I've had some requests from different ASP.Net developers writing applications for the OpenSocial platform lately wanting to use DevDefined.OAuth to validate signed requests with a public certificate - so I've put together a little example to help get people started.

What are we trying to do?

So first of let's review how the process works and what we're trying to achieve.



Basically as a developer for the OpenSocial platform you will be writing gadgets - these gadgets are generally defined in an XML document providing information about your application and a chunk of html content which will be rendered into an IFrame to kick the application off (including javascript functions etc. to fetch remote content) - to work around spoofing issues and to avoid cross-scripting issues your gadget can use pre-canned functions in the open-social java-script library to make requests to your own services, which to the developer appear to be a direct request to their site.

Under the hood the the requests are instead made to the opensocial host platform, which acts as a proxy passing the request onto your application - at this point the platform employes OAuth (though without any 3-pronged delegate authority being established) to sign the request using a x509 Certificate (i.e. the RSA-SHA1 signature method) at which point it calls your application with the signed request and passed on response back to the calling gadget.

The main goals in signing the request (in so far as I can tell) are to ensure it hasn't been tampered with, spoofed and provide a Nonce and timestamp so you can void replay attacks - something that using SSL alone would not prevent.

Because a lot of the mechanics of OAuth itself is being circumnavigated, it's much simpler to verify the signature is valid.

Gadget XML

Right - onto the code - Let's take a look at the Gadget XML first:


Basically the XML for the gadget is a chunk of metadata and finally some actual content for the gadget itself - notice that it regsters a handler to run on load of the gadget, and that it's then making a request to the url http://demo.devdefined.com/Friendster/SocialService.aspx and render the response in the inner HTML of the container div DOM element.

The key to this being an OAuth signed request is the 5^th line of the makeRequest function:

    params[gadgets.io.RequestParameters.AUTHORIZATION] = gadgets.io.AuthorizationType.SIGNED;

So far so good - uploading your application is pretty easy - but is generally platform specific - if you wanted to try this out on Friendster then just head to http://www.friendster.com/developer/ click on the OpenSocial tab and follow the instructions - the approach is to save your gadget definition as an XML file somewhere, then publish that XML document on the web and then create an application in your open social host of choice and direct th it to the XML files location.  It takes all of a minute to do.

ASP.Net Application (Provider)

Now for the application itself - first off you need to locate and download the provided public key (certificate) for the social platform host and either store it on the filesystem or in the case of this demo we'll just store it as a string, like so:

It's worth noting that the certificates can be changed at any time - but fair warning will be given (according to the document) - and that the location (url) of the certificate is actually included as a parameter in the requests the host makes to your application (xoauth_signature_publickey) - so it's fairly trivial to implement a caching scheme to automatically pull down and update the certificate if it has changed.

Now that we have the certificate we just need to validate the request, in this cause I'm just going to check it's been signed - I've left validating timestamps and nonces out of the example, as these tend to be propritary to the app your building, but both are easy to implement.

The process is basically using the OAuthContextBuilder class to construct a context (which is used to calculate a signature base) from the current pages request.  It then constructs a signer (used for signing requests and checking their signatures i.e. validation) and a signing context, which is used to provide additional information to the signer, such as the public key of the friendster certificate.

We then invoke ValidateSignature to ensure the signature is valid - if not we throw an exception.

Finally if an OAuthException is thrown we catch it and render it's report to response stream and close it - this provides diagnostic information as per the OAuth problem reporting extension.

Hope this has been useful to some people out there - BTW I'm no OpenSocial expert, so please direct general OpenSocial questions to the apropriate google groups, I can only help with OAuth library questions.

Problems with Friendster Requests

As a side note - for anyone who's tried writing an OpenSocial application using DevDefined.OAuth to validate request signatures they may have found it didn't work! This was a result of Friendster appending an ampersand (&) to the end of the query string on the Url, which was causing the signature base to be incorrect (I'm not sure if this is an issue for other OpenSocial implementations) - The code now checks for this and removes it if discovered - and signature validation works as expected.

You may recall a few months back I released an OAuth library for .Net (which can be found here on google code) - at the time of writing that library the only other OAuth "solution" for .Net developers was a C# file containing some simple helper functions, that didn't even produce valid results in many cases, and the rather basic implementation as part of the restful chess/myspace example.

Well the guys at Madgex in the UK have now released their own OAuth.Net library.. for more details you can:

• Check out Bruce Boughton's post on their initial release.
• Get some more details on the Madgex lab page here.
• And of course grab the code from here.

As for differences between the two implementations... from a 50K foot glance.

• There's a dependency on the Windsor container when using the Madgex library (if you want to use it's out the box implementation / configuration examples etc.)
  
• The Madgex library includes a http module for making a provider implementation easier when building web apps.
• The madgex library appears to take a harder dependency on HttpRequest then the DevDefined library (but that's just a hunch, saw it in a few interface definitions, rather then some wrapper equivalent).
  
• The madgex library looks a little more polished (i.e. xml docs) and has a configuration section.
• The Madgex library features some niceities like Sliding window validation support (i.e. they only allow messages to be supplied where the timestamp falls within a certain time window of the server, and keep the list of previous nonces only for the period of that window - flushing nonces that are not longer required via a background thread - saving on the volume of nonces to record i.e. for replay attacks).  Of course it's an in-memory solution, so not suited to farms, but still cool.
  
• Slightly less fluent consumer implementation, I prefer my libraries consumer implementation, but of course that's just me :P
• Both libraries are under the MIT license.
  

All said and done it's a very sound effort, great work guys! And it's awesome to have some choice emerging in this space.

DevDefined Ltd. have been working with Screen Architect Ltd and Catch Limited to produce a UI Prototyping add-in for Enterprise Architect (EA) - and we are pleased to see that they made their first public release, with the product now on sale from their website.

For anyone who uses Enterprise Architect, and already does UI modeling within EA, or UI prototyping with another application (or wishes to) - then why not take a look at the Screen Architect’s flagship Add-in (there's a 30 day trial available).

Changes in the wind...

I'm looking at expanding my operation (Dev Defined Limited) - after having come to the conclusion that I can't support my current client base, and certainly can't offer them enough business continuity should I be put out of action - short of taking key man insurance out on myself ;o) - I need to start growing.

At any rate I've decided to do a few things:

1. Start engaging old clients (and finding new clients) to queue up more work beyond my capacity.
   
2. Taking on additional staff to both do that work, and transfer knowledge about existing clients and solutions.

Which brings me to the point of this post, I'm going to be looking for a couple of additional development staff (both senior).

So if you're a flexible senior developer, with a strong .Net background who wants to help build a development shop up, and is looking for opportunities to stretch their legs and play with some new and interesting technologies (instead of just reading about them on blogs) then why not drop me a line?

Our projects cover a wide variety of areas, looking back over the past 8 months some of the more interesting bits of work have been:

• A client server system for audio identification, using WCF, Base4.Net with a Monorail based web front-end.
• Rich message processing system for Seismic Technologies, a large solution that included a rich winforms based remote configuration interface, integrated IronPython scripting, heavy use of dependency injection, WSE 3.0 and IoC.
  
• Library for media transformations (designed to plug-in to the SyzmkRMP product, but also for other users) - including an Audio/Video encoding library that wraps up DirectShow.Net which was open-sourced as the Splicer project on codeplex.
  

Starting package would be $85K + 5 weeks holiday, Pay review after 6 months.

And on the flip-side of that coin, I'm looking for additional project/product development work to take on board, so if you have a project that you think would benefit from our unique set of skills and experience and a team of developers with a focus on innovative solutions, drop us an email.