Updated Dec 19, 2008 by api.kurrik.g00g1e
OrkutValidatingSignedRequests  
Validating Signed Requests in Orkut

This article has moved

Please view http://wiki.opensocial.org/index.php?title=Validating_Signed_Requests for the updated version of this article.


Comment by lokiUnbound, Feb 15, 2008

Shouldn't the viewer ID also be authenticated?

Why shouldn't the certificate be at a well known place? It can be validated because it is signed by a trusted CA, or it can be behind an HTTPS URL.

Comment by api.kurrik.g00g1e, Feb 19, 2008

Viewer will be sent if the app has permission to access the viewer object (i.e. viewer has the app installed).

The cert may eventually be moved to a https url. When the plan for releasing certs is finalized, then we will post updated information.

Comment by jfahrenkrug, Apr 03, 2008

This page says we shouldn't inline the Orkut public key but use a key cache instead. I couldn't find a PHP key cache or something similar, so I rolled my own Poor Man's PHP Key Cache. I hope this might be helpful to someone.

Comment by mittiprovence, Apr 22, 2008

I think this page should explain what it tries to solve.

I can see what it does, but I'd like to know why it needs doing.

What use can one have of it..?

What is the use case..?

Cheers

Comment by nitin.x.mittal, May 01, 2008

For a Ruby on Rails application you can use the following steps to validate an orkut signed request:

1. Install oauth gem.

2. The oauth gem has a bug which needs to be patched by http://oauth-ruby.googlegroups.com/web/fixes_for_rsa_and_action_controller_request_proxy.patch. This patch is not available in the latest release, so I have used the following steps to fix it:

  1. copy oauth/signature/rsa/sha1.rb to <rail app root>/lib/patch_sha1.rb
  2. copy oauth/request_proxy/action_controller_request.rb to <rail app root>/lib/patch_action_controller_request.rb
  3. edit <rail app root>/lib/patch_sha1.rb and <rail app root>/lib/patch_action_controller_request.rb based on the patch.

3. Once this is done, use the following code to verify the signature:

  require 'oauth/consumer'
  require 'patch_action_controller_request'
  require 'patch_sha1'
  require 'openssl'
  # this method should be in the controller, as it uses the request method
  def verify
    # I have saved the orkut cert in the public/cert folder.
    # change it based on your install
    cert_file  = "#{RAILS_ROOT}/public/cert/cert.pem"
    cert = OpenSSL::X509::Certificate.new( File.read(cert_file) )
    # take the RSA public key from the certificate
    public_key = OpenSSL::PKey::RSA.new(cert.public_key)
    req = OAuth::RequestProxy::ActionControllerRequest.new(request)
    cus = OAuth::Consumer.new('orkut.com',public_key)
    sign = OAuth::Signature::RSA::SHA1.new(req, {:consumer => cus})
    # returns true when the request signature matches
    sign.verify
  end

Comment by jigarbjpatel, Jul 17, 2008

Is there any asp.net sample code available?

Comment by florian....@gmx.de, Jul 22, 2008

hi nitin, is there any further information on using your rails example?

it doesn't work for my app. sign.verify always returns false.

greetings, florian.

Comment by johnsons, Aug 04, 2008

Also looking for ASP.Net 2.0 samples. :)

Comment by ramandhingra, Aug 07, 2008

hi people. any ideas about c#.Net?

Comment by sai.m.tun, Sep 18, 2008

Was anyone able to get the java example to work without getting the OAuthProblemException-->signature_invalid?

Comment by htafolla, Sep 23, 2008

does anyone have an example for validating igoogle requests with python?

Comment by alice.testington, Sep 23, 2008

htafolla:

I believe iGoogle and orkut share the same public key. In that case, you can use the Python code here to validate the request:

http://code.google.com/apis/opensocial/articles/appengine-0.8.html#signing

You'll need a couple of additional libraries which are linked to in the text.

Comment by brunoaalves, Nov 14, 2008

Hi Nitin and Florian, did you make it work with the oauth gem? I'm trying with the patch but sign.verify always returns false, as Florian said.

Comment by ccteens+...@ciandt.com, Dec 16, 2008

It doesn't work on JAVA! I always get an OAuthProblemException-->signature_invalid...

Is there any error in the example? Am I doing something wrong? Or is there any problem with the component?

Please, help...

Comment by JasonACooper, Dec 22, 2008

I had to debug a similar issue. It turns out that the HttpServletRequest method which returns the request URL was not including the port number. As a result, the routine was signing the wrong URL and comparing this signature to the one included in the request.

I updated the snippet at http://wiki.opensocial.org/index.php?title=Validating_Signed_Requests with my workaround -- building the request URL "by hand."

Comment by wwwvarunbansal, Jan 27, 2009

Can anyone help me with oauth server side code in php?

Comment by apija...@google.com, Jan 28, 2009

Post your questions in the OpenSocial API discussion group: http://groups.google.com/group/opensocial-api/topics

