When MySpace opens my app's canvas page in an iframe, it passes along the "opensocial_viewer_id". I want to use that value to determine who's viewing the page, but I want to make sure the value is not tampered with because it's very easy for anyone to get the URL of the iframe and change the user id in it to fool my app into thinking that it's a different user. So, I need to verify the signature that MySpace is passing to me.
This is different from the other common case in which I'm calling MySpace. In this case, I want to verify that the request I'm getting was generated by MySpace. This is how the URL that MySpace passes to the iframe looks:
http://myserver.com/example.php
?appid=xxxx
&oauth_consumer_key=http://www.myspace.com/xxxx
&oauth_nonce=xxxx
&oauth_signature=xMjcK5YLIadcRIc6dLk94yTX97k%3D
&oauth_signature_method=HMAC-SHA1
&oauth_timestamp=1225753394
&oauth_version=1.0
&opensocial_owner_id=1234
&opensocial_token=xxxxxx
&opensocial_viewer_id=1234
&ownerId=1234
&viewerId=1234
It's obvious that MySpace is signing it and using OAuth. But I can't verify the signature. The pieces of information I'm missing are:
1. What secret key does MySpace use to sign the URL? Do they use the same consumer secret key that I use when signing requests?
2. What consumer key does MySpace use? If I send a request to MySpace, I use my Consumer Key, but what does MySpace use when they send the GET request to me?
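As an added example (not code from the question or from MySpace), here is how an OAuth 1.0 HMAC-SHA1 signed request like the one above is verified server-side: rebuild the signature base string from the method, base URL and every query parameter except oauth_signature, sign it with the shared secret, and compare. It assumes the signing key is the app's consumer secret with an empty token secret; the secret and parameter values below are constructed, since the page's real secret is not given.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

def _enc(value):
    """RFC 3986 percent-encoding as OAuth 1.0 requires (only A-Z a-z 0-9 - . _ ~ stay bare)."""
    return quote(str(value), safe="-._~")

def base_url(url):
    """scheme://host[:port]/path, lower-cased, default port dropped, query string removed."""
    p = urlsplit(url)
    port = "" if p.port in (None, {"http": 80, "https": 443}.get(p.scheme.lower())) else f":{p.port}"
    return f"{p.scheme.lower()}://{p.hostname.lower()}{port}{p.path}"

def signature_base_string(method, url):
    """METHOD & enc(base URL) & enc(sorted encoded params), with oauth_signature left out."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs = sorted((_enc(k), _enc(v)) for k, v in params if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _enc(base_url(url)), _enc(normalized)])

def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """Key is enc(consumer secret) & enc(token secret); a container-signed request has no token secret."""
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()

def verify_signed_request(method, url, consumer_secret, token_secret=""):
    """True only if the oauth_signature in the URL matches what we compute from the shared secret."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    supplied = params.get("oauth_signature", "")
    if params.get("oauth_signature_method") != "HMAC-SHA1" or not supplied:
        return False
    expected = hmac_sha1_signature(signature_base_string(method, url), consumer_secret, token_secret)
    # Constant-time compare; a production handler also checks oauth_timestamp freshness and rejects reused nonces.
    return hmac.compare_digest(expected, supplied)

def sign_request(method, url, consumer_secret):
    """Appends oauth_signature the way the container would; used here only to build a test vector."""
    sig = hmac_sha1_signature(signature_base_string(method, url), consumer_secret)
    return f"{url}&oauth_signature={_enc(sig)}"

# Constructed sample: the secret and parameter values are made up, not real MySpace credentials.
CONSUMER_SECRET = "constructed-consumer-secret"
UNSIGNED_URL = ("http://myserver.com/example.php?appid=1&oauth_consumer_key=http%3A%2F%2Fwww.myspace.com%2F1"
                "&oauth_nonce=n0nce&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1225753394"
                "&oauth_version=1.0&opensocial_owner_id=1234&opensocial_viewer_id=1234")
SIGNED_URL = sign_request("GET", UNSIGNED_URL, CONSUMER_SECRET)
TAMPERED_URL = SIGNED_URL.replace("opensocial_viewer_id=1234", "opensocial_viewer_id=9999")  # edited viewer id

if __name__ == "__main__":
    print("genuine:", verify_signed_request("GET", SIGNED_URL, CONSUMER_SECRET),
          "tampered:", verify_signed_request("GET", TAMPERED_URL, CONSUMER_SECRET))
```

Changing any signed parameter, the HTTP method, or the secret makes verification fail, which is exactly what stops someone from swapping in another viewer id.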