OpenSocial's Signed Request is a mechanism that attaches a signature to the external requests a gadget makes, so that the receiving server can verify that the request parameters have not been tampered with. The names 2-legged OAuth, Signed Request, and OAuth Consumer Request generally all refer to this same mechanism.

The implementation itself is not difficult at all, but since there don't seem to be many easy-to-use libraries available, I decided to make one. I'll release it as a beta first.

Features

This uses the OAuth library from Google Code. Public keys for orkut, Google, Friendster, hi5, hyves, Netlog, goo home, and mixi are included.

How to use

Check it out on Google Code.

svn checkout http://opensocial-signed-request-php-library.googlecode.com/svn/trunk/ opensocial-signed-request-php-library-read-only

The contents include a sample gadget (SignedRequest.xml), a sample server-side implementation (example.php), and a library.

The easiest way to understand this is to look at the sample server-side implementation, but usage is simple. Create a new SignedRequestValidator with the gadget URL as the argument and call its validate_request method. If signature verification fails, it automatically responds with HTTP 401; the code for the case where verification succeeds goes after that call.
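As an added example, not code from this library or from the Google Code OAuth library it uses, here is what the verification behind validate_request amounts to in plain PHP with the OpenSSL extension: rebuild the OAuth 1.0 signature base string, check the RSA-SHA1 signature under the container's public key, and confirm the request is for the expected gadget. The gadget URL, the PEM path and the host in $request_url are placeholders, and choosing which container's key to use (from oauth_consumer_key) is left to the caller.

```php
<?php
// Added example: the check an OpenSocial signed-request validator performs,
// written out with PHP's OpenSSL extension. Not the library's own code.

// OAuth 1.0 percent-encoding (RFC 3986 unreserved set, "~" left as-is).
function oauth_encode(string $s): string {
    return str_replace('%7E', '~', rawurlencode($s));
}

// Signature base string: METHOD & encoded URL & encoded normalized parameters.
// oauth_signature itself is excluded; pairs are sorted by key, then by value.
function signature_base_string(string $method, string $url, array $params): string {
    unset($params['oauth_signature']);
    $pairs = [];
    foreach ($params as $k => $v) {
        if (is_scalar($v)) {
            $pairs[] = [oauth_encode((string) $k), oauth_encode((string) $v)];
        }
    }
    usort($pairs, fn($a, $b) => $a <=> $b);
    $normalized = implode('&', array_map(fn($p) => "{$p[0]}={$p[1]}", $pairs));
    return strtoupper($method) . '&' . oauth_encode($url) . '&' . oauth_encode($normalized);
}

// True only if the RSA-SHA1 signature verifies under the container's public key
// and the request was made on behalf of the expected gadget (opensocial_app_url).
// Replay protection (oauth_timestamp / oauth_nonce bookkeeping) is out of scope here.
function verify_signed_request(string $method, string $url, array $params,
                               string $container_public_key_pem, string $expected_gadget_url): bool {
    if (($params['oauth_signature_method'] ?? '') !== 'RSA-SHA1') return false;
    if (($params['opensocial_app_url'] ?? '') !== $expected_gadget_url) return false;
    $sig = base64_decode($params['oauth_signature'] ?? '', true);
    if ($sig === false || $sig === '') return false;
    $key = openssl_pkey_get_public($container_public_key_pem);
    if ($key === false) return false;
    $base = signature_base_string($method, $url, $params);
    return openssl_verify($base, $sig, $key, OPENSSL_ALGO_SHA1) === 1;
}

// Usage in a request handler (placeholders: gadget URL, PEM path and host).
// Rebuild the URL from your own configuration, not from untrusted request headers.
$expected_gadget = 'http://example.com/gadget.xml';             // placeholder
$container_pem   = file_get_contents('/path/to/container.pem'); // placeholder
$request_url     = 'https://example.com' . strtok($_SERVER['REQUEST_URI'], '?');
if (!verify_signed_request($_SERVER['REQUEST_METHOD'], $request_url,
                           $_GET + $_POST, $container_pem, $expected_gadget)) {
    http_response_code(401);
    exit('Signature verification failed');
}
// Verified: opensocial_viewer_id and friends in $_GET/$_POST can now be trusted.
```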

Reference

As far as I know, there are several people who have published code or libraries for verifying signed requests in other languages.

  • Google AppEngine Python version: Works on Django gaeoauth
  • Google AppEngine Python version: Works on code
  • Works at the Apache module level mod_auth_opensocial

Summary

Although this is a beta release, I don't think there are any operational issues. However, the current code accepts a request signed by either Google or mixi as long as the gadget URL matches, so I would like to get feedback and decide whether it would be better to allow the URL to be specified arbitrarily.

*By the way, oauth_body_hash is not supported.

So, please give it a try.