[Update 11:19pm PST - A number of folks in the IRC channel have noted that the problems described here are really only a certain class of applications. OpenSocial/Google Gadgets can be used in many scenarios that don't raise the issues described here.]
Actually, this is a problem with Google Gadgets. A OpenSocial/Google Gadgets application runs in a iframe loaded from the OpenSocial container site. To access third party sites, such as the site hosting application site, the javascript in my gadget has to invoke a special function (_IG_FetchXmlContent, _IG_FetchContent, _IG_FetchJSONFeed) via a proxy associated (by domain name) with the container website. Pretty straightforward, Facebook does this as well. The reason this is necessary is because of the restrictions browsers place on allowing javascript to access sites the javascript wasn't loaded from (to prevent cross site scripting).
Here's where the problem lies. For security reasons, my application (the component living on my server) has to know on which container and for which user the javascript is running. That is, is needs to know that gwachob@ning is making the request vs. smartguy@orkut. Furthermore, to prevent trivial spoofing, my application really needs to have the container add some proof to the request so my application can rely on the fact that it actually was gwachob@ning or smartguy@orkut, rather than badguy@elsewhere. Facebook adds request signatures to proxied calls to application servers. Orkut, and the google gadgets API in general, provides no such signature or other verification method.
This is confirmed by this message from a Google employee sent to the OpenSocial API google-group on November 6th:
... we are working on a mechanism that will sign _IG_Fetch requests, allowing you to verify server-side that the request was not spoofed. (This) will certainly be in place by the public launch of the Orkut sandbox.
Its good to see that the folks at Google understand the issue and seem to be working on it. This is a big issue [for some types of applications] and one I hope they can address soon. But its not the end of the story, and I think there are a lot of issues around identity and authentication that need to get worked through (but we have good places to start: OpenID and OAuth). I hope that Google works through these issues in open manner (open sky, not just open door) and doesn't simply foist a solution on the community. Furthermore, experience tells me that there's NOT one best answer, and the user experience is going to be really tricky. Can you imagine an entire screenful of login boxes? YECH!
Comments