shindig-users mailing list archives

From Matthew G Marum <mgma...@us.ibm.com>
Subject Re: OAuth2+REST API: how to retrieve the viewer?
Date Mon, 28 Nov 2011 16:59:22 GMT
Yes, the reference OAuth 2.0 implementation code uses an anonymous security
token so to accomplish your use case you'd have to modify it or make some
extensions.

You could modify the access token to include the viewer ID or you could try
storing the viewer ID with the HttpSession and retrieve it from there if
this is all occurring within the same web application.

Matt


From: Ronny Roeller <rroeller@gmail.com>
To: users@shindig.apache.org
Date: 11/23/2011 03:40 AM
Subject: OAuth2+REST API: how to retrieve the viewer?

Hi community,

I'm testing the new OAuth2 implementation (3.0.0-beta3). After retrieving
my access-token, I'm sending requests to the REST API but can't figure out
the viewer in my SPIs.

For example:

   1. As user 'sue' I'm requesting an access-token
   2. Shindig gives me the access-token 7173531c-57da-44d7-a4fe-52cae0faa3e1
   3. I request information about user 'joe':
      /social/rest/people/joe/@self?access_token=7173531c-57da-44d7-a4fe-52cae0faa3e1
   4. My PersonService decides based on the viewer how much information to
      return (e.g. 'sue' may be an administrator and see more available data
      points).

How could I figure out in my PersonService that the viewer of the request
was 'sue'?

One possible solution I found: I could extend OAuth2Code with the
viewerId and then set the value when creating the accessToken
in OAuth2Service.generateAccessToken(). I use this access token to create a
SecurityToken in OAuth2AuthenticationHandler:getSecurityTokenFromRequest()
[instead of returning the AnonymousSecurityToken].

Does this make sense? What would be the suggested solution approach?

Many thanks,
Ronny
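The approach both messages describe, recording the viewer when the access token is issued and handing the REST layer a viewer-bearing security token instead of the anonymous one, as an added illustrative example that is neither Shindig's code nor either poster's. ViewerTokenResolver, ViewerSecurityToken and the in-memory map are assumed stand-ins for Shindig's OAuth2Code / SecurityToken classes; their real signatures are not reproduced here.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class ViewerTokenResolver {

    /** Hypothetical minimal stand-in for a Shindig-style security token. */
    public static final class ViewerSecurityToken {
        public final String viewerId;      // null means anonymous
        public final long expiresAtMillis;
        ViewerSecurityToken(String viewerId, long expiresAtMillis) {
            this.viewerId = viewerId;
            this.expiresAtMillis = expiresAtMillis;
        }
        public boolean isAnonymous() { return viewerId == null; }
    }

    /** Issued access tokens keyed by their opaque value (constructed, in-memory store). */
    private final Map<String, ViewerSecurityToken> issued = new ConcurrentHashMap<>();

    /** Record the viewer at issue time, the step the thread places in generateAccessToken(). */
    public void issue(String accessToken, String viewerId, long expiresAtMillis) {
        issued.put(accessToken, new ViewerSecurityToken(viewerId, expiresAtMillis));
    }

    /**
     * What getSecurityTokenFromRequest() would return: the viewer's token when the
     * presented access token is known and unexpired, otherwise an anonymous token.
     * Unknown and expired tokens take the same path, so the caller learns nothing
     * about whether a guessed token value was ever issued.
     */
    public ViewerSecurityToken resolve(String accessToken, long nowMillis) {
        if (accessToken == null) return anonymous();
        ViewerSecurityToken t = issued.get(accessToken);
        if (t == null || nowMillis >= t.expiresAtMillis) {
            issued.remove(accessToken);   // drop expired entries eagerly
            return anonymous();
        }
        return t;
    }

    private static ViewerSecurityToken anonymous() {
        return new ViewerSecurityToken(null, Long.MAX_VALUE);
    }

    public static void main(String[] args) {
        ViewerTokenResolver r = new ViewerTokenResolver();
        long now = 1_000L;
        // Constructed sample: the token value from the thread, issued to 'sue' for one hour.
        r.issue("7173531c-57da-44d7-a4fe-52cae0faa3e1", "sue", now + 3_600_000L);
        System.out.println(r.resolve("7173531c-57da-44d7-a4fe-52cae0faa3e1", now).viewerId);
        System.out.println(r.resolve("never-issued", now).isAnonymous());
    }
}
```

A PersonService can then branch on `viewerId` rather than seeing every REST caller as anonymous, and a token that is missing, unknown or expired degrades to the anonymous view instead of failing open.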