OpenSocial Restful Protocol -...
Containers SHOULD carefully consider security. Containers MUST
support OAuth but SHOULD use appropriate policies to determine allowed
operations on a per-Consumer and per-user basis. Per the OAuth spec,
Containers SHOULD document how a Consumer can direct a user to a
Container web page to obtain an oauth_token for future use. Note that
this is a vector for phishing if the user is required to enter their
credentials.

Containers SHOULD support SSL connections for sensitive data, as
OAuth on its own does not provide encryption or message body integrity
checking. Containers should base their security decisions on the type
of client in use; a generally available desktop client, for example,
cannot effectively protect a Consumer Secret that is installed with
each client. The security of communications with a partner service, on
the other hand, is dependent on the effectiveness of that service's
security procedures. Containers may wish to rate limit requests from
unknown clients, or require registration, in order to mitigate risk.

Containers should scope oauth_tokens as narrowly as possible (e.g.,
allow reading but not writing if a client only performs reads).
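As an added example (not part of the OpenSocial spec or any Container implementation), the Python below sketches how a Container might apply the rules above to an incoming OAuth 1.0a request: it verifies the HMAC-SHA1 signature, rejects stale timestamps and replayed nonces, checks the token's scope against the HTTP method, requires TLS for writes because OAuth signs but does not encrypt, refuses writes from desktop clients whose Consumer Secret cannot be kept confidential, and rate-limits unregistered Consumers. The registry contents, the `authorize`/`make_request` helpers, the limits and the URL are all hypothetical; `make_request` plays the Consumer side so the exchange can be exercised offline.

```python
# Added example, not from the OpenSocial spec or any Container: a Container-side
# policy check for OAuth 1.0a signed requests. Registry, limits, names are hypothetical.
import base64, hashlib, hmac, time
from collections import defaultdict, deque
from urllib.parse import parse_qsl, quote, urlsplit

def pct(s):
    """OAuth 1.0a percent-encoding: only RFC 3986 unreserved characters stay bare."""
    return quote(str(s), safe="-._~")

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the OAuth 1.0a signature base string (method & url & params)."""
    u = urlsplit(url)
    base_url = f"{u.scheme}://{u.netloc}{u.path}"
    items = list(parse_qsl(u.query, keep_blank_values=True))
    items += [(k, v) for k, v in params.items() if k != "oauth_signature"]
    norm = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in items))
    base = "&".join([method.upper(), pct(base_url), pct(norm)])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

# Hypothetical Consumer registry. client_type drives policy: a desktop Consumer ships
# its secret inside every install, so a valid signature says little about the sender.
CONSUMERS = {
    "partner-key": {"secret": "partner-s3cret", "client_type": "server"},
    "desktop-key": {"secret": "shipped-in-binary", "client_type": "desktop"},
}
# Hypothetical tokens, scoped as narrowly as each Consumer's use requires.
TOKENS = {
    "tok-ro": {"secret": "ro-secret", "user": "alice", "consumer": "partner-key", "scope": {"read"}},
    "tok-rw": {"secret": "rw-secret", "user": "alice", "consumer": "partner-key", "scope": {"read", "write"}},
    "tok-dk": {"secret": "dk-secret", "user": "bob", "consumer": "desktop-key", "scope": {"read"}},
}
WRITE_METHODS = {"POST", "PUT", "DELETE"}
MAX_SKEW = 300  # seconds of clock drift tolerated in oauth_timestamp

class RateLimiter:
    """Sliding-window request counter keyed by caller identity."""
    def __init__(self, limit, window):
        self.limit, self.window, self.hits = limit, window, defaultdict(deque)
    def allow(self, key, now):
        q = self.hits[key]
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

unknown_limiter = RateLimiter(limit=5, window=60)   # unregistered callers: tight
desktop_limiter = RateLimiter(limit=60, window=60)  # per user behind a desktop client
seen_nonces = set()

def authorize(method, url, params, now=None):
    """Decide whether a signed request may proceed; returns (allowed, reason)."""
    now = time.time() if now is None else now
    op = "write" if method.upper() in WRITE_METHODS else "read"
    key = params.get("oauth_consumer_key", "")
    consumer = CONSUMERS.get(key)
    if consumer is None:
        # Nothing can be verified for an unknown client: rate limit it, public reads only.
        if not unknown_limiter.allow(key or "anonymous", now):
            return False, "rate limited: unknown consumer"
        return op == "read", "unknown consumer: public read only"
    token = TOKENS.get(params.get("oauth_token", ""))
    if token is None or token["consumer"] != key:
        return False, "token not issued to this consumer"
    expected = sign(method, url, params, consumer["secret"], token["secret"])
    if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
        return False, "bad signature"
    # OAuth's only replay defence is timestamp plus nonce, so enforce both.
    ts_raw = params.get("oauth_timestamp", "")
    ts = int(ts_raw) if ts_raw.isdigit() else -1  # non-numeric counts as stale
    nonce = (key, params.get("oauth_nonce", ""), ts)
    if abs(now - ts) > MAX_SKEW or nonce in seen_nonces:
        return False, "stale or replayed request"
    seen_nonces.add(nonce)
    # OAuth signs the request but does not encrypt it: sensitive writes need TLS.
    if op == "write" and urlsplit(url).scheme != "https":
        return False, "writes require https"
    if op not in token["scope"]:
        return False, f"token lacks {op} scope"
    if consumer["client_type"] == "desktop":
        # The secret is effectively public, so decisions rest on the user, not the Consumer.
        if op == "write":
            return False, "desktop clients may not write"
        if not desktop_limiter.allow((key, token["user"]), now):
            return False, "rate limited: desktop client"
    return True, f"{op} as {token['user']} for {key}"

def make_request(method, url, consumer_key, consumer_secret, token_key, token_secret, nonce, now):
    """Consumer side of the exchange: build and sign the oauth_* parameters."""
    params = {"oauth_consumer_key": consumer_key, "oauth_token": token_key,
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(int(now)),
              "oauth_nonce": nonce, "oauth_version": "1.0"}
    params["oauth_signature"] = sign(method, url, params, consumer_secret, token_secret)
    return params
```

The ordering of checks matters: the signature is verified before the nonce is recorded, so an attacker who tampers with a captured request cannot burn the legitimate sender's nonce, and the unknown-Consumer branch never reaches the signature code at all, since there is no secret to verify against. Scope and transport are enforced on the Container regardless of what the token's scope string promises, which is what "allow reading but not writing" amounts to in practice.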