We talked about a couple of announcments, including the Prism V2 Drop 1, and it's multi-targeting support for Silverlight/WPF (Something we've talked about for a while since WPF & WPF/E first emerged) - we did cover some of the other announcments in
this post as well.

After that we ended up with quite a general discussion on what makes adopting unit testing (and test driven) practices difficult and how mocking/stubbing/AAA etc. fits in.  Interesting side-topics included the idea of teaching test driven development as the very first part of a first-year programming paper at university, behaviour driven development / specs etc.

We had another new comer this week - Guy - who gave us some perspective on how shops still focusing on C/C++ work - as always it's great to have newcomers coming along and contributing to the conversation.

Guy was Albany based, which raised the question again of if we need to have the odd Architecture chat over on the shore - my only concern is that we'd probably loose half of our existing attendees, so unless I got interest for a good 4 or 5 people on the shore It's
probably not worth bothering with - and we'd need a location that's not too noisy (we abandoned our original location in Ellerslie for that very reason).

Apologies for the late post - I have been experiencing a lot of issues since  moving to Orcons LLU (that'll teach me for hosting this blog and wiki on-site :)

Write-ups of previous Architecture Chats can be found on the wiki here.

Architecture Chat Tomorrow (Thursday) 25^th September 2008 at 11:30am, Garrisons, Sylvia Park, Auckland, New Zealand.

Some ideas for topics:

• Gallio - interoperable testing tools.
• What are the barriers to unit testing - why is still "so hard" for so many?
• Stack overflow public beta and impressions after having used it for 3 or so weeks.
• Prism V2 Drop 1.
• BDUF & DUF (Big Design Up Front and Design Up Front)
• Iron Python Beta 5
• ASP.Net Dynamic Language support
• Arrays considered somewhat harmful
• Android 1.0 SDK Released.
• C# Eval in Mono (see Miguel's posts here as well as the CharpRepl page here.

All are welcome - and for new comers directions can be found on the wiki.

If anyone has any other topics please leave a comment on this post or flick me an email, or of course just bring along your questions/topics on the day - otherwise I'll see you all there tomorrow.

Short writeup for the last architecture chat - we had 7 (or was it 8) attending the 11th September 2008 chat - including a couple of intergenites who made the arduous journey over the bridge (always nice to see some new faces!).

Topics of discussion included:

• Teched 2008 NZ
• Lack of developers in New Zealand, and problems/opportunities with current graduates emerging from various institutes.
• Working for Microsoft, the buy-up of blogging talent.
• The push to improve the profile of bloggers in NZ.
• Bloggers Dinner, Scott Hanselman etc.
• Google chrome.
• PDC 2008.
• Managed Extensibility Framework, what it is/is not - though I don't think of any us are quite sure yet - perhaps Hammet needs to do some videos? ;o)
• Generic Natural Language DSL's and interesting ideas like Intellisense for a Natural Language DSL's (I found this interesting, not sure anyone else did...)

It was a bit rambling so by the end of it I think most of us were not really sure just what we'd talked about.

As per usual previous write-ups can be found here on the wiki.  There's also a group on
LinkedIn for those who have attended in the past (or plan to attend in the future? perhaps) so you can connect with other participants.

The next chat is this Thursday - 25th September - I'll post a reminder tomorrow - and if anyone has any topic suggestions please email or leave a comment on this post.

I've had some requests from different ASP.Net developers writing
applications for the OpenSocial platform
lately wanting to use DevDefined.OAuth
to validate signed requests with a public certificate - so I've put
together a little example to help get people started.

What are we trying to do?

So first of let's review how the process works and what we're
trying to achieve.




alt="OAuthOpenSocialRequestFlow.PNG" border="1" height="112" widthsrc="692" />



Basically as a developer for the OpenSocial platform you will be
writing gadgets - these gadgets are generally defined in an XML
document providing information about your application and a chunk
of html content which will be rendered into an IFrame to kick the
application off (including javascript functions etc. to fetch
remote content) - to work around spoofing issues and to avoid
cross-scripting issues your gadget can use pre-canned functions in
the open-social java-script library to make requests to your own
services, which to the developer appear to be a direct request to
their site.



Under the hood the the requests are instead made to the opensocial
host platform, which acts as a proxy passing the request onto your
application - at this point the platform employes OAuth (though
without any 3-pronged delegate authority being established) to sign
the request using a x509 Certificate (i.e. the RSA-SHA1 signature
method) at which point it calls your application with the signed
request and passed on response back to the calling gadget.



The main goals in signing the request (in so far as I can tell) are
to ensure it hasn't been tampered with, spoofed and provide a Nonce
and timestamp so you can void replay attacks - something that using
SSL alone would not prevent.



Because a lot of the mechanics of OAuth itself is being
circumnavigated, it's much simpler to verify the signature is
valid.

Gadget XML

Right - onto the code - Let's take a look at the Gadget XML
first:

  

    

    

    

    

    

  

  

    
    

    


  ]]>

  

Basically the XML for the gadget is a chunk of metadata and finally
some actual content for the gadget itself - notice that it regsters
a handler to run on load of the gadget, and that it's then making a
request to the url
http://demo.devdefined.com/Friendster/SocialService.aspx and
render the response in the inner HTML of the container div DOM
element.



The key to this being an OAuth signed request is the 5^th
line of the makeRequest function:

   
params[gadgets.io.RequestParameters.AUTHORIZATION] =
gadgets.io.AuthorizationType.SIGNED;

So far so good - uploading your application is pretty easy - but
is generally platform specific - if you wanted to try this out on
Friendster then just head to http://www.friendster.com/developer/
click on the OpenSocial tab and follow the instructions - the
approach is to save your gadget definition as an XML file
somewhere, then publish that XML document on the web and then
create an application in your open social host of choice and
direct th it to the XML files location.  It takes all of a
minute to do.

ASP.Net Application (Provider)

Now for the application itself - first off you need to locate and
download the provided public key (certificate) for the social
platform host and either store it on the filesystem or in the
case of this demo we'll just store it as a string, like so:

public class OpenSocialCertificates

{

    private const string _friendsterCertificate =

@"-----BEGIN CERTIFICATE-----

MIIB2TCCAYOgAwIBAgIBADANBgkqhkiG9w0BAQUFADAvMQswCQYDVQQGEwJVUzEL

MAkGA1UECBMCQ0ExEzARBgNVBAoTCkZyaWVuZHN0ZXIwHhcNMDgwODEzMTgwMzQ5

WhcNMTQwMjAzMTgwMzQ5WjAvMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEzAR

BgNVBAoTCkZyaWVuZHN0ZXIwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAyVjnX2Hr

SLTyAuh2f2/OSRWkLFo3+q+l0Czb48v24Me6CsoexkPgwLOjXmPn/Pt8WtwlisQP

tZ9RX30iymg0owIDAQABo4GJMIGGMB0GA1UdDgQWBBQlDiW+HfExpSnvWqM5a1JD

C+IMyTBXBgNVHSMEUDBOgBQlDiW+HfExpSnvWqM5a1JDC+IMyaEzpDEwLzELMAkG

A1UEBhMCVVMxCzAJBgNVBAgTAkNBMRMwEQYDVQQKEwpGcmllbmRzdGVyggEAMAwG

A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADQQCXFtEZswNcPcOTT78oeTuslgmu

0shaZB0PAjA3I89OJZBI7SknIwDxj56kNZpEo6Rhf3uilpj44gkJFecSYnG2

-----END CERTIFICATE-----";
    public static X509Certificate2 FriendsterCertificate

    {

      get { return new X509Certificate2(Encoding.ASCII.GetBytes(_friendsterCertificate)); }

    }

}

It's worth noting that the certificates can be changed at any
time - but fair warning will be given (according to the document)
- and that the location (url) of the certificate is actually
included as a parameter in the requests the host makes to your
application (xoauth_signature_publickey) - so it's fairly
trivial to implement a caching scheme to automatically pull down
and update the certificate if it has changed.

Now that we have the certificate we just need to validate the
request, in this cause I'm just going to check it's been signed -
I've left validating timestamps and nonces out of the example, as
these tend to be propritary to the app your building, but both
are easy to implement.

public partial class SocialService : Page

{

    protected void Page_Load(object sender, EventArgs e)

    {

        ValidateWithDevDefinedOAuth();
        // now handle the request...

    }
    private void ValidateWithDevDefinedOAuth()

    {

        try

        {

            OAuthContext context = new OAuthContextBuilder().FromHttpRequest(Request);

            var signer = new OAuthContextSigner();

            var signingContext = new SigningContext {Algorithm = OpenSocialCertificates.FriendsterCertificate.PublicKey.Key};
            if (!signer.ValidateSignature(context, signingContext))

            {

                throw new OAuthException(context, OAuthProblems.SignatureInvalid, "check certificate is still valid");

            }

        }

        catch (OAuthException authEx)

        {

            Response.Clear();

            Response.Write(authEx.Report.ToString());

            Response.End();

        }

    }

}

The process is basically using the OAuthContextBuilder
class to construct a context (which is used to calculate a
signature base) from the current pages request.  It then
constructs a signer (used for signing requests and checking their
signatures i.e. validation) and a signing context, which is used
to provide additional information to the signer, such as the
public key of the friendster certificate.

We then invoke ValidateSignature to ensure the signature
is valid - if not we throw an exception.

Finally if an OAuthException is thrown we catch it and render
it's report to response stream and close it - this provides
diagnostic information as per the OAuth problem
reporting extension.

Hope this has been useful to some people out there - BTW I'm no
OpenSocial expert, so please direct general OpenSocial questions
to the apropriate google groups, I can only help with OAuth
library questions.

Problems with Friendster Requests

As a side note - for anyone who's tried writing an OpenSocial
application using DevDefined.OAuth to validate request signatures
they may have found it didn't work! This was a result of
Friendster appending an ampersand (&) to the end of the query
string on the Url, which was causing the signature base to be
incorrect (I'm not sure if this is an issue for other OpenSocial
implementations) - The code now checks for this and removes it if
discovered - and signature validation works as expected.

Architecture chat tomorrow, Thursday - 11^th September @
11:30am onwards.



Some possible topics / things that have caught my eye lately:

• Google Chrome - V8's great,
  flash works but our "anywhere" platform silverlight wont, and
  apparently not until chrome gains market share... hmmm.
  
  
• TechEd Roundup - including the infamous keynote.
  
• Teched Bloggers Dinner report and related "NZ blogging push"
  for the next year.
  
• C# Library for controlling EC2 Instances (via David)
  
• Generic Natural Language DSL (via ayende)
  
  
• Managed Extensibility Framework (MEF) Preview 2 vs. Mono.Addins.
  
  
• Resharper
  4.1 released.
  
  
• Spec/BDD frameworks (MSpec,
  StoryQ etc.)
  
• Monorail in the Cloud.
  

See you all there!



P.S. Information regarding the location and previous chat write-ups
can be found here.