Sunday

Gadgets aplciation with PHP and Shindig server

Shindig - an Apache incubator project for OpenSocial and gadgets

What is Shindig?

Shindig is a new project in the Apache Software Foundation incubator and is an open source implementation of the OpenSocial specification and gadgets specification.

The architectural components of Shindig can be broken down as follows:

  • Gadget Container JavaScript -- core JavaScript foundation for general gadget functionality. This JavaScript manages security, communication, UI layout, and feature extensions, such as the OpenSocial API.
  • Gadget Server -- used to render the gadget XML into JavaScript and HTML for the container to expose via the container JavaScript.
  • OpenSocial Container JavaScript -- JavaScript environment that sits on top of the Gadget Container JavaScript and provides OpenSocial specific functionality (profiles, friends, activities, datastore).
  • OpenSocial Data Server -- an implementation of the server interface to container-specific information, including the OpenSocial REST APIs, with clear extension points so others can connect it to their own backends.

Gadgets are web-based software components based on HTML, CSS, and JavaScript. They allow developers to easily write useful web applications that work anywhere on the web without modification. They are defined using a declarative XML syntax that is processed by a gadget server into a format that allows them to be embedded into various contexts: standalone web pages, web applications, even other gadgets. A context into which a gadget is embedded is called a gadget container. The container is responsible for managing the gadgets' layout and controls, as well as for supporting various functionality on behalf of the gadget. A gadget may be a simple widget, a reusable component, or a full-blown application, possibly utilizing or communicating with other gadgets.

A gadget and its XML are synonymous. The gadget XML contains all information needed to identify and render a web application.

Metadata. Several pieces of metadata are specified by the gadget developer in the gadget XML, such as author information, gadget title, and description. This data gives hints to the gadget container on how to identify it, in addition to providing data to gadget directories, which are databases that help users find gadgets useful for their needs

Gadget Features. A list of all gadget features that are either required for the gadget to operate, or may optionally be utilized if available. Gadget features are the primary extensibility mechanism employed by gadgets. They often direct a gadget server to make new JavaScript APIs available to rendering code, but may also manipulate the gadget's contents, for example to add extended syntax. Examples of gadget features include OpenSocial (provides gadgets with a rich set of social APIs), dynamic-height (enables gadgets to resize themselves to an appropriate height), and tabs (a UI library facilitating tabular navigation).

User Preferences. These are key/value pairs that form the basis of gadget configuration and persistence. They are most often manipulable by users of the gadget, and are persisted on behalf of a user so that the gadget has access to them across multiple rendering requests. The gadget container is typically responsible for providing their persistence for this data and an interface to edit it.

Message Bundles. Message bundles allow developers to internationalize their gadgets simply by adding name/message mappings corresponding to whatever languages the developer chooses to support. These messages may be accessed programmatically through the core JavaScript APIs provided to all gadgets, or may be statically substituted into code using simple syntax.

Content. Provides the actual HTML, CSS, and JavaScript to be rendered by the gadget. Two delivery mechanisms are supported:

  1. Type HTML gadgets are the most prevalent, and are imbued with the most rich feature set. Code is provided directly in the gadget XML content section for rendering and control flow. This code simply assumes that functionality is available that has been requested from whatever gadget features were declared. In the case of optional-declared features, a simple feature-existence API can and should be consulted to ensure the capability is enabled. The code is processed by a gadget server and rendered in an IFRAME.
  2. Type URL gadgets only specify a base URL. A standard set of parameters are added to this URL by the gadget server, which renders the gadget in an IFRAME. The application to which the URL points must include a referenced JavaScript library using a tag as it renders, to enable gadget APIs to be made available. Type URL gadgets can't take advantage of all features, notably features that manipulate HTML and JavaScript code directly. However, this gadget type has proven highly useful for turning existing web sites or applications into gadgets.

Multiple Content sections may be specified in gadget XML. Each is labeled with one or more optional view identifiers, which allow the gadget to behave or appear differently depending on the context in which it's rendered. This context is provided by the gadget container.

This document describes the gadget XML syntax and how it is processed by a compliant gadget server. In addition, it describes the core JavaScript APIs that must be made available to every gadget as it is rendered. While compliance can be attained by supporting only these core APIs, doing so severely limits a gadget server's usefulness. Gadget servers should support as many features as possible. Widely used, highly recommended features are listed at the end of this document.

Compliance: Gadget Server

To be gadgets-compliant, a server must be able to satisfy a Gadget Rendering Request and a JavaScript Request in the manner described. The server should be able to satisfy the Gadget Metadata Request in the manner described.

Gadget Rendering Request

The core gadget API, this translates gadget XML into content that can be rendered in a browser, typically in an IFRAME.

Inputs:

  • Gadget XML, typically specified as a URL pointing to a file on the web.
  • User prefs.
  • Locale of the end user.
  • (optional) IgnoreCache processing option.
  • (optional) Module ID, an integer identifier for the gadget in a given container context. If not provided, this defaults top 0.

Outputs:

  • HTML, CSS, and JavaScript.

Process:

  1. Fetch the gadget XML.
    1. This SHOULD consult a cache to minimize load on the gadget XML hosting server. The specific properties of caching are left to the implementation.
    2. The server may honor HTTP caching headers to provide developers with a way to balance the load their servers receive against the frequency with which they can reliably deploy updated content.
    3. The server SHOULD honor an IgnoreCache processing option. This causes all built-in spec caches to be ignored, fetching the spec directly from its canonical resource. This feature is very useful while developing a gadget.
      1. HTTP-based request servers SHOULD support this via a URL parameter named nocache.
      2. The server MAY implement denial-of-service protection limiting the number fetches for a spec in a given period of time, as a courtesy to developers.
  2. Parse the gadget XML.
    1. The XML MUST conform to the extended gadget spec XSD . This XSD represents all valid elements and attributes accepted by the legacy iGoogle gadget server (gmodules.com). However, some of these fields will be phased out. The canonical gadget spec XSD contains the subset of attributes that must be parsed and interpreted by the server. In other words, the parser MUST NOT reject gadget specs conforming to the extended spec, yet need not interpret more than the canonical spec.
  3. Identify the Locale object corresponding to the request, and fetch messages specified by it.
    1. The element is selected from the gadget XML by matching to the declared language and/or country. If an element matches both, use it. Otherwise select a language-only match over a country-only match. If no such match exists and an element is defined without language or country attributes defined, use it.
    2. Load the message bundle specified in the matched element, if any.
      1. If the message attribute is specified, use it: load the bundle from the network using the provided URL.
      2. Otherwise use the element that is a child of , if present
  4. Substitute "hangman variables" into supported gadget spec fields. Hangman variables are of the form _____, and are replaced with string values. There are four types of hangman variables, which are defined as follows.
    1. Process message bundle into __MSG_foo__ hangman variables.
      1. The bundle MUST conform to the message bundle XSD.
      2. For each message named foo with value bar, hangman expansion __MSG_foo__ = bar.
    2. For each provided User Pref with key foo and value bar, hangman expansion __UP_foo__ = bar.
    3. Hangman expansion __MODULE_ID__ = .
      1. HTTP-based request servers SHOULD use the URL parameter named mid for this.
    4. If a message bundle was found with language_direction = "rtl" , hangman expansions __BIDI_START_EDGE__ = "right", __BIDI_END_EDGE__ = "left", __BIDI_DIR__ = "rtl", __BIDI_REVERSE_DIR__ = "ltr". Otherwise __BIDI_START_EDGE__ = "left", __BIDI_END_EDGE__ = "right", __BIDI_DIR__ = "ltr", __BIDI_REVERSE_DIR__ = "rtl".
    5. Perform substitutions of each hangman expansion on all fields which get displayed to users. This currently includes, but is not limited to, the following fields:
      1. Module.ModulePrefs attributes, Module.Content@href, Module.Content, UserPref@display_name, UserPref@default_value, and UserPref.EnumValue@display_value
  5. Process gadget features, specified as or in the gadget XML.
    1. If one or more unsupported features are specified in a block, the server MUST emit a standard error message indicating that it cannot satisfy the rendering request.
      1. The message SHOULD list all requested features that could not be used because the container does not support them.
      2. The message MAY provide contact information for the gadget server administrator, along with a mechanism to request adding support for the feature.
    2. The server MUST support the following core JavaScript API, which applies to features:

      gadgets.util.hasFeature(featureName)

      As indicated in the JsDoc, this method returns true if the server is able to satisfy featureName, false otherwise. Gadget developers can use this functionality to enhance their gadgets if features are available without disabling their gadget if the features are missing.
    3. The server MUST conform to the requirements specified by each requested feature in order to claim support for it. The particulars of this vary per feature, but include injecting JavaScript APIs into rendered output or the type URL-included libraries and manipulating type HTML content to support extended syntax.
  6. Output gadget content.
    1. For type HTML gadgets, the order is as follows:
      1. Standard HTML header, opening tag and tag. information is optional. Gadgets run in browser quirks mode.
      2. Core gadgets JavaScript libraries, as specified here.
      3. Feature library initialization code, if needed.
      4. Processed gadget content, the result of steps #4 and possibly #5.
      5. A single call to gadgets.util.runOnLoadHandlers();
      6. Standard HTML closing tags.
    2. For type URL gadgets, the provided URL MUST have the following parameters added to it:
      1. up_= for each provided user preference.
      2. lang= and country=, from the provided request Locale.
      3. libs=, where is a comma-separated list of URL path fragments relative to the server's JavaScript request handler path. These fragments are added to the JS path by the type URL target to load gadget API JavaScript into its execution context.
        1. The server SHOULD consolidate all libs into a single request to minimize the number of HTTP requests made by the client browser.

Gadget Metadata Request

This API tells a gadget container how to render a gadget on a page, and gives it the container-side JavaScript it needs to support the gadget's features.

Context (container-side JavaScript):

It is often the case that the gadget container's support is required to satisfy gadget API requests due to the browser security model. For example, the dynamic-height feature allows a gadget to request that it be resized to fit its contents, particularly when it is in an IFRAME. Most often, the gadget is rendered on a different domain than its container, so it cannot modify the height itself. Rather, it makes an inter-domain procedure call to its container requesting that it be resized. This communication occurs through the core gadgets.rpc.* APIs, which use browser-specific techniques to pass messages between frames on different domains located in the same browser context. The container needs to be able to receive this request and respond accordingly - this is the function of the container-side JavaScript.

Sanitized Gadget Content Note:

Rather than a Gadget Rendering Request URL, the Gadget Metadata Request API may return a version of the gadget output sanitized for security. The Caja project provides this sanitization by rewriting HTML, CSS, and JavaScript through static analysis techniques to preclude unsafe DOM or cookie access to the gadget content, while maintaining expressiveness nearly equivalent to content running simply inside an IFRAME. This functionality is still experimental, however, so is not included in the core spec at this time.

Inputs:

  • Same as for the Gadget Rendering Request.

Outputs:

  • URL to a Gadget Rendering Request for the requested gadget.
  • Reference(s) to container JavaScript needed to satisfy needed gadget API requests.

Process:

  1. Load and parse gadget XML as described in Gadget Rendering Request steps #1 and #2.
  2. Process gadget features, specified as or in the gadget XML.
    1. Emit an error message if a required feature is not supported.
    2. Otherwise, for each requested, supported feature with container-side JavaScript, enqueue this JavaScript to return to the client.
  3. Construct URL to the corresponding Gadget Rendering Request, generated as follows:
    1. Initialize URL using a static prefix.
    2. Add parameter url=, where is URL of the requested gadget spec.
    3. Add user prefs parameters as described in Gadget Rendering Request 6.ii.a.
    4. Add locale parameters as described in Gadget Rendering Request 6.ii.b.
  4. Return the enqueued container-side JavaScript and Gadget Rendering Request URL.

JavaScript Request

In order to satisfy type URL gadgets' JavaScript library loading requests, a server MUST provide an HTTP service for retrieving core and feature-linked JavaScript.

Input:

  • Fixed path, computed by a static base URL combined with a path fragment as described in Gadget Rendering Request part 6.ii.c.

Output:

  • JavaScript code corresponding to the API(s) required by the type URL gadget.

Core JavaScript API

All core APIs MUST be provided by the server in such a way as to conform to the Gadgets API Reference. Gadget developers should not have to request any of these features, as the container should provide them all automatically.

File JsDoc
prefs.js Documentation
io.js Documentation
json.js Documentation
util.js Documentation

Highly Recommended Features

The vast majority of gadgets include one or more features. The more features a gadget server supports, the more gadgets it supports. Thus, each gadget server strongly SHOULD support as many such features as possible, especially the following features that have high usage rates. Each supplies a JavaScript API to be made available to the gadget. Features are listed with their name(s) and their associated API:

Feature File JsDoc
tabs tabs.js Documentation
minimessage minimessage.js Documentation
flash flash.js Documentation
rpc rpc.js Documentation
views views.js Documentation
skins skins.js Documentation
dynamic-height dynamic-height.js Documentation
settitle settitle.js Documentation

Overview

OpenSocial is a set of APIs for building social applications that run on the web. OpenSocial's goal is to make more apps available to more users, by providing a common API that can be used in many different contexts. Developers can create applications, using standard JavaScript and HTML, that run on social websites that have implemented the OpenSocial APIs. These websites, known as OpenSocial containers, allow developers to access their social information; in return they receive a large suite of applications for their users.

The OpenSocial APIs expose methods for accessing information about people, their friends, and their data, within the context of a container. This means that when running an application on Orkut, you'll be interacting with your Orkut friends, while running the same application on MySpace lets you interact with your MySpace friends. For more information on the types of information exposed by the OpenSocial API, see the Key concepts section.

This document describes the concepts and principles behind the OpenSocial JavaScript APIs. It is a complement to the JavaScript API Reference, which covers the details of specific methods and parameters. This document does not describe any particular implementation of the API.

Compliance

So what does it mean to be an OpenSocial container? In a practical sense, it means that a site can run any application built on the OpenSocial APIs. This implies a number of things:

  1. The container must implement all methods in the JavaScript API Reference.

    Methods may return the error code opensocial.ResponseItem.NOT_IMPLEMENTED for a specific method if the container does not support a specific request. No additional public methods or classes may be put on the OpenSocial namespace at any level. The required methods and fields are defined in the following JavaScript files:

  2. The container must only use the specified extensibility mechanisms for any container-specific extensions.

    Extra person, activity or other object fields should be defined in an enum under the container's namespace, and the environment should allow applications to discover these fields. For example, if the field orkut.PersonField.SPECIAL_FIELD is defined as "orkut.specialPersonField", then opensocial.getEnvironment().supportsField("person", "orkut.specialPersonField")opensocial.getEnvironment().supportsField(opensocial.Environment.ObjectType.PERSON, orkut.PersonField.SPECIAL_FIELD) should both return true. and

    Any extra data request types should be available with a namespaced call like myspace.newFetchAlbumRequest. The gadget would then use batchRequest.add(myspace.newFetchAlbumRequest(...)).

    Any extra objects may be added to the container's own namespace. These objects can be returned from person.getField or other similar requests.

  3. The container must satisfy the Gadgets API Specification.

    In short, this requires handling three types of requests: the Gadget Rendering Request, the Gadget Metadata Request, and the JavaScript Request.

    For the JavaScript APIs, you must implement the gadgets core JavaScript API, as per the documentation.

  4. The container must support the RESTful API Specification.

    Containers must provide both JSON and AtomPub represenatations of data. OpenSocial uses HTTP GET to retrieve, PUT to update in place, POST to create new, and DELETE to remove. POST operates on collections and creates new activities, persons, or app data within those collections.

Background

The rest of this document provides background information only and is not part of the OpenSocial specification. OpenSocial container compliance is determined solely based on the previous section, Compliance.

Key concepts

Social applications revolve around people and their relationships. OpenSocial provides a standard way for websites to expose their social graph and more. Seeing the activities of other people helps you stay up to date with your friends, and allows everything from resumes to videos to spread virally through the graph. OpenSocial also provides a way for application data to persist on a social networking site, as well as specifying the different ways that an application can be viewed within an OpenSocial container. Finally, OpenSocial defines an API through which users of web services, mobile devices, and desktop applications may interact with social data

People

It's people! Social graphs are made out of people! People are a fundamental part of social networking software and the OpenSocial API. The Person object provides access to a user's information. Part of this information is stored in the user's profile and, depending on the site, can include anything from "favorite TV shows" to "5 things you'll find in my bedroom." The other important user information is the set of connections they have in the social graph and this is covered in the Relationships section.

There are two Person objects that can be requested directly—the VIEWER and the OWNER. To understand the distinction, imagine you're checking out a coworker's profile on Orkut. In this case, you are the VIEWER and your coworker is the OWNER. It's also common to view your own profile, in which case you are both the VIEWER and the OWNER, and some applications may choose to handle this case differently. OpenSocial also provides for the case of anonymous viewing, where the gadget will not be able to access the VIEWER's information.

The API Reference contains more detailed information about the Person class.

A note about user IDs

One of the pieces of data that is always returned with a Person object is the user's ID. The user ID must be alphanumeric (A-Za-z0-9) and must uniquely identify the user in a container. This standardization is intended to allow for prefixing IDs with a domain name and separator to create globally unique IDs (e.g. "orkut.com:34KJDCSKJN2HHF0DW20394"). Note that there will likely be a size limit placed on user IDs to help manage storing IDs in a database.

Relationships

The ability to create relationships is what turns a multi-user application into social software. Being able to share information and interact with friends changes the dynamic of user experience—you're engaging with people, not software.

There are two representations of sets of people available to OpenSocial—VIEWER_FRIENDS and OWNER_FRIENDS. In the case where you're checking out a coworker's profile, requesting VIEWER_FRIENDS will return the set of users that are friends with you, while requesting OWNER_FRIENDS will return the set of users that are friends with your coworker. Logically, if you're viewing your own profile, VIEWER_FRIENDS and OWNER_FRIENDS will be the same set of users. Also, if the container support anonymous profile browsing, then the application won't be able to access the set of VIEWER_FRIENDS.

Note that OpenSocial makes no assumptions about the relationship between VIEWER and OWNER. The VIEWER and OWNER could be friends, but if you're looking at a stranger's profile, there's no relationship between you, the VIEWER, and them, the OWNER.

When an application wants to interact with or display data for "friends of friends", the OpenSocial specification supports extending a query for VIEWER_FRIENDS or OWNER_FRIENDS by a NETWORK_DISTANCE parameter. Containers can optionally support "friends of friends" queries, "friends of friends of friends" queries, and so on.

Activities

Since we can't be online all the time, it helps to have a record of what our friends have been up to, so long as your friends want to share that record. Seeing how other people are interacting with a social application also allows you to learn new features and uses of the application, so activity streams are one of the major drivers for organic growth of applications.

OpenSocial exposes activity streams, which are a collection of actions a user has taken in the context of a given container. These activities can include interaction with the container itself, such as updating your profile or installing a new gadget, or interaction with an OpenSocial application, such as sending your friend a virtual gift or setting a new high score in a game.

Activity templates allow application developers to define messages with placeholders for pieces of applicaton or user data. This separation of data and presentation allows multiple activities to be combined into activity summaries—consolidated bundles of activities that let users know what their friends are up to without having to wade through a flood of messages.

The API Reference contains more detailed information about the Activity class.

Persistence

Applications can provide a richer user experience if they can save their state between sessions. OpenSocial defines a data store that applications can use to read and write user-specific data. This data store can be read by anyone who can see the gadget, but only the VIEWER's user-scoped data is writable.

Clearly this free data store could be abused, so containers may implement quotas or rate limits to preserve their disk space. However, OpenSocial does not currently define these policies.

The keys that developers specify to index this data must only contain alphanumeric (A-Za-z0-9) characters, underscore(_), dot(.) or dash(-).

Since application data is often created based on user inputs, OpenSocial containers perform automatic HTML escaping of all application data. However, developers have the option of turning off this escaping by setting the escapeType parameter on newFetchPersonAppData and getFieldPersistence section of the OpenSocial Developer's Guide for more details. calls. See the

Views

Containers can support several different locations where gadgets may be rendered. Such locations are formally called views (formerly Surfaces in earlier versions of the API). All gadgets (not just OpenSocial applications) have become view-aware. A gadget can ask which view it is currently being rendered on, as well as what views the container supports.

Containers may define their own views, but the specification defines the following standard views in the gadgets.views.ViewType object:

  • Profile - A gadget on the profile view is rendered alongside other applications in the user's profile, so it will be smaller and can't support passing URL parameters from the container to the gadget.
  • Canvas - A gadget in the canvas view is rendered by itself, so it will have lots of real estate and URL parameters passed to the container page can be forwarded to the gadget.
  • Home - A gadget in the home view is rendered on a private "homepage" where the OWNER is always the same person as the VIEWER. There may be multiple gadgets present in this view.
  • Preview - A gadget in the preview view does not have access to either the OWNER or VIEWER objects. This view is intended to provide "test drive" functionality so that gadgets can demonstrate functionality for potential users

In addition to requesting data about the current view, gadgets may also request that the container navigate the user to another view. Imagine a news gadget that normally runs in a small profile view that changes to a full canvas view if the user clicks on a headline to get more information. Gadgets can choose the best rendering context for their current state.

When navigating to another view, a gadget may also request a change in OWNER. For example, imagine an application that places a survey on the user's profile view. This application may want to provide links to the user's friends' profiles, so that the user can see which surveys his or her friends are currently displaying.

Containers can also specify a template that applications can use to generate URLs to a specific application canvas and user. Such URLs can be shared via activity updates and printed on external websites, so linking to applications from external sources is easy.

Lifecycle events

Certain types of events may occur during the lifecycle of a gadget that are desirable yet difficult for developers to track. Such events include installs, uninstalls, rate limiting, directory listing changes, and blacklist/whitelist notifications. The gadget specification allows developers to specify URLs that the container will POST event data to when certain events are triggered.

By tracking the data POSTed to the specified URL, gadget developers can accurately track number of installs, remove database entries upon uninstall, and get automatic notifications if their gadget exceeds a quota or is marked as spam by the container. A container may optionally support sending lifecycle events to an application developer's site by sending relevant query parameters to a URL endpoint. To receive these events, you can place one or more Link tags in your application's XML. Each Link tag has a rel and href attribute. The href attribute denotes the endpoint where event pings are sent. If the rel attribute is "opensocialevent", then all events are sent to that endpoint. If the rel attribute matches "opensocialevent.TYPE", then events of TYPE are sent to that endpoint. An optional method attribute can be set to POST or GET to specify how the request should be sent. The default is GET.

Here are some examples:





The following query parameter will always be sent to the endpoint:

eventtype - the event type

Note that these requests will always be signed by the container, and your server should check that the signature is valid by using the OAuth algorithm for signature verification.

Most events will have information about one or more OpenSocial ID values. These id values are passed as one or more id attributes. Note that a single ping may aggregate a number of events by specifying many id values.

The following event types are defined. Container custom events should be designated with a domain name prefix to avoid namespace collisions.

Event Description
addapp id attribute identifies users who have installed the app.
from attribute designates how the user added this app. Values are "invite", "gallery", "external". Optional.
removeapp id attribute identifies users who have removed the app.
app action attribute designates the action performed on the app. Values are "enabled", "disabled", and "approved".
reason attribute identifies the reason for the action. Values are "policy", "quota", "maintenance". Optional.
invite id attribute indicates users who have been invited.
from_id attribute indicates the user who sent the invitation.

RESTful API

When is an OpenSocial application not just a gadget? When it has a backend server that talks directly to the container, of course! The OpenSocial RESTful API specification defines a way for servers, mobile devices, and desktop computers to interact with an OpenSocial container without requiring JavaScript or direct user interaction. Applications can update activities, send messages, and fetch OpenSocial data in the background using either an AtomPub or JSON REST service.

API Patterns

This section describes several common patterns in the OpenSocial API. Understanding these concepts should help you wade through the API Reference.

Making Requests

The OpenSocial API queries the container asynchronously for most of its calls, which is why most OpenSocial methods don't directly return data, but rather allow you to specify a callback that will be executed when the server's response is ready. Of course, making lots of asynchronous requests isn't always ideal, so the API allows for batch requests to allow developers to ask for many pieces of information at once. A developer can create an opensocial.DataRequest and add several individual request objects to it. Upon receiving the DataRequest, the container can process each request optimally and return the results of each operation as a batched result object. Containers must preserve the semantics of executing requests in serial order, though. A request that contains a write and then a read must return the newly written data, while a request that contains a read and then a write must return the data that was present before the write took place.

Capabilities Discovery

The gadgets and OpenSocial specifications determine the common APIs that all containers will support, but there are cases where a certain method or a profile field will be offered as an extension in some containers. To help developers write gadgets that can take advantage of these extensions, yet degrade gracefully in their absence, these APIs include gadgets.util.hasFeature and opensocial.Environment.supportsField methods to query the container at runtime and determine which features are available.

Of course, OpenSocial has compliance rules that must be adhered to by containers wishing to extend the API.

Action Requests and Permissions

There are cases where a gadget may wish to perform an action that needs approval by the user or mediation by the container. OpenSocial supports "request" features that allow the container to decide how to handle the interaction with the user. Functions like opensocial.requestCreateActivity, and opensocial.requestPermission allow the container to inject its own policy decisions into the gadget execution flow and notify the gadget of the result. Under this specification, it is equally valid for a container to defer to the user, always approve, always deny, or use any other method to determine responses to request calls. Additionally, this allows the container to enforce UI flows in a safe and integrated way.

Profile fields

User profiles are different from container to container. On consumer-oriented containers, applications may be interested in a user's idea of a perfect first date, but this may not be appropriate for business-oriented containers. This is why OpenSocial allows containers to extend Person objects with arbitrary fields—to match the feel and uses of each container site. Profile fields are therefore obtained through Person.getField calls rather than having hardcoded getters and setters for each property. See the Compliance and Capabilities discovery sections for more information about how containers can add additional data to the API, and how applications can determine which fields are available for use.

Fetching content from remote servers

Gadgets can use the gadgets.io.makeRequest method to pull HTML, JSON, and ATOM data from remote servers.

The gadgets.io.makeRequest call can also be used to pass data from gadgets back to application servers in a way that cannot be spoofed. The container is expected to mediate communications from the gadget to the application server (e.g. ilike.com). Therefore trusted content fetching has two main steps: [1] the gadget contacts the container, and [2] the container contacts the application server.

  1. When the gadget contacts the container, the container needs to be able to validate any parameters it knows about: the viewer id, the owner id (if known), and the application id. Validating these parameters is an implementation detail that may vary between containers. For example, Orkut uses an encrypted token passed in the document fragment of the gadget URL.
  2. When the container contacts the app server, the app server needs to be able to validate that the parameters really came from the container (and were not forged by some other entity). OpenSocial uses OAuth's parameter signing algorithm Note that most of the functionality in the OAuth spec, including token exchange, is not required; OpenSocial only plans to use the parameter signing piece of the spec (including timestamp and nonce). OpenSocial permits the HMAC-SHA1 method (except that the key is a shared secret between container and app, not a concatenation of tokens as specified in section 9.2 of the OAuth spec) and the RSA-SHA1 method. HMAC-SHA1 is faster and easier to implement, but it requires more coordination than RSA-SHA1.

If a user needs to fetch data from a protected resource, the makeRequest call supports full OAuth authentication via a container proxy. Gadgets can now access protected web services without requiring the user to share their password with the gadget, allowing for sophisticated and secure integration with web APIs that support OAuth.

Caching

When gadgets call makeRequest, the calls may be cached. This is great for reducing the load that your servers have to be able to handle, since OpenSocial applications may have millions of users, each requesting data from your server. However, this caching of makeRequest calls can wind up displaying old data to users if the content returned by your server changes often.

If you expect the content at the URL you are fetching to change frequently, you may want to work around the automatic caching with a more finely grained method. You can define a refreshInterval parameter, which should be specified as the number of seconds that should elapse before the makeRequest call requests content from your servers again. For example, specifying 10 will mean that the container would only query the supplied URL once every 10 seconds, no matter how many people are using the application. Specifying 0 will query the server each time the function is called, effectively bypassing the cached version.

Using the API reference

The JavaScript API reference is a complete listing of the methods and fields that OpenSocial requires, but some conventions are not immediately understandable. This section will explain some of the assumptions used in generating the API reference.

Virtual typing

JavaScript is not strongly typed, but in order to make the developer experience consistent, the APIs are defined as if JavaScript supported strongly typed data. Cases where a parameter or return value are defined as a certain type in the documentation indicate that this is the only type that can be provided or accepted for OpenSocial compatibility. Any exceptions to this rule will be directly documented in the reference.

As an example, the getErrorCode method is defined in the JavaScript API reference as returning a value of the type opensocial.ResponseItem.Error, although in practice this value will be a normal JavaScript string. However, developers can be assured that in a compliant container, the string returned is one of the opensocial.ResponseItem.Error fields.

Enumerations figure heavily into the OpenSocial API. Developers are permitted to reference an enum or use the enum's value directly. To avoid collisions related to extensibility, containers must ensure that the names and values for an enum match the ones defined in the spec and that custom values are namespaced appropriately. For example, an Orkut custom field named MY_PERSON_FIELD could have a name of Orkut.PersonField.MY_PERSON_FIELD and a value of "Orkut.myPersonField". See the Compliance and Capabilities discovery sections for more information.

Parameter maps

Many of the OpenSocial methods have a large number of optional parameters. JavaScript's lack of strong typing makes overloading difficult at best, and having functions with a large amount of parameters can be difficult to manage (especially for developers not using a nice IDE). OpenSocial uses the "object bag" approach to optional parameters—many methods take an additional opt_params parameter that takes the form of a map of parameter names to their corresponding values.

For each method which uses an opt_params map the spec defines all of the valid fields that will be read out of the map by the container. These fields have defined types as discussed in the Virtual typing section. If a developer adds an invalid value for a field in the map the container should return the BAD_REQUEST error code.


courtsy: apache.org and goole.com
at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Python Kafka

  Developing Microservices with Python, REST API, Nginx, and Kafka (End-to-End) Here's a step-by-step guide to developing microservices...