php - 来自外部应用程序的 OpenSocial 身份验证

Question

我正在从事一个与 power.com 在原则上并无太大不同的 Web 项目，我试图在一个网站下统一几个不同的社交网站，允许用户在系统中注册一次，然后添加尽可能多的个人社交网络帐户(Facebook、MySpace、Orkut 等)作为系统专为处理而设计，允许他们在一个地方浏览各自的个人资料信息。

简而言之，我似乎无法找到一种方法来对任意用户的社交网络帐户进行身份验证。

我一直在研究 OpenSocial 规范以及 OpenSocial PHP client项目，但我似乎遗漏了一些东西，因为一切似乎都是循环依赖的。

我的第一个问题是，出于测试目的，我有一个 MySpace 消费者 key 和消费者 secret ，但是每当我尝试使用 MySpace 执行三方身份验证时，没有以其他人身份登录的选项。此外，它执行外部重定向，这有点不受欢迎(作为这个最终社交网络“门户”的用户，我宁愿不必在每次添加新帐户时都经历该重定向过程)。

我如何以编程方式验证任意用户并允许他们访问他们的帐户信息(最好没有外部重定向)？

其次，双足身份验证需要一个 userId(通常是任意整数)来标识要为其检索信息的任意用户。但是，当我输入我的 MySpace OpenSocial ID 以及给定的消费者 key 和消费者 secret 时，我收到 401 拒绝访问错误。此外，为了将来使用此 ID，我似乎需要先对用户进行身份验证……但该身份验证似乎需要 ID。

我非常确信我遗漏了一些微不足道的东西，但我终究无法弄清楚它是什么。非常感谢您的帮助!

Answer 1

从技术上讲，这不是我的答案，但 OpenSocial 的开发人员为我提供了有关我的问题(强调我的)的以下信息:

3-legged OAuth is built around the redirect back to the site you're authenticating with, and there's no way to avoid it. It's not the most convenient experience, but allows users to share their data with your website while keeping their passwords private. Any design which requires users to enter their MySpace password into a form on your website is considered an anti-pattern and should be avoided. You could potentially attempt the redirect in a popup window in order to make the experience a bit less jarring for the user (currently the PHP client doesn't make this that easy, but if you followed up at opensocial-client-libraries@googlegroups.com someone could help you work through that process).

With regard to not being able to change the user, what I believe MySpace is doing in your case is checking for a MySpace cookie and pre-populating your account information. If you were a user visiting the site and not logged into MySpace, you should get a full username/login box combination. There should also be a button or link somewhere to say "I'm not this user" and log in with other credentials.

As for 2-legged, you would need to have the application associated with the consumer key/secret installed on the profile of any user whose data you wish to access. 2-legged is mostly intended for developers who are currently running a social gadget on a container and wish to access social data for their application users out of band with a gadget render. In this case, the application server would already have the user's OpenSocial ID (from a signed makeRequest) and the user would already have the app installed on their MySpace profile).

Most of this is covered in http://wiki.opensocial.org/index.php?title=OAuth_Use_Casesif you want more information.

从本质上讲，这使得在外部应用程序上使用任何 2-legged 身份验证变得不可能；两条腿被明确设计为不在这种情况下使用。此外，似乎 power.com 确实采用了让用户提供他们实际的 Orkut/MySpace/etc 凭据的反模式，所以这就解释了这一点。

清除我的 cookie 有助于通过 MySpace 验证我的身份。但是，我接着提出了另一个关于 Orkut 身份验证如何工作的问题，因为它似乎不支持三足身份验证。这是我收到的回复:

Orkut is interested in supporting this, so you'll be able to allow users to share their information with your application "correctly" in the future.

The corresponding two-legged app would need to forward the current viewer's OpenSocial ID back to your server, probably along with an authorization token you generate yourself so that you can link a user's session on orkut with a session on your own server. Honestly, it's probably not usable enough to support a standalone login system.

本质上，不，如果不求助于反模式，Orkut 真的无法连接到外部应用程序(至少目前还不能)。

如果有人对此主题有任何进一步的信息，请随时分享!