OpenSocial Doc Review Part 2 : Authentication, Hosting and Applications
Authentication
Update: Miron highlights another potentially critical problem - track it here
I hinted that authentication was a concern at the end of my previous post on the topic.
According to the OpenSocial documentation I can only surmise that the only authentication mechanisms prescribed by OpenSocial are the Google Authentication APIs. The application user gets redirected to Google Login and once done the application gets a token that it uses when calling the OpenSocial APIs. This implies that every OpenSocial application user has to have a Google Account.
There are no references to open alternatives such as OAuth or OpenID in the documentation. It’s worth bearing in mind that the existing documents are very Orkut centric so perhaps they are focusing too much on explaining how it works within the Google/Orkut world but I can’t find any alternative info. This really doesn’t seem very Open!
I’m wondering how this will work for applications that are deployed into Ning or MySpace. Does the application have to detect that it is not in Google-land and use the local container’s authentication/delegating authority mechanism? Or does it continue to authenticate against Google Accounts? Am I missing something obvious here?
Hosting
Here things get fuzzier. One of the main things I wanted to find out was how I might host an OpenSocial application on our servers, in the same way that we host some of the Facebook applications that we have developed for clients. (Facebook authentication is described here for those who are curious about where I’m coming from here)
The docs only talk about Google Gadgets. There isn’t any reference to a callback API that the OpenSocial container calls when it wants the content for the application - this concept doesn’t seem to exist (or at least is not documented). The AuthSubRequest API does take a next parameter but is that it?
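The redirect-and-token exchange described under Authentication, including the next parameter mentioned above, as an added Python example that is not from this post or the OpenSocial documentation. The callback URL, scope value and token are constructed placeholders; the parameter names and the Authorization header format are those of Google's AuthSub interface.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl

AUTHSUB_ENDPOINT = "https://www.google.com/accounts/AuthSubRequest"
# Assumptions for illustration: where the app is hosted and which feed it wants.
APP_CALLBACK = "https://apps.example.org/opensocial/callback"
SCOPE = "https://container.example/feeds/"  # placeholder scope, not a real feed


def _origin(url):
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.port)


def build_login_url(next_url=APP_CALLBACK, scope=SCOPE, session=True):
    """URL the user's browser is sent to; Google redirects back to `next`."""
    # Pin `next` to our own origin so the token is never delivered elsewhere.
    if _origin(next_url) != _origin(APP_CALLBACK):
        raise ValueError("next must point back at this application")
    params = {"next": next_url, "scope": scope,
              "session": int(session), "secure": 0}
    return AUTHSUB_ENDPOINT + "?" + urlencode(params)


def handle_callback(request_url):
    """Pull the token off the redirect; return (token, clean_url)."""
    if _origin(request_url) != _origin(APP_CALLBACK):
        raise ValueError("callback arrived on an unexpected origin")
    parts = urlsplit(request_url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    tokens = [v for k, v in query if k == "token"]
    if len(tokens) != 1 or not tokens[0]:
        raise ValueError("expected exactly one non-empty token parameter")
    # Redirect the browser to clean_url afterwards so the token does not
    # linger in history, Referer headers or access logs.
    rest = [(k, v) for k, v in query if k != "token"]
    clean_url = urlunsplit(
        (parts.scheme, parts.netloc, parts.path, urlencode(rest), ""))
    return tokens[0], clean_url


def auth_header(token):
    """Header the application attaches to each subsequent API call."""
    if any(c in token for c in '"\r\n'):
        raise ValueError("token contains characters that would break the header")
    return {"Authorization": 'AuthSub token="%s"' % token}
```

The token arrives in the query string of the next URL, so the handler both restricts where it can be delivered and returns a token-free URL to redirect to.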
Applications
Here things get even fuzzier. Again the OpenSocial docs are very Google-land centric so all they talk about is Google Gadget based social applications. I initially thought that they were just using Google Gadgets to illustrate how JavaScript based widgets would interact with the OpenSocial APIs but then I noticed that the OpenSocial home page states:
OpenSocial is built upon Google Gadget technology, so you can build a great, viral social app with little to no serving costs.
Uh-oh. Why create a dependency between an open social network API and a proprietary widget platform? I can see that some OpenSocial applications might be built as Google Gadgets but what if I want to create an OpenSocial application that isn’t?
Update: Simon Willison has some similar concerns and questions.
1 Comment to OpenSocial Doc Review Part 2 : Authentication, Hosting and Applications
[...] posts on OpenSocial that I’ve come across that all touch on points I raised in my last two posts that are worth [...]