.

Clearing out my cookies worked to authenticate me through MySpace. However, I followed up with another question about how Orkut authentication would work, since it doesn't seem to support 3-legged auth. Here was the response I received:

Orkut is interested in supporting this, so you'll be able to allow users to share their information with your application "correctly" in the future.

The corresponding two-legged app would need to forward the current viewer's OpenSocial ID back to your server, probably along with an authorization token you generate yourself so that you can link a user's session on orkut with a session on your own server. Honestly, it's probably not usable enough to support a standalone login system.

Essentially, no, Orkut really can't be hooked into an external app (at least, not yet) without resorting to the anti-pattern.

If anyone has any further information on this topic, please feel free to share!

Answer 2

The pattern is also mentioned here http://sites.google.com/site/oauthgoog/2leggedoauth/2opensocialrestapi

Essentially a lot of the mashups would want this feature :

A 3rd party site which DOES NOT have a gadget wants to get the end-users permission to access their data at the social network, for example to download their friend list, or to get permission to post to their activity stream