
OpenSocial Doc Review Part 2 : Authentication, Hosting and Applications

November 2nd, 2007

Authentication

Update: Miron highlights another potentially critical problem – track it here

I hinted that authentication was a concern at the end of my previous post on the topic.

According to the OpenSocial documentation I can only surmise that the only authentication mechanisms prescribed by OpenSocial are the Google Authentication APIs. The application user gets redirected to Google Login and once done the application gets a token that it uses when calling the OpenSocial APIs. This implies that every OpenSocial application user has to have a Google Account.

There are no references to open alternatives such as OAuth or OpenID in the documentation. It’s worth bearing in mind that the existing documents are very Orkut centric so perhaps they are focusing too much on explaining how it works within the Google/Orkut world but I can’t find any alternative info. This really doesn’t seem very Open!

I’m wondering how this will work for applications that are deployed into Ning or MySpace. Does the application have to detect that it is not in Google-land and use the local container’s authentication/delegating authority mechanism? Or does it continue to authenticate against Google Accounts? Am I missing something obvious here?

Hosting

Here things get fuzzier. One of the main things I wanted to find out was how I might host an OpenSocial application on our servers, in the same way that we host some of the Facebook applications that we have developed for clients. (Facebook authentication is described here for those who are curious about where I’m coming from.)

The docs only talk about Google Gadgets. There isn’t any reference to a callback API that the OpenSocial container calls when it wants the content for the application – this concept doesn’t seem to exist (or at least is not documented). The AuthSubRequest API does take a next parameter but is that it?
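
The AuthSub round trip described in the Authentication section (redirect to Google Login, token handed back to the application) and the next parameter mentioned above, sketched from the application's side. This is an added example, not code from the original post or from the OpenSocial documentation; the callback URL, the scope value, and the https and exact-match checks are assumptions made for illustration.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHSUB_REQUEST = "https://www.google.com/accounts/AuthSubRequest"

# Assumptions for illustration: the callback URL and the scope value are
# placeholders, not values taken from the OpenSocial documentation.
CALLBACK = "https://app.example.com/authsub/callback"
SCOPE = "https://container.example.com/feeds/"


def build_login_redirect(next_url=CALLBACK, scope=SCOPE, session=True):
    """URL the application sends the user's browser to for Google Login."""
    if urlsplit(next_url).scheme != "https":
        # Added hardening: the token comes back in the query string of next_url.
        raise ValueError("next must be https: the token is returned in its URL")
    params = {"next": next_url, "scope": scope,
              "secure": "0", "session": "1" if session else "0"}
    return AUTHSUB_REQUEST + "?" + urlencode(params)


def token_from_callback(request_url, expected=CALLBACK):
    """Extract the token appended to next when the user is redirected back."""
    got, want = urlsplit(request_url), urlsplit(expected)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback does not match the next URL that was sent")
    tokens = parse_qs(got.query).get("token", [])
    if len(tokens) != 1:  # missing, blank or duplicated token parameter
        raise ValueError("expected exactly one token parameter")
    return tokens[0]


def auth_header(token):
    """Header the application attaches to each API call made with the token."""
    if any(c in token for c in '"\r\n'):
        raise ValueError("token contains characters unsafe in a header")
    return {"Authorization": 'AuthSub token="%s"' % token}
```

Every step here runs through a Google endpoint and a Google-issued token, which is the dependency the post is questioning: nothing in the flow lets a non-Google container stand in for the login step.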

Applications

Here things get even fuzzier. Again the OpenSocial docs are very Google-land centric so all they talk about is Google Gadget based social applications. I initially thought that they were just using Google Gadgets to illustrate how JavaScript based widgets would interact with the OpenSocial APIs but then I noticed that the OpenSocial home page states:

OpenSocial is built upon Google Gadget technology, so you can build a great, viral social app with little to no serving costs.

Uh-oh. Why create a dependency between an open social network API and a proprietary widget platform? I can see that some OpenSocial applications might be built as Google Gadgets but what if I want to create an OpenSocial application that isn’t?

Update: Simon Willison has some similar concerns and questions.

aehso facebook, google, opensocial