Glad it was helpful for you guys, you're welcome.

The above code for the canvas surface used to work for me, but now all I get back in the iframe pane is a 404 pointing to: http://api.msappspace.com/apprendering/[object%20Object] I change my app to an iframe type app and it works. Any ideas?

can someone anser what the line of code below is for?

$url = strtolower('http://url.to.this/script.php');

 

thank you!

It's the URL of the PHP file the script is in. In other words, it should match what you're using as the source of your Ext. IFrame.

I'm a little confused. If my link to the authenticating script is myserver.com/authenticate.php and I want the iFrame to link to myserver.com/index.php, my code should look like this, right?

 

<?php
    $remote_signature = $_GET['oauth_signature'];
    $url = strtolower('http://myserver.com/authenticate.php');
    unset($_GET['oauth_signature']);
    ksort($_GET);
    $base_string = 'GET&'.
                   urlencode($url).'&'.
                   urlencode(http_build_query($_GET));
    $secret = 'my secret key here'.'&';
   
    $local_signature = base64_encode(hash_hmac("sha1", $base_string, $secret, TRUE));
   
    if ($remote_signature == $local_signature)
    {
        $_SESSION['authenticated']=true;
        echo "http://myserver.com/index.php";
    }
?>

The code is not properly authenticating though using the code from the OP and I can't seem to figure out why. Any ideas? 

Confirm that the IFrame src matches 'http://myserver.com/authenticate.php' exactly - that it isn't, for instance, 'http://www.myserver.com/authenticate.php'.

Confirm that '$secret' is set to the correct Security Key and that it's appending the '&'.

*Edit*
Ack! Sorry! I just took a look at the OP's code, and figured out the problem -- it's outdated. Under OS0.7, your code should look like this:

<iframe id="msiframe" name="msiframe" src="" mce_src="" height="1000" width="790" frameborder="0"></iframe>
<script type="text/javascript">
var serverURL='http://myserver.com/scripts/ms_auth.php';  // change this to your server & authentication routine

function init() {
    var params = {};
    params[gadgets.io.RequestParameters.AUTHORIZATION] = gadgets.io.AuthorizationType.SIGNED;
    gadgets.io.makeRequest(serverURL, loadiframe, params);
}

function loadiframe(targetURL) { frames['msiframe'].location.href = targetURL.text; }

init();
</script>

Sorry about that - I'm so to using CrushSpot's code for Ext. Iframe type Apps, I completely forgot about the original code.

 Hello,

 I want to pass myspace user id to my application so can you tell me the way for that and in your code what the following line want to say

 

var serverURL='http://www.myserver.com/MSAuthenticate';

 

please advice.

 

Thanks

 

Nishit 

Vorun:

$url = strtolower('http://url.to.this/script.php');

Just wanted to note that there is a slight bug in this line of code, only the domain should be normalized to lowercase.  The path and file can be case sensitive. It should be:

$url = strtolower('http://url.to.this') . '/script.php';

I don't think that solves any problems currently discussed, but did want to get it out of the way.

Hmm still can't get it to work haha. I can't find anything wrong either...

 

<?php
    $remote_signature = $_GET['oauth_signature'];
    $url = strtolower('http://xxxxxxxx.xxxxxx.xx/xxxxxxxxxxxxx/authenticate.php');
    unset($_GET['oauth_signature']);
    ksort($_GET);
    $base_string = 'GET&'.
                   urlencode($url).'&'.
                   urlencode(http_build_query($_GET));
    $secret = '80............................................d&';
    
    $local_signature = base64_encode(hash_hmac("sha1", $base_string, $secret, TRUE));
    
    if ($remote_signature == $local_signature)
    {    
        session_start();
        $_SESSION['authenticated']=true;
        echo 'http://xxxxxxxx.xxxxxx.xx/xxxxxxxxxxxxx/index.php';
    }
    else
    {
        echo 'http://xxxxxxxx.xxxxxx.xx/xxxxxxxxxxxxx/index.php';
    }
?>

 

 

<iframe id="msiframe" name="msiframe" src="" height="1000" width="790" frameborder="0"></iframe>
    <script type="text/javascript">
    var serverURL='http://xxxxxxxx.xxxxxx.xx/xxxxxxxxxxxxx/authenticate.php';

    function init() {
        var params = {};
        params[gadgets.io.RequestParameters.AUTHORIZATION] = gadgets.io.AuthorizationType.SIGNED;
        gadgets.io.makeRequest('http://xxxxxxxx.xxxxxx.xx/xxxxxxxxxxxxx/authenticate.php', loadiframe, params);
    }

    function loadiframe(targetURL) { frames['msiframe'].location.href = targetURL.text; }

    init();
    </script>

 

I have checked and double checked for any typos or errors and can't find anything wrong. Any ideas? 

I'm still working on this. Does my base string look right that I'm hashing?

 

 GET&

http%3A%2F%2Fxxxxxxxx.xxxxxx.xx%2Fxxxxxxxxxxxxx%2Fauthenticate.php

&oauth_consumer_key%3Dhttp%253A%252F%252F

www.myspace.com%252F366757491%26amp%3B

oauth_nonce%3D633434618289426114%26amp%3B

oauth_signature_method%3DHMAC-SHA1%26amp%3B

oauth_timestamp%3D1207865028%26amp%3B

oauth_token%3D%26amp%3Boauth_version%3D1.0%26amp%3B

opensocial_owner_id%3D55331270%26amp%3Bopensocial_viewer_id%3D55331270

 

where the x's represent the exact URL entered in the code I posted above... 

 edit: imagine those all as one line. they go off the page otherwise

Have you been able to get this code to work? I'm not having any luck either. Perhaps things have changed? Can anyone who has previously used this code chime in. Thanks, in advance

Right off, PHP 'echo' statements don't seem to come back to the makeRequest return; I replaced them with 'print' instead, and tried it out; it verified the signed makeRequest. I should note that during this test, I just dumped the 'targetURL.text' field into the inner HTML of a div, but it come back authenticated.

So it isn't possible to just use the external url anymore and still authenticate it?

When you set the iframe to an external url, myspace attaches parameters to the query string. On my side, I was planning on using crushspot's code to handle the request (using the external iframe url), create the signature on my side and compare it to oauth_signature passed in the query string. Unfortunately, I'm not having any luck making my local signature match the oauth_signature.

Additionally, with the approach of adding an iframe and making the request manually with javascript instead of just setting the external iframe url, you can't point to your loopback (127.0.0.1) for testing, which is really annoying.

Anyway, I'd rather just point the external iframe url to my test application that's running locally and still authenticate the request.

Any help would be greatly appreciated. Thanks, in advance

I found my mistake. Everything is authenticating nicely using the external iframe url.

I just wanted to share my experience with getting authentication to work.

I used the code provided by crushspot but it didn't work.  The remote signature was not matching with the local signature.

Looking at the base_string and comparing it with the one I tested on the myspace oauth tool, I realized that the '&' which is %26 was seen as 26%amp%3B on my side.  I also notice that the key values get double urlencoded, probably a mistake on myspace side.  Well in summary, seems like the code provided on the forum doesn't work for everyone.  I think the problem might be related to the urlencode part.

Here's the solution that works for me.  This works with canvas that uses IFRAME, which sends all the oauth info automatically when a user visits the canvas page.

$remote_signature = $_GET['oauth_signature'];
$url = strtolower('http://www.yoursite.com/authentication.php');
unset($_GET['oauth_signature']);

ksort($_GET);

$param_string = '';
$first = 0;
foreach ($_GET as $key => $value) {
    if ($first == 1) {
        $param_string .= '&'.$key.'='.urlencode($value);
    }
    else {
        $param_string .= $key.'='.urlencode($value);
    }
    $first = 1;
}

$base_string = 'GET&'.urlencode($url).'&'.urlencode($param_string);
$secret = $yoursecretkey.'&';


$local_signature = base64_encode(hash_hmac("sha1", $base_string, $secret, true));

if ($remote_signature == $local_signature)
echo 'success';