OpenAuthSocial or (ReallyOpenSocial)

Posted by Pelle November 4th, 2007

Gabe has written a great piece, “Opensocial Tips of the Hat and Wags of the Finger”, that anyone looking at implementing OpenSocial apps should read.

Basically he says that while it’s great that there is a new API for writing apps that work in a variety of social networks, it doesn’t really open these social networks up. Specifically he warns:

It actually reinforces identity and social network silos by removing the pain point for developers. Before OpenSocial, developers and users were aligned in the shared pain of fragmented user networks across multiple social sites. Developers had to develop separate applications and “chase the users”, and users had to use multiple sites to meaningfully reach the full span of their real world social networks (often with a bunch of painful replication drudgery). Now, developers don’t feel nearly the same pain – “chasing the users” is not a lot easier, and I would expect the call from the developer community for portable social networks to be quieted somewhat, at least in the short term.

This is a very good point. It is the same way that MS made it easy to write VB apps, thus achieving lock-in with lots of independent developers.

So what are the alternatives? I think the actual OpenSocial APIs would be a good start, but with added support for things like OpenID and OAuth, thus making it really open.

We need to think about how to open this up, but the obvious approaches are using OAuth instead of Google’s proprietary AuthSub on the People Data API and even on hCard-formatted HTML pages.

Within the actual JavaScript API the DataRequest object could be extended to transparently handle and create OAuth tokens to delegate requests to other sites. Something like this maybe:

var req = opensocial.newExternalRequest("http://twitter.com/");
if (req.authorized()) {  // Checks if we already have an OAuth token for twitter
    req.add(req.newFetchPersonRequest(
                opensocial.DataRequest.PersonId.VIEWER),
            "followers");
} else {
    req.authenticate();  // Tells container to start OAuth authentication process to twitter
}

Again, this is just an idea, but maybe it’s a start. Someone could create a Rails plugin to make it dead easy to become an OpenAuthSocial container.

It seems the basics needed to create an OpenSocial container would be to implement the People Data API, the Activities Data API (just Atom AFAIK) and the Persistence Data API.

To make it OpenAuthSocial we would need to create an OAuth Token Creation REST API. Off the top of my head, the API could look like this:

Receive a list of the services supported by the container, identified by their URLs:

GET /oauth_services

Check if the container supports Twitter: 200 if yes and the current user has a token, 401 if yes but the current user doesn’t have a token, and 404 if not.

GET /oauth_services/twitter.com

Start the authentication process for creating a token on Twitter for the current user:

GET /oauth_services/twitter.com/authenticate

This simple API could easily be wrapped into a JS API. When delegating calls to the OAuth service you could simply pass a header when creating the DataRequest to say which service to delegate to. This would allow the whole thing to be fairly transparent to the developer of the OpenAuthSocial gadget.
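The three endpoints above and their status codes, as an added sketch of container-side routing plus a gadget-side wrapper; this is not code from the original post or from any OpenSocial container. The service list, the token store layout, the 405 and 302 responses and the `/oauth_start` path are assumptions made for the illustration.

```javascript
// Added sketch: container-side routing for the proposed /oauth_services API.
const SUPPORTED = ["twitter.com"]; // constructed sample list of supported services

// tokenStore: Map of userId -> Map of service -> OAuth token (assumed layout).
// Tokens stay inside the container; responses carry only a status code.
function handleOAuthServices(method, path, userId, tokenStore) {
  if (method !== "GET") return { status: 405 }; // assumption: the API is GET-only
  const parts = path.split("/").filter(Boolean);
  if (parts[0] !== "oauth_services" || parts.length > 3) return { status: 404 };

  // GET /oauth_services -> services supported by the container, as URLs
  if (parts.length === 1) {
    return { status: 200, body: SUPPORTED.map((s) => "http://" + s + "/") };
  }

  const service = parts[1].toLowerCase();
  if (!SUPPORTED.includes(service)) return { status: 404 }; // not supported

  // GET /oauth_services/<service>/authenticate -> start the OAuth process
  if (parts.length === 3) {
    if (parts[2] !== "authenticate") return { status: 404 };
    // Hypothetical container page that runs the OAuth exchange for this user.
    return { status: 302, location: "/oauth_start?service=" + encodeURIComponent(service) };
  }

  // GET /oauth_services/<service> -> 200 if the user has a token, 401 if not
  const userTokens = tokenStore.get(userId) || new Map();
  return { status: userTokens.has(service) ? 200 : 401 };
}

// Gadget-side wrapper: turn the status code into a state the gadget can act on.
function serviceState(service, userId, tokenStore) {
  const res = handleOAuthServices("GET", "/oauth_services/" + service, userId, tokenStore);
  const states = { 200: "authorized", 401: "needs_authentication", 404: "unsupported" };
  return states[res.status];
}

// Constructed sample data: alice already has a twitter.com token, bob does not.
const sampleTokens = new Map([["alice", new Map([["twitter.com", "constructed-token"]])]]);
console.log(serviceState("twitter.com", "alice", sampleTokens));
console.log(serviceState("twitter.com", "bob", sampleTokens));
```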
