I have a game where a user has some stats that they need to download from my server into the myspace app via javascript.  I don't want people to be able to change the request and get data for a random user.  How would I know that this request is coming from a valid logged in myspace user?  Is there a key I should include in the request so I can verify it? 

You can use the makeRequest to call a proxy to get the data from your external website to get information. This request requires that you have a valid opensocial token. This validates that its a real user request. Find more information about this here: http://developer.myspace.com/community/myspace/myopenspace.aspx#MyOpenSpace.MySpaceContainer.makeRequest Also check out this thread: http://developer.myspace.com/Community/forums/t/37.aspx -V

 Hi Viphak,

When I make a makeRequest call to my url, I want to make sure that the opensocial_viewer_id making the request is actually allowed to get that information (or post it) and it's not someone just spoofing the request by knowing my myspace id?

I see that some params like opensocial_token and opensocial_url are included in the post to the proxy, but the only request params sent to my php server file are opensocial_owner_id and opensocial_viewer_id.

How do I verify on my server page that the user is allowed to see or do that request?

 

 Thanks!

Andy 

 Hi Andy,

 When you call the makeRequest function, you can pass in a value for the AuthType parameter of SIGNED and the request through the proxy to your server will be digitally signed according to the OAuth spec.  The oauth_consumer_key is your application URI and the key is the consumer key we provide you upon application creation.  In that way, you can be assured of the opensocial_owner_id and opensocial_viewer_id values and that the request came from our servers.  Hope that helps....you can use the OAuth tool to test requests to your servers.

 ~Paul

When will the AuthType parameter be implemented?

 alright, I tried doing this SIGNED thing, but I get the error "opensocial.ContentRequestParameters.AuthenticationType has no properties".  I'm guessing because it's not implemented?  Code is below.

    opensocial.Container.get().makeRequest(
			"http://mysite.com", 
			function(content) 
			{
                          target.innerHTML = content;
			},
                        opensocial.ContentRequestParameters.AuthenticationType.SIGNED);
	}

 I think it's supposed to be

opensocial.ContentRequestParameters.AuthorizationType.SIGNED

I changed it to:

 var params = {};
          params[opensocial.ContentRequestParameters.AUTHENTICATION] = opensocial.ContentRequestParameters.AuthorizationType.SIGNED;

	    opensocial.Container.get().makeRequest(
			"http://mysite.com", 
			function(content) 
			{
                          target.innerHTML = content;
			},
                        params);

No errors now, but I still don't see any extra POST or GET parameters.

 It looks like most of the makeRequest options haven't been implemented yet. Just be patient.. :)

I have been wondering about this myself. This seems like a MySpace specific implementation and won't work on other open social containers.

Nevertheless, I would be very interested in the code for a working example of hitting a url that authenticates a userid.

Has anybody had any success with this yet?  I can set the authentication to AuthorizationType.SIGNED, but it still doesn't seem to send any additional OAuth parameters to my app.  Any pointers would be appreciated.

 Thanks

Ditto. Even a shell of a document outlining what these might look like so I can get the logic in place and ready for when it does get turned on would be helpful. BTW: I'm really happy to see this coming - this was the biggest weakness of OpenSocial IMO.

 How can I go back and view what the consumer secret is for my app?  When I view the details for my app all it has is the "Application Domain".  Is this the same thing?

Thanks 

any updates on this? ETA on myspace implementation and anyone gettting it to work?

 

I am still getting empty oauth_token and oauth_signature on a signed request

 

 

 It is my experience, that any combination of the above does not work.

 

I have not, once, ever (is that clear :)?) gotten even a blank oauth anything.

 

I tried putting it on the url, I tried putting it as opt_params to the makeRequest call.

 

0.000% of the time, do I get any params, empty or not, added ot the call.