Last week I ran into a minor issue related to my validating signed request code in the OpenSocial Dev App. A container which had been custom written against the 0.9 spec was sending OAuth messages which were not validating, even though I was certain that I had installed the correct key for the container. After some debugging, I realized that the container was sending a property named xoauth_public_key where I was expecting xoauth_signature_publickey. Consulting the spec, I was amazed to see that the parameter had changed names in this subtle way:
| OpenSocial version | Parameter name |
|---|---|
| Before 0.9 | xoauth_signature_publickey |
| 0.9 and later | xoauth_public_key |
Since there's no signal indicating which version of the spec a signed request follows, I realized that this change will likely trip up existing app developers once Shindig changes to the new system.
Finding the appropriate bug in Shindig's issue tracker, I was happy to see that both parameters will be sent by both Java and PHP Shindig for the time being (at least until we move on to whichever version comes after 0.9). This should give a reasonable window for most developers to change their code.
If you're an app developer, it's important to change your signing code as more containers begin to support OpenSocial 0.9. It's a simple change - just check for the xoauth_public_key parameter, and if it's not available, then look for xoauth_signature_publickey instead. Once 0.9 has been fully deployed, you should be able to delete the fallback (although keeping it around for a while shouldn't break anything).
