Request from Gadget Server to Game Server

The Gadget server submits a content request to the game server according to the request from the user.

Information Sent From the Gadget Server

Request Headers

Header name      Description
User-Agent       Browser information of the user's mobile device
Accept-Encoding  Allows gzip or deflate compression for the communication

  • The User-Agent request header from the user is proxied directly to the game server. Use this value to distinguish an iPhone from an Android mobile device.
  • Information specific to each mobile device (such as the serial number) is deleted by the Gadget server.
  • All other request headers from the user are deleted by the Gadget server.

Query Parameters

Field name            Description
opensocial_app_id     ID of this application
opensocial_viewer_id  ID of the user using this application
opensocial_owner_id   ID of the user who installed this application

  • Currently, opensocial_viewer_id and opensocial_owner_id contain the same value.
  • Some query parameters specified by the user are included in addition to these.

OAuth Signature Verification

The OAuth Signature, which is contained in the Authorization header, is used to verify that the request to the game server has not been falsified. Always verify the OAuth Signature so that a forged request from a malicious third party cannot cause an unexpected action to occur. Note that a request for an image file does not normally carry an Authorization header; if you want such a request to be verifiable, you must set the signed=1 query parameter.

Perform the following procedure to verify the request.

Base String Generation

Generate the Base String according to the following procedure.

1. Get the HTTP request method. (Example: GET)
2. Prepare the URL without the query parameters. (Example: http://example.com/123456789)
3. Get the protocol parameters from the Authorization header, excluding realm and oauth_signature.

Parameters Obtained from the Authorization header

Field name              Description
oauth_consumer_key      Issued when the application is registered
oauth_nonce             Unique value for each request
oauth_signature_method  Signature method (always HMAC-SHA1)
oauth_timestamp         UNIX timestamp
oauth_token             Access token
oauth_token_secret      Token secret
oauth_version           OAuth version (always 1.0)

4. Get all query parameters that were sent from the Gadget server.
5. For a POST request whose Content-Type is application/x-www-form-urlencoded, also get the body parameters.
6. Combine the parameters obtained in steps 3 to 5 according to the specification: percent-encode every character of each key and value other than alphanumeric characters, "-", ".", "_", and "~"; join each key to its value with "="; sort the resulting key/value pairs in alphabetical order; and concatenate them with "&". As the example below shows, the request method, the percent-encoded URL, and the percent-encoded parameter string are then joined with "&" to form the Base String. Note that Japanese characters that are POSTed do not need to be converted to UTF-8.

Base String Generation Example

Example of a request arriving at the game server

GET ?opensocial_app_id=999999&opensocial_viewer_id=12345&opensocial_owner_id=12345 HTTP/1.1
Authorization:
OAuth realm="",
oauth_consumer_key="abcdefghij1234567890",
oauth_nonce="abcdefghij1234567890",
oauth_signature="I%2BInIlnDZOUuB%2FROXjjOC%2Bi09fc%3D",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="1234567890",
oauth_token="abcdefghij1234567890",
oauth_token_secret="abcdefghij1234567890",
oauth_version="1.0"

The Base String will be as follows.

GET&http%3A%2F%2Fexample.com&
oauth_consumer_key%3Dabcdefghij1234567890%26
oauth_nonce%3Dabcdefghij1234567890%26
oauth_signature_method%3DHMAC-SHA1%26
oauth_timestamp%3D1234567890%26
oauth_token%3Dabcdefghij1234567890%26
oauth_token_secret%3Dabcdefghij1234567890%26
oauth_version%3D1.0%26
opensocial_app_id%3D999999%26
opensocial_owner_id%3D12345%26
opensocial_viewer_id%3D12345

Signature Generation and Comparison

The Signature is generated by signing the Base String with the key string.

The key string is obtained by percent-encoding the Consumer Secret that was issued when the application was registered and concatenating it with the oauth_token_secret from the Authorization header using "&". The digest value is computed with the algorithm specified by oauth_signature_method in the Authorization header (currently HMAC-SHA1). The Signature is the BASE64 encoding of this digest (if characters such as newline codes are appended when the digest value is generated, remove them before BASE64 encoding).

You can verify a request by comparing this value with the oauth_signature from the Authorization header.

The value that is obtained from the previous example is

I+InIlnDZOUuB/ROXjjOC+i09fc=

and the request is verified if

oauth_signature="I%2BInIlnDZOUuB%2FROXjjOC%2Bi09fc%3D"

from the Authorization header, after URI-unescaping, is the same as this value.
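The base string construction and signature comparison described above, together with the timestamp and nonce checks that the sample code below leaves to the implementer, as an added Python example that is not the page's own Perl or PHP sample. The consumer secret "hypothetical-consumer-secret" and the 300-second timestamp window are assumptions; the oauth_token_secret is used as received from the header, as the page describes.

```python
import base64, hashlib, hmac, re, time
from urllib.parse import parse_qsl, quote, unquote


def pct(s):
    """OAuth percent-encoding: only alphanumerics and - . _ ~ stay unencoded."""
    return quote(str(s), safe="-._~")


def parse_auth_header(header):
    """Parse 'OAuth realm="", k="v", ...' into a dict with percent-decoded values."""
    return {k: unquote(v) for k, v in re.findall(r'(\w+)="([^"]*)"', header)}


def base_string(method, url, auth_params, query_params, body_params=()):
    """Steps 1-6: method & encoded URL & encoded, sorted 'k=v' pairs joined by '&'."""
    params = [(k, v) for k, v in auth_params.items()
              if k not in ("realm", "oauth_signature")]   # step 3
    params += list(query_params) + list(body_params)      # steps 4 and 5
    encoded = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params))
    return "&".join([method.upper(), pct(url), pct(encoded)])


def compute_signature(base, consumer_secret, token_secret):
    """HMAC-SHA1 keyed with pct(consumer_secret) + '&' + oauth_token_secret, then BASE64."""
    key = f"{pct(consumer_secret)}&{token_secret}".encode("utf-8")
    digest = hmac.new(key, base.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")  # b64encode adds no newline


def verify_request(method, url, query_string, auth_header, consumer_secret,
                   seen_nonces, now=None, window=300):
    """True only if the timestamp window, nonce freshness and signature all pass."""
    auth = parse_auth_header(auth_header)
    if auth.get("oauth_signature_method") != "HMAC-SHA1" or auth.get("oauth_version") != "1.0":
        return False
    try:
        ts = int(auth["oauth_timestamp"])
    except (KeyError, ValueError):
        return False
    if abs((time.time() if now is None else now) - ts) > window:
        return False  # stale or future-dated request (window is an assumed value)
    nonce_key = (auth.get("oauth_consumer_key"), auth.get("oauth_nonce"), ts)
    if nonce_key in seen_nonces:
        return False  # replayed request
    query = parse_qsl(query_string, keep_blank_values=True)
    expected = compute_signature(base_string(method, url, auth, query),
                                 consumer_secret, auth.get("oauth_token_secret", ""))
    if not hmac.compare_digest(expected.encode(), auth.get("oauth_signature", "").encode()):
        return False
    seen_nonces.add(nonce_key)  # record the nonce only after a successful check
    return True
```

Running base_string on the page's example request reproduces the Base String shown above exactly; the signature value cannot be reproduced here because the page does not give the Consumer Secret.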

OAuth Signature verification sample code

The following sample code only checks the validity of the Signature; validity checks of the timestamp and nonce must be performed separately.

Perl

  • The OAuth::Lite module used in the sample is distributed by CPAN.
  • Use OAuth::Lite module version 1.24 or later.

PHP

  • The OAuth library used in the sample is distributed by the OAuth community.

Reference Links

The OAuth Core 1.0 Protocol draft-hammer-oauth-10
OAuth Core 1.0 Revision A

Revision History

  • 03/29/2013
    • Adding Accept-Encoding description
  • 03/15/2013
    • Document migrated
