I’m trying to understand the correct sequence of steps followed by Gmail when loading and authenticating a contextual gadget. One of the reasons (there are others) is that I want to know whether I can put the gadget manifest behind OpenID authentication so that only authenticated users will be able to pull the gadget into Gmail.
I haven’t seen any documentation on this anywhere.
Here’s how I think it works… (where mysite.com is an OpenID relying party).
User: clicks on a mail in Gmail inbox
Gmail: Load email. Retrieve gadget manifest from mysite.com/gadgets/gadget.xml
MySite: You need to be authenticated to access gadgets/gadget.xml
Gmail: Here’s the user’s OpenID
MySite: Here’s gadgets/gadget.xml
Gmail: “paints” the gadget contents on the context area of the email
Please correct me if this is wrong.
Well, I think the answer to my question is here:
http://code.google.com/googleapps/marketplace/best_practices.html#gadget_sso
According to this, there’s no implicit OpenID authentication. It’s your responsibility to make it happen by using osapi.http.get.
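As an added example (not part of the posts above or of the linked Google page), this is one shape the gadget-side check could take with `osapi.http.get`. The endpoint URL and the `authenticated` and `loginUrl` response fields are hypothetical, and the server is assumed to verify the container-signed request before answering.

```javascript
// Added example, not from the linked Google documentation.
// SESSION_URL and the response fields (authenticated, loginUrl) are hypothetical.
const SESSION_URL = 'https://mysite.com/gadgets/session';

// Accept a login URL only if it is HTTPS on the same host as SESSION_URL,
// so a tampered response cannot send the user to another site.
function validatedLoginUrl(candidate) {
  try {
    const url = new URL(candidate);
    const expected = new URL(SESSION_URL);
    return url.protocol === 'https:' && url.host === expected.host ? url.href : null;
  } catch (e) {
    return null; // missing or malformed URL
  }
}

// Ask the server, via a container-signed request, whether it knows this viewer.
// Inside a gadget, pass the global `osapi`; it is a parameter here so the
// function can be exercised with a stub.
function checkSession(osapiImpl, onReady, onLoginNeeded) {
  osapiImpl.http
    .get({ href: SESSION_URL, format: 'json', authz: 'signed' })
    .execute(function (resp) {
      const body = resp && !resp.error ? resp.content : null;
      if (body && body.authenticated === true) {
        onReady(body);
      } else {
        // Fail closed: anything but an explicit "authenticated" needs login.
        onLoginNeeded(body ? validatedLoginUrl(body.loginUrl) : null);
      }
    });
}

// Constructed stub standing in for the gadget container's osapi object.
function stubOsapi(resp) {
  return { http: { get: function (params) {
    return { execute: function (cb) { cb(resp); } };
  } } };
}

// Returns 'ready', 'login:<url>' or 'login:null' for a given stubbed response.
function outcomeFor(resp) {
  let outcome = null;
  checkSession(stubOsapi(resp),
    function () { outcome = 'ready'; },
    function (url) { outcome = 'login:' + url; });
  return outcome;
}
```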