- working on Spring Social, which is the brains behind Greenhouse (web/mobile conference app for SpringOne)
Socializing Your Applications
- why would you want to do this?
- this is where your customers are–lots of people spend a LOT of time on Facebook
- if they're there, you want to be there with them
- Facebook–over 500 million active users
- third largest country in the world
- 50% log on to Facebook on any given day
- there's even a movie about it–that says something
- Twitter — over 100 million users
- more than 190 million unique visitors monthly
- more than 65 million tweets per day
- Others: LinkedIn (80 million members), TripIt (230,000 trips planned per month)
- More: FourSquare, YouTube (2 billion videos viewed per day), MySpace, Gowalla, Google, Flickr
- how do you use this to better your application?
- really depends on the customers and applications
- don't want to make people come to you, better to interact with people where they already are
- you can have your customers tell you things about themselves and this data would be hard to get otherwise
Types of Social Integration
- widgets
- facebook xfbml/js; the "like" button
- xfbml — tag library that's interpreted on the client by javascript
- twitter @anywhere
- linkedin widgets / linkedin jsapi
- jaspi resembles xfbml
- facebook xfbml/js; the "like" button
- embedded
- facebook applications
- igoogle gadgets
- myspace applications
- rest api
- provided by virtually all social networks
- consumed by external and embedded applications
Widgets
- facebook connect
- xfbml tag on page adds the login button to any page (<fb:login-button …>Connect to Facebook</fb:login>
- demoing "find my facebook friends" functionality (<fb:multi-friend-selector …> — fbml tags that run on the server)
- twitter @anywhere offers some javascript-based widgets, e.g. follow, connect with twitter
- can also linkify and hovercard text–does this with a class to add the links and javascript handles adding links (hovercard is the thing that shows the little twitter profile boxes for users)
- twitter anywhere has great examples in their documentation
Facebook Embedded Applications
- hosted on your own servers, but look seamless when you're on facebook (look like they're part of facebook)
- can leverage widgets, REST APIs, javascript apis, etc.
- most often used for games, quizzes, surveys, etc.
Accessing Social Data with REST Social APIs
- common operations
- get user profile
- get/update status
- get list of friends
- specialized operations
- facebook: create photo album, create a note, etc.
- twitter: create/follow a list, view trends
- tripit: retrieve upcoming trips, view friends nearby
- all done with restful apis
- most support both json and xml representations
Searching Twitter RestTemplate rest = new RestTemplate(); String query = "#s2gx"; String results = rest.getForObject("http://search.twitter.com/search.json?q={query}", String.class);
- if you want to get friends on twitter, you get the user IDs back, so you have to make another call back to get info about the user based on the user id
Facebook Graph API
- interesting form of REST API
- two basic url patterns
- http://url/id-of-object-on-facebook (the object could be a person, a page, etc.)
- http://url/id/connection where connection is something like "feed" that will give you the wall posts of the ID
- if you don't have an authorization key you only get very basic info back (name, gender, country)
Securing Social Data: OAuth is the key to social data
- most social data is secured behind oauth
- authentication takes place on social provider
- consumer application given an access token to access user's profile
- this gets around having to give another application your login credentials
- also lets you revoke access for specific applications
- consumer never knows the user's social network credentials
- demo of trying to post a tweet without being authorized–throws a 401 error
- when you sign in via oauth you're signing into the originating application (e.g. facebook) and then facebook tells the application "yes, the provided the correct authentication and have given you permission to do what you told them you were going to do"
- click "connect with facebook" button from an application
- box pops up from facebook where the user logs in and grants permissions
- facebook then makes the connection and gives the application an access key
Comparing OAuth and OpenID
- openid
- primary concern is single sign-on
- shared credentials for multiple sites
- authentication takes place on your chosen openid server
- oauth
- concern is shared data
- sign into the host application
- host application then gives some other application access
- if you sign on via oauth the underlying mechanism could be openid
Versions of OAuth in Play
- OAuth 1.0: tripit
- OAuth 1.0a: twitter, linkedin, foursquare, most others
- OAuth 2: still in draft; early adoption by facebook (not quite full oauth 2) salesforce, gowalla, github, 37signals
- on target to go final by the end of the year
Signing a request: OAuth 1.0a
- construct a base string that includes …
- the http method
- the request url
- any parameters (including post/put body parameters if the content type is "application/x-www-form-urlencoded")
- encrypt the base string to create signature
- commonly hmac-sha1, signed with api secret
- could be plaintext or rsa-sha1 (if supported)
- add authorization header to request
The OAuth 2 Dance — much simpler than oauth 1
- request authorization from user
- return to consumer with the authorization code in the request
- exchange auth code and client secret for access token
- return access token to consumer for use in REST API calls
Easy Facebook OAuth
- <fb:login-button perms="email.publish_stream,offline_access">Connect to Facebook</fb:login-button>
- offline access = the application can access your facebook account at any time
- oauth 2 gives you the option to create an access token that will expire after a period of time
- oauth 2 also has a renewal token so you can renew expired tokens, but facebook doesn't support renewal tokens yet
- if you give the application the "give this app access at any time" it's really just a way to not have the access token expire
- currently access tokens expire after about an hour
- once you authorize with FB, you get a cookie back called fbs_appKey (where appKey is your application's key)
- cookie also includes the access token and user id
- if you store access tokens in your application's local database, you should store them encrypted
- once you have the access token, you make the same call to facebook but pass the access token, and then you get a lot more of the profile info from facebook
Social REST API Challenges
- signing a request for oauth 1.0(a) is difficult when using Spring's RestTemplate
- each social provider's api varies wildly
- getting a facebook access token requires parsing the cookie string
- how should various http response codes be handled?
Spring Social
- supports social integration in Spring
- born out of Greenhouse development
TwitterTemplate
- simplifies signing of OAuth 1 requests through RestTemplate
- Offers consistent API template-based API across social providers
- extends spring MVC to offer Facebook access token and user ID as controller parameters
- maps social responses to a hierarchy of social exceptions
- Spring Social can get at the actual response to a 4XX error code which you can't get if you're using RestTemplate directly
- similar to using JdbcTemplate which gives you more detail than the raw sql exceptions
- Spring Social includes TwitterTemplate to make interacting with twitter much easier
FacebookTemplate
- a bit simpler since all that's needed is the access token
- FacebookTemplate facebook = new FacebookTemplate(ACCESS_TOKEN);
- String profileId = facebook.getProfileId();
- also linkedin template and tripittemplate
Spring Social Next Steps
- expanding available operations in social templates
- more social templates for other providers
