I was pretty excited to hear about Google trying to set a standard for social network applications. I wasn’t so happy to notice a serious omission in the way security is handled.
Executive Summary: no user authentication! Any user can forge anybody else’s identity when interacting with any OpenSocial application. As it currently stands, it is not possible to write secure social applications on the platform.
For example, with any messaging application, anybody could message another user’s friends and it would look as if that user had sent the messages. Or they could post embarrassing material and it would look like someone else posted it. Or they could read any information that is supposed to be shown only to the application user, such as private notes.
How Facebook does user authentication: Facebook provides a secret key to the application developer. This key is stored on the server side of the application and is never transmitted on the wire. Facebook signs the security-sensitive headers of the request, including the user ID, with that key. The application can verify the signature using the shared secret.
This is a relatively standard way of performing authentication and Facebook gets it right.
How this could be implemented in OpenSocial: A solution can be constructed from authentication namespaces, secret key exchange and signatures. A user ID would be a URL of the form https://orkut.com/container/people/12345, where https://orkut.com/container/ is the namespace and 12345 is the user ID. The application XML descriptor would include a callback URL.
The callback would happen in two stages: first the container hits the callback URL to inform the application that a new container-to-application binding is requested for the container https://orkut.com/container/ and provides a one-time key. The application would then hit https://orkut.com/container/bind and pass back the one-time key and the application URL. The container would return the shared secret. If the shared secret is lost, the application could also hit the bind URL without a one-time key to ask that the exchange be repeated.
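To make the signing half of this proposal concrete, here is an added example (not code from OpenSocial, Facebook or the author) of what the container would do once the bind step has produced a shared secret, and what the application's server side would do to check it. The header names and the constructed secret are assumptions for the example; the namespace and user ID are the ones used above.

```python
import hmac
import hashlib

# Assumed header names: the container puts the namespace and the user ID in
# these request headers and signs exactly this set, in this order.
SIGNED_HEADERS = ("X-Container-Namespace", "X-Container-User-Id")

# Constructed shared secret, standing in for the value returned by the bind URL.
# It lives only on the container and on the application's server side.
SECRET = b"constructed-shared-secret-from-bind-step"


def canonical_string(headers):
    """Serialise the signed headers in a fixed order so both sides MAC the same bytes."""
    return "\n".join(f"{name}:{headers[name]}" for name in SIGNED_HEADERS)


def sign_request(headers, shared_secret):
    """Container side: HMAC-SHA256 over the security-sensitive headers."""
    mac = hmac.new(shared_secret, canonical_string(headers).encode(), hashlib.sha256)
    return mac.hexdigest()


def verify_request(headers, signature, shared_secret):
    """Application side: recompute the MAC and compare in constant time.

    Returns the namespaced user ID URL on success, or None if any signed header
    is missing or the signature does not match (e.g. a forged user ID).
    """
    if any(name not in headers for name in SIGNED_HEADERS):
        return None
    expected = sign_request(headers, shared_secret)
    if not hmac.compare_digest(expected, signature):
        return None
    return f"{headers['X-Container-Namespace']}people/{headers['X-Container-User-Id']}"


def demo():
    """Genuine request verifies; the same signature with a swapped user ID does not."""
    headers = {"X-Container-Namespace": "https://orkut.com/container/",
               "X-Container-User-Id": "12345"}
    sig = sign_request(headers, SECRET)
    genuine = verify_request(headers, sig, SECRET)
    forged = dict(headers, **{"X-Container-User-Id": "67890"})
    return genuine, verify_request(forged, sig, SECRET)
```

Note that this binds the user ID to the container's key but not to a point in time; if replay of a captured request matters for the application, a timestamp or nonce would have to be among the signed headers.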