I'm in the middle of porting a facebook app and I'm trying to figure out how I know who the user is on *my* websites backend. Forexample facebook redirects to my site when they add the app. I would assume I would need like a login button on my widget or something, but then I need to be able to store that logged in name somewhere. It sounds like OAuth is supposed to help with this but the docs seem scarce, any ideas? 

 Search the forums for the makeRequest function. Essentially, you'd use the openSocial javascript in your myspace app to grab the OWNERS Id, then you would pass that to your external app with POST or GET via makeRequest, and your app could function accordingly...

Okay, this is what I've been able to gather, and it may be completely wrong, but I don't believe OAuth is going to help you (at least, not the MySpace implementation end of it - you can use your own to communicate with your server, if you wish). MySpace's OAuth is for confirming that an App has the rights to call the Api; it's got nothing to do with any specific user (as in, a person).

I'm a bit confused, here, though - you're saying that you have, on your site, a set of accounts, whose Ids have nothing to do with MySpace's, correct? And you want people, when they install your App, to be able to access features available to their accounts on your site (or something like that), through your MySpace application.

Well, I think the easiest way is to create a form of some sort on one of the surfaces (personally, I'd choose the Home surface, so it's private). Once someone installs your app and goes back to the Home page, they'll see it. This form will allow them to "log in" to their account on your site. When they post the form, you submit their login info, along with their MySpace userId, so that from then on the two are tied together, through a makeRequest.
Or, if security is an issue, you can do a check on that Home surface to see if they've already tied an account on your site to a MySpace Id, and if they haven't, provide a link that navigates over to the Canvas surface, where you can process a login directly on your site through an IFrame, passing over their MySpace id with the call to your page.

Or maybe I'm not understanding what your asking. That could be easily true.

*Edit*
I was just looking over the ToS, and there doesn't seem to be anything that specifically disallows you from using an IFrame on the Home surface (only the Profile surface), so you can do a direct-to-your-site login there. Of course, you may want to confirm that with a MDP Team member, first.

Perhaps a scenario might clarify the question:

The application is a chess game.  Users add the application to their MySpace profile.  The application then allows the user to start a game with another user (both users have installed the application).

UserA clicks the 'Chess' application link in their profile, the application needs to know the MySpace user id of UserA so that that it can retrieve the game settings from its internal database (piece positions, whose turn it is, etc).

The way this is accomplished in other platforms is that when the user clicks on the 'Chess' application link in their profile, the platform appends the user id, a session key and a digital signature (at a minimum, other info could also be passed) as GET parameters to the applicaton link's URL. The application receives these appended parameters and can use them to determine who the user is and can also use the information to authenticate the user (so that the application can ensure that the request is real and not a hacking attempt).

Are you asking how to emulate how it's accomplished on other platforms, or specifically how to digitally sign it?

Digital signing, I'll be honest, I don't know much about, but opensocial allows you to sign makeRequest calls through the params option. Check Google's Docs for details (http://code.google.com/apis/opensocial/docs/0.6/devguide.html#Remote_Content).

As far as how to emulate that, when the user clicks a button (or whatever), first you'd use a dataRequest for OWNER information to retrieve the userId. Once that data returns, you pass the userId (with your other data) on to your chess server with a makeRequest. Once that returns a game state, you display the results.
But that sounds way too simple. I'm trying to figure out which step is going to caus issues...

Jeremy:

As far as how to emulate that, when the user clicks a button (or whatever), first you'd use a dataRequest for OWNER information to retrieve the userId. Once that data returns, you pass the userId (with your other data) on to your chess server with a makeRequest. Once that returns a game state, you display the results.
But that sounds way too simple. I'm trying to figure out which step is going to caus issues...

We can worry about digital signing/user authentication later ;-)

What is the REST API equivalent to the js "dataRequest" call?

 Jonathan, I think I know what you're asking.. let me rephrase and see if I'm right.. "How can I pass the user's myspace userid to my server-side script so I can return that user's information?" Is that right?

MySpace (OpenSocial) doesn't do what Facebook does. Facebook's servers act as an intermediary between the Facebook user and your server-side script! That way, FB can pass along variables to your server-side script when your canvas is activated... thus allowing you to figure out the user by the parameters FB passes along.On your server-sidescripts, you can make requests back to FB's servers, which the client library you're probably uses conveniently signs according to FB's API authorization algorithm (which verifies that YOUR SERVER can access FB's servers for info).

 To do the equivalent on OpenSocial / MySpace REST API. OpenSocial provides a way using Javascript to get the user who is viewing the script's ID. Again, to compare to Facebook: Whereas FB acts as a middleman, OpenSocial lets you explicitly get the user's info...The developer's blog has a good post: http://developer.myspace.com/Community/blogs/devteam/archive/2008/02/19/where-s-my-data-api.aspx

<div id="output"></div>
<script type="text/javascript">

var user_id = 0;

function init() {
    //Set the owner id so we don't have to use it later
    var personId = opensocial.DataRequest.PersonId.OWNER;
    //Create our DataRequest object
    var dr = opensocial.newDataRequest();
    //Set up an empty params object so we can use it for functions that require params.
    var opt_params = {};
    //Request Person data
    var personReq = dr.newFetchPersonRequest(personId);
    //Add all the requests to the DataRequest
    dr.add(personReq,'SmallPerson');
    //send request
    dr.send(response);
}

//Response callback...
function response(data) {
    var person = data.get('SmallPerson').getData();
    user_id = person.getField("id");
}

init();
</script>

Now, once you have the users id, you can do a makeRequest call and pass that id back IN! If you'd like to verify it on your server, you'll THEN have to implement OAuth on your server to verify it make from opensocial... I'm still looking into how to do that.

Mike:

 Jonathan, I think I know what you're asking.. let me rephrase and see if I'm right.. "How can I pass the user's myspace userid to my server-side script so I can return that user's information?" Is that right?

Exactly! 

Mike:

 To do the equivalent on OpenSocial / MySpace REST API. OpenSocial provides a way using Javascript to get the user who is viewing the script's ID. Again, to compare to Facebook: Whereas FB acts as a middleman, OpenSocial lets you explicitly get the user's info...The developer's blog has a good post: http://developer.myspace.com/Community/blogs/devteam/archive/2008/02/19/where-s-my-data-api.aspx

I am looking for the REST API equivalent to this javascript call (should be easy to implement if you already have the javascript equivalent)

Mike:

Now, once you have the users id, you can do a makeRequest call and pass that id back IN! If you'd like to verify it on your server, you'll THEN have to implement OAuth on your server to verify it make from opensocial... I'm still looking into how to do that.

I already have the OAuth authentication process working (eg. i can do a REST API call to .../users/123456789 and get the info for user 123456789), I just need a call to obtain the current user's id!  (otherwise I can't use the REST API call to .../users/xxx  because I don't have a value for xxx!).

 Hi Jonathan, again... there is no way toknow this information via a REST call, becauseYOUR script would need parameters passed to it via makeRequest!

 Think about it... you'd presumably using REST on YOUR server side script... how is YOUR server side script supposed to figure out which MySpace user is calling it, UNLESS you call it from a makeRequest JS call. The key is that OpenSocial (JS) is what allows you to discover the userid, which you then pass to YOU server side script.

Mike:

 Hi Jonathan, again... there is no way toknow this information via a REST call, becauseYOUR script would need parameters passed to it via makeRequest!

 Think about it... you'd presumably using REST on YOUR server side script... how is YOUR server side script supposed to figure out which MySpace user is calling it, UNLESS you call it from a makeRequest JS call. The key is that OpenSocial (JS) is what allows you to discover the userid, which you then pass to YOU server side script.

Our app (and many others i am sure) will run in an iframe on the Canvas surface. Ideally, the MySpace platform would append either the user id or a token that could be exchanged for the user id whenever a user clicks on the application link on their profile page.

If this is not possible, then the following process may be a work-around:

1. User clicks on application link in their profile
2. Application starts in Canvas surface, loads a js routine which makes js call to opensocial js library
3. js routine accesses "opensocial.DataRequest.PersonId.OWNER" to get user id
4. js routine creates an iframe in the Canvas surface and appends the user id to the 'src' url

This seems a bit kludgy, but is the only way I can envision iframe apps working.  Or am I missing something?

 OK, illustrate my point... make a php file on your server called get.php whose contents are:

<?print_r($_GET);?>

Upload it to your server (let's assume it's url is http://www.example.com/get.php. Now, make your myspace application code be:

<div id="output" style="width:100%;height:100%;overflow:scroll;"></div>
<script type="text/javascript">

var server_url="http://www.example.com/get.php";

function init() {
    var params = {};
    params[opensocial.ContentRequestParameters.METHOD] = opensocial.ContentRequestParameters.MethodType.GET;
    params[opensocial.ContentRequestParameters.CONTENT_TYPE] = opensocial.ContentRequestParameters.ContentType.HTML;
    params[opensocial.ContentRequestParameters.AUTHENTICATION] = opensocial.ContentRequestParameters.AuthenticationType.SIGNED;
    opensocial.Container.get().makeRequest(server_url, pageloadCallback, params);
}

function pageloadCallback(response) {              
    document.getElementById('output').innerHTML = response;
}

init();
</script>

 This shows that MySpace, via openSocial's makeRequest, will pass along the owner and viewer id! Again, this is different from FB, because when someone visits your canvas page on FB, they are visiting an FB page which then passes along the user info to your server! 

 In OpenSocial, makeRequest allows you to discover who the viewer is... since there is no pre-parsing (like FBML), and no middleman (besides for the JS that is executed!)

Most excellent! 

I tried your code (modified slightly because we are a python shop) and it worked beautifully!  The following were embedded as GET parameters when the HTTP request hit my server:

oauth_nonce '-100735'
opensocial_viewer_id 'xxx'
oauth_timestamp '34'
oauth_consumer_key 'http://www.myspace.com/xxx'
oauth_signature_method 'HMAC-SHA1'
oauth_version '1.0'
oauth_token ''
opensocial_owner_id 'xxx'
oauth_signature ''

I can definitely work with this!  This should be added to the REST API doc somewhere - it will save developers lots of time & confusion.

Thanks again,

Jonathan

Based on the OAuth spec, as much as I remember reading awhile back, there is a Token and TokenSecret. Myspace doesn't currently implement this items, but in the future I think they will.

I also think that there will be a callback mechanism once a person logs into their account so that your page will automatically get some parameters. This is a common callback scenario that I am sure myspace will implement.

Anyone from myspace able to comment on this?

-Joseph