MySpace Open Platform

Pass User Id to Iframe app (what worked for me)

Last post 02-13-2009 12:40 PM by Tony. 37 replies.
  • 02-21-2008 7:28 AM

    Pass User Id to Iframe app (what worked for me)

    There have been some questions on how to pass the myspace user id to an application that runs in an iframe on the canvas surface, so here is what worked for me: 

    Code for the Canvas Surface:

     

    <iframe id="msiframe" name="msiframe" src="" height="1000" width="790" frameborder="0"></iframe>

    <script type="text/javascript">

    var serverURL='http://www.myserver.com/MSAuthenticate';  // change this to your server & authentication routine

    function init() {
        var params = {};
        params[opensocial.ContentRequestParameters.METHOD] = opensocial.ContentRequestParameters.MethodType.GET;
        params[opensocial.ContentRequestParameters.CONTENT_TYPE] = opensocial.ContentRequestParameters.ContentType.HTML;
        params[opensocial.ContentRequestParameters.AUTHENTICATION] = opensocial.ContentRequestParameters.AuthenticationType.SIGNED;
        opensocial.Container.get().makeRequest(serverURL, loadiframe, params);
    }

    function loadiframe(targetURL) { frames['msiframe'].location.href = targetURL; }

    init();
    </script>

    You then need to build a routine on your server called MSAuthenticate. This routine will receive the following parameters (HTTP GET):

    oauth_nonce '-100735'
    opensocial_viewer_id 'xxx'
    oauth_timestamp '34'
    oauth_consumer_key 'http://www.myspace.com/xxx'
    oauth_signature_method 'HMAC-SHA1'
    oauth_version '1.0'
    oauth_token ''
    opensocial_owner_id 'xxx'
    oauth_signature ''

    The MSAuthenticate routine authenticates the request (or not) and returns a URL (e.g. http://www.myserver.com/Homepage?uid=<opensocial_viewer_id>, or possibly http://www.myserver.com/InvalidRequest) which will be loaded into the iframe.

    The 'oauth_signature' parameter is currently empty, so my MSAuthentication routine is just 'approving' every request for now. Hopefully, this will be remedied prior to launch.

    Thanks to "Mike" for the makeRequest code.

    hth

    Jonathan

  • 02-26-2008 4:02 PM In reply to

    • Mark
    • Top 50 Contributor
    • Joined on 02-05-2008
    • Posts 72

    Re: Pass User Id to Iframe app (what worked for me)

     What's to stop someone from just calling http://www.myserver.com/Homepage?uid=<opensocial_viewer_id>?  How do you authenticate that request?

  • 02-27-2008 6:45 AM In reply to

    Re: Pass User Id to Iframe app (what worked for me)

    Our MSAuthenticate routine creates a string containing the uid + internal secret key + timestamp and then encrypts it. This is the parameter that is returned (not the naked uid). The internal secret key changes every call. It is stored in a server-based db, keyed by uid.

    The Homepage routine then decrypts the string and validates the individual components (i.e. must be a valid/known uid, secret key must match, timestamp must be not older than x seconds).

    This approach is reasonably secure (enough for our app for sure), and will definitely keep the script kiddies out.

     

  • 02-28-2008 12:55 PM In reply to

    • Ira
    • Not Ranked
    • Joined on 02-05-2008
    • Posts 9

    Re: Pass User Id to Iframe app (what worked for me)

    I very much appreciate the fact that you documented this for others. I have the first portion in place. I am looking for a way to accomplish this that is not so reliant on a db lookup/update every time the user requests a page (update for when they need a new key) and am researching further. If anyone has any info to share to this end, please do so on this thread, and I will do the same.

      

  • 02-28-2008 7:33 PM In reply to

    Re: Pass User Id to Iframe app (what worked for me)

    You only need to implement this process the first time you instantiate the iframe.  Once you have authenticated the user and started an iframe 'session' you can use cookies or other session mechanisms from that point forward.
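Added example (not code from any poster in this thread): a stateless variant of the handoff discussed in the replies above, for the case where a database lookup on every page is unwanted. Instead of a per-call key stored by uid, MSAuthenticate signs `uid.expiry` with a server-side HMAC key and Homepage checks it once before starting a session; `SERVER_KEY`, `issue_token` and `check_token` are hypothetical names.

```python
import base64, hashlib, hmac, time

# Hypothetical server-side key (constructed value); load the real one from secret storage.
SERVER_KEY = b"constructed-demo-key-change-me"

def _tag(payload):
    # HMAC-SHA256 over the payload, URL-safe base64 without padding.
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()

def issue_token(uid, ttl=60, now=None):
    """MSAuthenticate side: call only after the signed request has been verified."""
    expires = int(time.time() if now is None else now) + ttl
    payload = f"{uid}.{expires}"
    return f"{payload}.{_tag(payload)}"

def check_token(token, now=None):
    """Homepage side: return the uid, or None if the token is forged, altered or expired."""
    try:
        payload, tag = token.rsplit(".", 1)
        uid, expires = payload.split(".")
        expires = int(expires)
    except ValueError:
        return None                      # wrong shape
    if not uid.isdigit():
        return None                      # assumption: user ids are numeric
    # The tag is checked over the exact bytes received, in constant time.
    if not hmac.compare_digest(_tag(payload).encode(), tag.encode()):
        return None
    if (time.time() if now is None else now) > expires:
        return None                      # older than the allowed window
    return uid
```

A token stays valid until it expires, so keep `ttl` short and switch to a session cookie after the first successful check.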

  • 02-29-2008 8:06 AM In reply to

    Re: Pass User Id to Iframe app (what worked for me)

    Couldn't delete my post here.

     

    Roger

     

     

  • 03-06-2008 10:40 AM In reply to

    Re: Pass User Id to Iframe app (what worked for me)

    I see that if you set the canvas code to an iframe in the edit source tool, it passes an oauth_signature. I haven't gotten it to validate yet. If anyone has code for that, it would be great.

  • 03-06-2008 11:14 AM In reply to

    Re: Pass User Id to Iframe app (what worked for me)

    Obviously, specific code requires a specific language, but if you haven't checked it out yet, there are several libraries at Oauth.net that will get you started on validation for your server. I suppose, too, you could tweak the available libraries here on the forums, but those are really more for client-side creation of signatures, not validating them.

  • 03-07-2008 7:11 AM In reply to

    Re: Pass User Id to Iframe app (what worked for me)

    Well, php code would be ideal, but any sort of example would be fine.

    I checked out the oauth libraries. It seems there’s so much extra stuff like consumer tokens, it’s difficult for me to figure out how to make it work with MySpace.

    http://developer.myspace.com/community/RestfulAPIs/authentication.aspx

    This seems simple enough, just sort the params and hash them, but it’s not working for me.

    $params = array();
    foreach ($_GET as $key => $value) {
    if ($key != "oauth_signature") array_push($params,urlencode($key)."=".urlencode($value));
    }
    sort ($params);
    $sig = hash_hmac("sha1", implode("&",$params), "secret"."");
    echo($_GET['oauth_signature']." is not the same as ".$sig);
  • 03-07-2008 8:19 AM In reply to

    Re: Pass User Id to Iframe app (what worked for me)

    First, you seem to have the basics down, and to be blunt, I never understood it to be that simple in PHP. I'm a more .NET kinda guy.

    I'm going to assume that sort($params); sorts correctly -- I don't know the specificity of that function in PHP. My big question is this bit:

    $sig = hash_hmac("sha1", implode("&",$params), "secret"."");

    Are you actually using the literal string "secret" (appended with an empty string) as your secret key? 'Cause that's not it. The secret string is called the Security Key, and you can find it under App Details on the MyApps page. Just a big long string of characters. That's your OAuth Consumer Secret. I just realized that unless you've been reading the forums, you might not know that. Otherwise, yes, that should do it.

    Oh, and you probably realize this, but don't post your Security Key. If you need to post code with the Key in view, just fill it in with characters. A couple of people have done it, accidentally, and it's just not a good idea.

  • 03-07-2008 10:07 AM In reply to

    Re: Pass User Id to Iframe app (what worked for me)

    Thanks Jeremy. No I'm using the security key 8a3d4bddb0b.....

     I just didn't want to post it for the reason you mentioned. It's just a test app, so it really doesn't matter though.

     I still can't get this to work. Even an example in .NET would be great.

  • 03-07-2008 11:36 AM In reply to

    Re: Pass User Id to Iframe app (what worked for me)

    This is what I'm currently using, it works OK but I'm not familiar enough with OAuth to know if I'm missing anything -- any input would be appreciated.

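    // Signature sent by the container; it is left out of the signed parameters.
    $remote_signature = $_GET['oauth_signature'];
    $url = strtolower('http://url.to.this/script.php');
    unset($_GET['oauth_signature']);
    ksort($_GET);
    // Base string: METHOD & encoded URL & encoded, sorted query string.
    $base_string = 'GET&'.
                   urlencode($url).'&'.
                   urlencode(http_build_query($_GET));
    // HMAC key is the consumer secret plus '&' (the token secret is empty).
    $secret = MYSPACE_SECRET_KEY.'&';
    
    $local_signature = base64_encode(hash_hmac("sha1", $base_string, $secret, TRUE));
    
    // hash_equals() compares the two signatures in constant time.
    if (hash_equals($local_signature, (string) $remote_signature))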
      echo 'success';
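
Added example, not code from any poster in this thread: a Python version of the check in the post above that also rejects an empty signature, enforces a timestamp window and compares in constant time. It goes slightly beyond the post by percent-encoding every parameter per RFC 3986; the secret, URL and sample request are constructed placeholders.

```python
import base64, hashlib, hmac, time
from urllib.parse import quote

def pct(value):
    # OAuth 1.0 encoding: only A-Z a-z 0-9 - . _ ~ stay literal (space -> %20, not +).
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # Encode and sort the pairs (signature excluded), then encode the joined string again.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret):
    # Key is "<consumer secret>&<token secret>"; the token secret is empty here.
    key = (pct(consumer_secret) + "&").encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def verify(method, url, params, consumer_secret, max_skew=300, now=None):
    """Return opensocial_viewer_id if the request is authentic and fresh, else None."""
    supplied = params.get("oauth_signature", "")
    if not supplied or params.get("oauth_signature_method") != "HMAC-SHA1":
        return None                      # an empty signature is never approved
    try:
        ts = int(params.get("oauth_timestamp", ""))
    except ValueError:
        return None
    if abs((time.time() if now is None else now) - ts) > max_skew:
        return None                      # outside the accepted time window
    expected = sign(method, url, params, consumer_secret)
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return None
    return params.get("opensocial_viewer_id")

# Constructed sample request (placeholder secret and ids, not real values).
SECRET = "example-consumer-secret"
URL = "http://www.myserver.com/MSAuthenticate"
SAMPLE = {
    "oauth_consumer_key": "http://www.myspace.com/xxx", "oauth_nonce": "constructed-nonce",
    "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1204900000",
    "oauth_token": "", "oauth_version": "1.0",
    "opensocial_owner_id": "1001", "opensocial_viewer_id": "1001",
}
SAMPLE["oauth_signature"] = sign("GET", URL, SAMPLE, SECRET)
```

Nonce replay inside the time window is not tracked here; a short-lived nonce cache closes that gap.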
  • 03-07-2008 2:51 PM In reply to

    Re: Pass User Id to Iframe app (what worked for me)

    That is beautiful Crush!

    I need to buy you as many beers as you want!

     

  • 03-14-2008 7:47 AM In reply to

    • andy
    • Top 150 Contributor
    • Joined on 02-04-2008
    • Posts 33

    Re: Pass User Id to Iframe app (what worked for me)

    thanks Crush and OP this is exactly what I was looking for!!
  • 03-14-2008 9:16 AM In reply to

    • rob
    • Not Ranked
    • Joined on 02-25-2008
    • Posts 4

    Re: Pass User Id to Iframe app (what worked for me)

     Thanks CrushSpot! this was a huge help.

     

    -rob 
