J’écrivais ce message à un ami, à propos de mon expérience sur le site xkcd.com.

BD de xkcd

Donc…

• Je vois le dernier xkcd.
• Ça me fait réagir.
• Je veux répondre.
• Je sais qu’il y a des forums pour accompagner ces bande dessinées.
• Je vais sur le forum lié à celui-ci (déjà quelques clics et il fallait que je connaisse l’existence de tout ça).
• J’appuie sur Post Reply
• Ça me demande de m’identifier.
• Comme je crois avoir déjà envoyé quelque-chose là, je me branche avec mon username habituel.
• Ah, mauvais mdp.
• Je fais “forget pw”.
• Oups! J’avais pas de compte avec mon adresse gmail (faut que ça soit la bonne combinaison donc, si je me rappelle pas de mon username, ça marche pas).
• Je me crée un nouveau profil.
• Le captcha est illisible, ça me prend plusieurs tentatives.
• Faut que j’aille sur mon compte gmail activer mon compte sur les forums xkcd.
• Une fois que c’est fait, je me retrouve à la page d’accueil des forums (pas à la page où j’essaie d’envoyer ma réponse).
• Je retrouve la page que je voulais.
• J’appuie sur Post Reply.
• J’écris ma réponse et je l’envoie.
• Évidemment, mon profil est vierge.
• Je vais modifier ça.
• Ça commence par mon numéro ICQ?? Eh bé!
• Plus bas, je vois des champs pour Website et Interests. Je remplis ça rapidement, en pensant au plus générique.
• Il y a aussi ma date de fête. Pas moyen de contrôler qui la voit, etc. Je l’ajoute pas.
• J’enregistre les autres modifications.
• Et j’essaie de changer mon avatar.
• Il y a pas de bouton pour uploader.
• Ça passe par une Gallery, mais il y a rien dedans.
• Je laisse tomber, même si je sais bien que les geeks de xkcd sont du genre à rire de toi si t’as un profil générique.
• Je quitte le site un peu frustré, sans vraiment avoir l’impression que je vais pouvoir commencer une conversation là-dessus.

Deuxième scénario.

J’arrive sur un site qui supporte Disqus (par exemple Mashable).

• Je peux envoyer un commentaire en tant que guest.

You are commenting as a Guest. Optional: Login below.

Donc, si je veux seulement laisser un commentaire anonyme, c’est tout ce que j’ai à faire. «Merci, bonsoir!»

Même sans me brancher, je peux faire des choses avec les commentaires déjà présents (Like, Reply).

Mais je peux aussi me brancher avec mes profils Disqus, Facebook (avec Facebook Connect), ou Twitter (avec OAuth). Dans chaque cas, si je suis déjà branché sur ce compte dans mon browser, j’ai juste à cliquer pour autoriser l’accès. Même si je suis pas déjà branché, je peux m’identifier directement sur chaque site.

Après l’identification, je reviens tout de suite à la page où j’étais. Mon avatar s’affiche mais je peux le changer. Je peux aussi changer mon username, mais il est déjà inscrit. Mon avatar et mon nom sont liés à un profil assez complet, qui inclut mes derniers commentaires sur des sites qui supportent Disqus.

Sur le site où je commente, il y a une petite boîte avec un résumé de mon profil qui inclut un décompte des commentaires, le nombre de commentaires que j’ai indiqué comme “likes” et des points que j’ai acquis.

Je peux envoyer mon commentaire sur Twitter et sur Facebook en même temps. Je peux décider de recevoir des notices par courriel ou de m’abonner au RSS. Je vois tout de suite quel compte j’utilise (Post as…) et je peux changer de compte si je veux (personnel et pro, par exemple). Une fois que j’envoie mon commentaire, les autres visiteurs du site peuvent voir plus d’infos sur moi en passant avec la souris au-dessus de mon avatar et ils peuvent cliquer et avoir un dialogue modal avec un résumé de mon compte. Ce résumé mène évidemment sur le profil complet. Depuis le profil complet, les gens peuvent suivre mes commentaires ou explorer divers aspects de ma vie en-ligne.

Suite à mon commentaire, les gens peuvent aussi me répondre directement, de façon anonyme ou identifiée.

J’ai donc un profil riche en deux clics, avec beaucoup de flexibilité. Il y a donc un contexte personnel à mon commentaire.

L’aspect social est intéressant. Mon commentaire est identifié par mon profil et je suis identifié par mes commentaires. D’ailleurs, la plupart des avatars sur Mashable sont des vraies photos (ou des avatars génériques) alors que sur le forum xkcd, c’est surtout des avatars «conceptuels».

Ce que xkcd propose est plus proche du “in-group”. Les initiés ont déjà leurs comptes. Ils sont “in the know”. Ils ont certaines habitudes. Leurs signatures sont reconnaissables. L’auteur de la bd connaît probablement leurs profils de ses «vrais fans». Ces gens peuvent citer à peu près tout ce qui a été envoyé sur le site. D’ailleurs, ils comprennent toutes les blagues de la bd, ils ont les références nécessaires pour savoir de quoi l’auteur parle, que ça soit de mathématiques ou de science-fiction. Ils sont les premiers à envoyer des commentaires parce qu’ils savent à quel moment une nouvelle bd est envoyée. En fait, aller regarder une bd xkcd, ça fait partie de leur routine. Ils sont morts de rire à l’idée que certains ne savent pas encore que les vraies blagues xkcd sont dans les alt-text. Ils se font des inside-jokes en tout genre et se connaissent entre eux.

En ce sens, ils forment une «communauté». C’est un groupe ouvert mais il y a plusieurs processus d’exclusion qui sont en action à tout moment. Pour être accepté dans ce genre de groupe, faut faire sa place.

Les sites qui utilisent Disqus ont une toute autre structure. N’importe qui peut commenter n’importe quoi, même de façon anonyme. Ceux qui ne sont pas anonymes utilisent un profil consolidé, qui dit «voici ma persona de web social» (s’ils en ont plusieurs, ils présentent le masque qu’ils veulent présenter). En envoyant un commentaire sur Mashable, par exemple, ils ne s’impliquent pas vraiment. Ils construisent surtout leurs identités, regroupent leurs idées sur divers sujets. Ça se rapproche malgré tout de la notion de self-branding qui préoccupe tant des gens comme Isabelle Lopez, même si les réactions sont fortes contre l’idée de “branding”, dans la sphère du web social montréalaisn (la YulMob). Les conversations entre utilisateurs peuvent avoir lieu à travers divers sites. «Ah oui, je me rappelle d’elle sur tel autre blogue, je la suis déjà sur Twitter…». Il n’y a pas d’allégeance spécifique au site.

Bien sûr, il peut bien y avoir des initiées sur un site particulier. Surtout si les gens commencent à se connaître et qu’ils répondent aux commentaires de l’un et de l’autre. En fait, il peut même y avoir une petite «cabale» qui décide de prendre possession des commentaires sur certains sites. Mais, contrairement à xkcd (ou 4chan!), ça se passe en plein jour, mis en évidence. C’est plus “mainstream”.

Ok, je divague peut-être un peu. Mais ça me remet dans le bain, avant de faire mes présentations Yul- et IdentityCamp.

Over fifty million users entrust their professional identities and relationships with LinkedIn, helping build LinkedIn into the largest global professional network today. However, professionals around the world use a wide variety of applications and Web sites to get their work done, and they have spoken loud and clear that they want the ability to leverage their professional networks wherever they work.

Starting today, developers worldwide can integrate LinkedIn into their business applications and Web sites. Developer.linkedin.com is now live and open for business.

The evolution of the LinkedIn Platform

Over the past months, LinkedIn has supported integrations with some of the most prominent and critical software applications in the enterprise. Partnerships with companies like IBM, Blackberry (Research in Motion), and most recently Microsoft, have given us time to invest in both functionality and scalability of the platform.

S

oftware is moving to the cloud, and business applications need context for who people are and how they are related. LinkedIn now is the obvious choice as a provider for those services. It is hard to imagine a business application that would not benefit from LinkedIn integration.”

– Roger Neal, SVP/GM at BusinessWeek Digital, McGraw-Hill

At LinkedIn, we have always believed that business applications are better when they are built over a platform of professional reputation and relationships. In real life, our most valuable professional assets are the skills and experience we acquire and the trusted relationships we build. It’s not surprising that business software becomes more productive and valuable when it is built over these services.

How can I start developing for the LinkedIn Platform today?

Registering as a LinkedIn developer is as simple as filling out a form on developer.linkedin.com. The LinkedIn platform leverages the open OAuth standard to make integrations from almost any language and development environment as simple as possible.

W

hat a breath of fresh air. We were able to go to http://developer.linkedin.com, request a key, and actually write functioning code in less than 15 minutes. It’s amazing to have access to such a powerful platform on tap at any time.”

– Iain Dodsworth, Founder and CEO of TweetDeck

A number of developers who have helped provide us with feedback and guidance in our development will be announcing integrations in the coming weeks. For example, TweetDeck is announcing full support for the LinkedIn platform in its next version. Now you can easily view or take action on your LinkedIn network updates from within TweetDeck, with the full integration of the LinkedIn profile information of the person who posted the update.

This is the beginning of a new set of opportunities for the LinkedIn platform, and we look forward to seeing the integrations that developers will launch in the coming weeks and months.

Stay tuned for additional enhancements over during the coming months as we learn and grow this platform together.

The Internet is based on open data, based on open standards and open specifications to enable conversations.

For the web, the conversation has turned from open source to the data and markup behind it. Data is becoming as important as source. An open web needs open data coming from open specifications. Three major specifications have been created, all from different backgrounds – OpenID, OAuth, and OpenSocial. They share a lot of the same goals and views, but have been created ad hoc with no overarching community that transcends the projects.

David Recordon announces the start of the Open Web Foundation. Modeled after the Apache Software Foundation, the Open Web Foundation’s goal is to do for specifications what open source has done in its arena, building open community for incubation, licensing, copyright. Impressive support for the Open Web Foundation has come from companies such as Yahoo, Facebook, Plaxo and many more who want to continue to build the web on open standards.

IT Conversations | O’Reilly Media Open Source Conference | David Recordon (Free Podcast)

MP3 audio

I don’t often get this excited but it has been a very exciting day so far!

Today we launched the live public BETA of our Twitter Sales Leads tool set within WeCanDo.Biz.  The buzz that this seems to have created had far exceeded our expectations which is fantastic.

What has really excited me though are the sheer number of people using the tool in its BETA form and writing some wonderful things about it:

“Just checked it out and i have to say its brilliant, you simply add keywords and it lists all twitter posts that are related to or contain your chosen keywords” (G. Lasagne, UK Business Forums)

“Software that does this for me will be a huge from me” (Adventurelife, UK Business Forums)

I could go cite many more but what these guys are saying totally vindicates the work we have been doing.  Thank you

The reason we have done this is to add to the core purpose of WeCanDo.BIZ, the ability to find real sales leads via people’s published Biz Needs and take them straight  into WeCanDoCRM Social CRM

We think this is pretty cool and we hope you do too.  We would very much appreciate your help in testing our new tool and hope you take a look . New users to WeCanDo.BIZ are able to sign straight in using their Twitter identity through Twitter OAuth so there is not even the often messy and time-consuming registration process that many sites still use.

————————————————————————————————-

We have made the  Twitter Sales Leads tool available to our Business and Pro Networker members to enable them to see how the final version will work.  We are due to release that final version next week.

BETA means it is still in test and not all features are yet there: missing is the ability to create a sales leads in WeCanDoCRM Social CRM to track the progress of the Twitter sales leads you find.

As it stands though, the BETA version is locating prospective customers for your products and services on Twitter by searching on your company keywords (as entered when you added your Business profile).

>> TRY IT OUT FREE HERE! <<
:: :: :: :: :: :: :: :: :: :: ::

Today we released 2 major enhancements that will help you pull yourself together with threadsy even more.

Additional email address support with IMAP
As of today, you can add any email address that supports IMAP to threadsy. IMAP is the standard protocol for reading your email online from any computer.

So in addition to Gmail, Yahoo, Hotmail, and AOL, you can now check your school, work, and other email addresses directly in threadsy. If you don’t know if your email accounts support IMAP, check with your email provider.



How to add an IMAP account
If you’re an existing threadsy user, go to ‘settings’ and in the email accounts tab, type your full email address and password and click ‘add’.

threadsy will try to add your email address automatically, but if it fails to recognize it, you’ll see this:

Click ‘yes’ and then you’ll see the IMAP settings page. threadsy puts in some default settings for you to try. If these don’t work, you’ll need to type in the proper settings. Ask your email service provider for the right settings.

Twitter Oauth support
As many of you requested, today we added support for twitter’s recommended Oauth access. Oauth is twitter’s secure method of signing into your account that doesn’t require threadsy to store your twitter passwords. An added benefit is improved stability with threadsy – no more annoying login popups like some of you’ve experienced.



Switching to Twitter Oauth (existing users only)
All existing threadsy users will be required to reauthorize their Twitter accounts the next time they log in to threadsy. You must reauthorize each twitter account you previously added to threadsy. If you choose not to reauthorize an account, it will be removed from threadsy. You can always add it back in ’settings’



Also: improved settings
New today, an extensive overhaul to the threadsy settings page to make it much easier to use. Now it’s divided into 3 sections: email accounts, social network accounts (Facebook and Twitter), and general. Note that we’ve moved the sound on/off control to the general tab.

We’ve also rolled out these changes to the sign up, so when you invite your friends to threadsy, it will be even easier for them to ‘pull themselves together.’ And yes, invite friends feature coming soon!

A beta version of the next Confluence release is out. And guess what — it’s got gadgets. This is pretty cool, so I’m jumping the gun and telling you about it right now.

It’s still just a beta release: Confluence 3.1 Open Beta. The announcement is on the Atlassian News Blog, along with an invitation to try it out. So I got myself a copy and put some gadgets onto a wiki page.

Now, the gadgets I chose are perhaps not the most useful. The most usual business case would be to add gadgets published by other Atlassian applications. For example, you might want to add a gadget that displays some information from another Confluence site or from  JIRA, Bamboo, FishEye or Crucible. (Those are other applications developed by Atlassian, the company I work for.)

But for me, the fun bit is that I can add the gadget that I created and blogged about 8 months ago.

The same 2 gadgets in 3 different applications

Here’s a screenshot of a Confluence wiki page with two gadgets. One is mine, displaying an up-to-date list of recent blog posts about technical writing from WordPress.com. The other gadget was created by Donna, our support diva, showing recent entries in a Jive discussion forum. (Click the image to enlarge it.)

Gadgets on Confluence wiki pages - oh, and in JIRA and iGoogle

Here are the same two gadgets on my iGoogle page:

Gadgets on Confluence wiki pages - oh, and in JIRA and iGoogle

And here they are in JIRA:

Gadgets on Confluence wiki pages - oh, and in JIRA and iGoogle

How do you add a gadget to a Confluence page?

Your Confluence page can display two types of gadgets:

• Internal — These are gadgets published by the same Confluence site as where they are displayed. Typically such a gadget would display information sourced from the Confluence site, such as an activity stream or a search function.
• External — These are gadgets published by another Confluence site, or a JIRA site, or even something totally different like Remember the Milk, a hamster in a wheel or a pet monkey.

If your gadget is external, the Confluence administrator needs to add the gadget to the list of available gadgets before you can add it to your Confluence page. This needs to happen only once for each gadget.

To make an external gadget available in your Confluence site:

1. Log in as a Confluence administrator.
2. Go to ‘Confluence Admin‘ and click ‘External Gadgets‘ in the left-hand navigation panel.
3. Paste the URL of your gadget into the field labelled ‘Gadget Specification URL‘. The URL should point to the XML file that describes the gadget.

For example, take a look at the URLs for the two gadgets in my screenshots above. The URL for the WordPress gadget is:

http://hosting.gmodules.com/ig/gadgets/file/117695765658379330528/
WordPress-dot-comRSSFeed.xml

And the URL for the Jive forums gadget is:

http://confluence.atlassian.com/download/attachments/203394872/forums.xml

Friendly warning: I’m just using my gadget as an example here. It’s a total hack, so please don’t insert it into any Confluence sites that matter! You’ll get all sorts of weird display problems, plus potential security issues too.

To add a gadget (external or internal) to a Confluence page:

1. Create a new page or edit an existing page.
2. Put your cursor in the edit box where you want the gadget displayed.
3. Click the ‘Insert/Edit Macro‘ icon  in the toolbar.
4. You’ll see the ‘Select Macro’ popup window. Enter some text into the search box at top right, to find the gadget you want.
   
5. Click the gadget you want. You’ll see a preview of the gadget. Most gadgets also offer you some options to configure the gadget, such as width of the display, background colour, etc.
   
6. Change the settings if you like, then click ‘Insert‘.
7. Save the Confluence page.

Extra authorisation step (OAuth)

Some gadgets require extra authorisation, to reassure the publishing server that it’s OK to send its data to the server where the gadget is displayed. Gadgets use an authorisation protocol called OAuth. There are two parts to the authorisation, one performed by the administrator and one by the person adding the gadget to or viewing the gadget on the page.

1. The administrator needs to set up the OAuth relationship between the gadget publishing server (called the provider) and the displaying server (called the consumer). This authorisation step needs to happen only once for each site. Once you’ve authorised one server to send information to another server, then you can add multiple gadgets from that server. For example, let’s say you want to display JIRA gadgets on a Confluence page. Your JIRA server needs to trust your Confluence server. So you’ll need to add Confluence as an OAuth consumer in JIRA. To do this, you will give JIRA the URL of your Confluence server. The instructions are in the JIRA documentation.
2. When you add a gadget to a page, you will need to authorise the display of information under the authority of your user ID. Similarly, every user who views the page will need to authorise the display of the information under their user ID.  The authorisation lasts for a while (a week or so, unless you revoke it). The gadget will display a ‘Log In and Approve‘ button. When you click the button, you will go to the login page of the site concerned. Log in and then approve the gadget’s access to the server’s information. Now you’ll see the gadget information displayed. There’s a full write-up in the Gadgets documentation.

Phew, I’m glad we’ve got that out of the way!

Would you like to try it yourself?

The Confluence 3.1 beta release is out, so you can hack away. If you’re very brave, you could even write your own gadget and put it on a Confluence page!

and we like it!

OAuth is an open protocol to allow secure API authorization in a simple and standard method from desktop and web applications, as stated on the OAuth web site.

Why do we like OAuth?

1. It is simple.  Most of the bad security implementations are done by people with good intentions and low skill.  Understanding the issues involved greatly improves the changes of making the right choices.
2. It solves a real hard problem: giving access to your stuff without sharing your identity.
3. Plays well with others.  OAuth has built in support for desktop applications, mobile devices, set-top boxes, and of course websites.

OAuth helps delegating rights to a process acting as you, without losing privacy or compromising security.  And the specification is short and possible to understand.  Replacing shared secrets is a really good idea.  Replacing hardcoded application-based passwords is an even better idea.  Replacing spoofing of user by logging in as root/admin and then emulating the actual user is a great idea.  And all of this may be done by OAuth.

One use case is getting access to your data on your behalf, but on a different site while not giving away your identity from the first site. Another is the TCS eScience Personal Portal (aka Confusa) that will use OAuth to authenticate a command line client tool to a web-based service that issues short-lived certificate. Then they will extend it further using OAuth for web-based delegation of proxy-certificates; collaborating with a Norwegian University.  Some other use cases that people in my neighbourhood has been playing with so far

• Attribute query protocol
• Certificate enrollment in confusa using OAuth

• Virtual Organizations, OAuth and trust models
• Twitter authentication model

While I have been programming with Python I have found the following intricacies with the OAuth 2-legged approach, in regards to using web based APIs (all the examples are in Python & refer to the Vimeo API).

Note I don’t believe this is well documented, and have at times found the following confusing:

1. When using Web based APIs, one does not need to be concerned about the concept of ‘tokens’ if you are using a 2-legged OAuth approach (even though alot of sites proclaim that one should always be requesting for tokens, and even the python OAuth APIs that exist in github.com don’t really indicate that one does not need tokens). This basically means you do not need a token if you are doing a HTTP ‘GET’ request (depending which web based API you are using).
2. When using 2-legged OAuth (or 3-legged for that matter), you must indicate all the parameters that are going to be sent using the HTTP ‘GET’ request (equally this should apply for ‘POST’ requests as well) before you generate a ’signature method’.
3. As of OAuth Standard 1.0a I believe there is a slightly broken nature in how OAuth is used and believe it is actually a flaw in the OAuth protocol, which I discovered by accident. When using a 2-legged approach (refer to example below), this method will ‘intermittently’ work, when I first tested this (using the vimeo API), it actually worked for the 1st iteration, but failed consecutively for 3 iterations before working again and then intermittently after that:

I originally thought it was a bug on the web API provider’s end, but it turned out to be a bug on how I perform the OAuth signing request. Basically, the bug was that I was signing the request before setting/applying the web API methods/parameter values I wanted (which obviously changed the hash of the signing request method). However, I believe that because it does not require a token, you can ‘brute force’ it to intermittently work if you call it enough times (possibly because the hash code for the request signature matches once in a while).

However, with a bit of help from using the php example provided by vimeo for their OAuth API, I figured out that one had to encode the parameters before signing the request:

consumer = oauth.OAuthConsumer(VIMEO_API_KEY, VIMEO_API_SEC)

oauth_request = oauth.OAuthRequest.from_consumer_and_token(consumer, http_url=VIMEO_API_URL)

oauth_request.set_parameter(‘format’, ‘json’)

oauth_request.set_parameter(‘method’, ‘vimeo.videos.getByTag’)

oauth_request.set_parameter(‘tag’, tagname)

oauth_request.sign_request(oauth.OAuthSignatureMethod_HMAC_SHA1() , consumer, None)

http_request = ‘http://vimeo.com/api/v2?’ + str(oauth_request.to_postdata())

Note: you could manually identify each OAuth required parameter without using the method: ‘from_consumer_and_token()’ but I found it easier to use it to save some code space (though I think the name is somewhat counterintuitive) as a non-token http url needs to be specified and is used for 2-legged OAuth.

Looking over my earlier post about backup strategies made me wonder how I could simplify my own process further. The basics of local backups of web services, backing up my local drive to another local drive, syncing critical files, and backing up my local drive to the cloud aren’t as simple as they need to be for most people. I try hard to eliminate the complexity but the truth is that backing up so many 3rd party services is the biggest chore.

It seems that the cloud storage/backup services could collectively agree to support some sort of standardized authentication protocol to allow web applications (Google Calendar, Delicious, etc.) to automatically backup your data to your cloud backup service – without first having to make local backups.

I can imagine a preference screen in Google Docs that lets me select my backup vendor and uses an oAuth-style authentication scheme to make the process quick and painless. Set it once, and forget about it until you need to recover data. Backup only works when it’s invisible to the user.

It wasn’t long ago that your “community” referred to the neighbors
within a certain radius or the colleagues with whom you worked.
Connecting with these folks to raise support for an issue or
neighborhood block party often posed a challenge. If you were trying
to raise interest for an issue or invite people to an event, outreach
might involve phone calls or canvassing the area and distributing
flyers. Once you got the word out you would have to sit and wait to
see if the people you’d reached out to had the same interests and
concerns you had. Ultimately, you never knew if your neighbors truly
shared anything in common with you — beyond a zip code.

Back then, “community” would happen at the Community Center – the hub
of activity inside a regional area where both adults and children
would gather to connect, visit, play games and even share photos. All
sorts of activities were taking place here and people made the trip to
connect to enjoy life together.

But, in this age of the real-time Web, it’s become easier than ever to
find or build a community with like-minded people who, most often, do
not live within your zip code. As technology evolves, our degrees of
separation have gotten smaller. Social networking has helped us push
past the geographical boundaries, and has helped us to engage based on
common interests. It’s now easier than ever to become an activist and
rally support for something we feel passionate about. And businesses
can create awareness, solve problems, and generate great customer
experiences with the click of a mouse.

But building relationships online is still not that easy. It requires
clear channels of communication and common interests. At Cliqset,
we’re working hard to foster community regardless of zip code and make
it simple for you to develop your own network, and interact with
others, just as if you were meeting them at the local coffee shop or
community center.

Inside Cliqset, once you discover something that interests you, it’s
very easy to start a conversation around it just as if you were
meeting up with that person in real life. We’ve made it easier for you
to share your life online by allowing you to share more than your
status updates or interesting links – you can engage more deeply and
share what you are doing on other networks and talk about that in
real-time on Cliqset.

At Cliqset, we encourage you to start real-time, dynamic conversations
about the things that interest you most, and watch as others join in.
We want you to share and discuss your lives, thoughts,
accomplishments, reviews, pictures….you name it. Looking to solve a
problem? Seek out experts and engage them in discussion in an intimate
forum. In essence, we all are content producers and we want feedback
and to build discussions around our content. Our community opens up an
entirely new universe of people and activities for you to discover,
share and even discuss in real-time.

What are you waiting for? Come join us as we build the new online
“zipcode.” Our weekly conversations are a great way to start
and see what’s possible with creating community in real-time. We hope
to see you next week!

During the week of October 13, 2009, a very rewarding informal meeting of digital law library developers, administrators, and researchers took place at Cornell University’s Legal Information Institute. The gathering was graciously hosted by Dr. Tom Bruce. The purpose of the meeting was to discuss a number of issues respecting free access to law, legal information institutes, and digital law libraries. Photos of the meeting are available here and here. Among the participants were:

• Professor Daniel Poulin, Director of CANLII & LexUM Laboratory;
• Marc-André Morissette, Chief Analyst at LexUM Laboratory;
• Pierre-Paul Lemyre, Head of Products and Business Development at LexUM Laboratory and a Ph.D. student at University of Montreal Faculté de Droit, studying the effects on legal systems of free access to law & legal information institutes;
• Daniel Shane, Software Developer at LexUM Laboratory;
• Elmer Masters, Director of Internet Development at CALI;
• John Joergensen, Reference & Circulation Librarian at the Rutgers University Camden Law Library, and developer of the Rutgers University Camden Law Library Digital Collections;
• Stuart Sierra, Assistant Director of the Program on Law & Technology at Columbia Law School and developer of AltLaw: The Free Legal Search Engine; and
• Sara Frug, Brian Hughes, Daniel Nagy, & David Shetland of Cornell’s Legal Information Institute.

On October 14-15, the following topics were discussed:

• Professor Poulin, Marc-André Morissette, Pierre-Paul Lemyre, & Daniel Shane discussed information acquisitions, text-processing methods, the treatment of images in court decisions, and administrative matters, respecting CANLII;
• Dr. Bruce, Daniel Nagy, & Sara Frug of Cornell’s LII, & Elmer Masters of CALI discussed their use of Drupal to present a variety of types of content, their text processing methods, and the costs and benefits of cloud computing;
• Dr. Bruce, Daniel Nagy, Elmer Masters, and Tim Stanley & Nicolas Moline of Justia discussed using OpenID & OAuth to enable streamlined authentication & access to online legal resources;
• Dr. Bruce, Professor Poulin, and others discussed various methods of legal metadata standardization, including encouraging courts, legislatures, and administrative agencies to adopt publishing standards, and the development and promotion of OAI4Courts as a means of standardizing metadata for court documents, to enable sharing and aggregation of such metadata in open repositories;
• Stuart Sierra described his methods for automated acquisition of US Federal Court decisions, as well as his text processing and data management techniques at AltLaw;
• John Joergensen described his methods for automated acquisition of court decisions, text processing, procedures for digitizing print and microfiche legal documents, and digital preservation techniques, at the Rutgers University Camden Law Library’s digital collections.

On October 16, the following topics were discussed:

• Prof. Poulin discussed the former challenges of adding secondary sources to CANLII, the new possibilities of adding commentary and user generated content to CANLII, and his desire that CANLII be a generative system, in Professor Jonathan Zittrain’s sense of that term in The Future of the Internet and How to Stop It;
• Dr. Bruce, Prof. Poulin, Elmer Masters, and all the participants discussed their plans for sustaining innovation in the coming years at LII, CANLII, & CALI, and for developing business models and strategies;
• Dr. Bruce emphasized the need to develop standards to enable sharing of metadata and legal information objects among digital repositories, and to educate reporters of decisions about the need to enable information sharing in legal digital publishing;
• The LexUM team discussed two different approaches to taxonomies that they have tested respecting CANLII;
• Pierre-Paul Lemyre demonstrated several LexUM Web 2.0 projects, including Le Code civil du Quebéc annoté, which allows users to add annotations, and the CANLEX set of APIs for CANLII, including the RefLex API, which hotlinks legal citations in a user’s document. Prof. Poulin & Pierre-Paul also discussed Lexacto, a search engine enabling practitioners to index and retrieve content on particular legal topics, whether that content is located within or outside their firm. Some of this new technology will be tested at the Supreme Court of Canada;
• Marc-André Morissette demonstrated a drop-down table of contents-based document management system for legislative materials, called LexView, with the Canadian Criminal Code as a prototype. He said that similar technology would be applied to the Nova Scotia Annotated Civil Procedure Rules and continuing legal education materials for British Columbia;
• Dr. Bruce, Elmer Masters, John Joergensen, and the Cornell LII team discussed implementation of OpenID, the possible sharing of taxonomies, and possible collaboration respecting data for updating the U.S. Code;
• In a wrap-up discussion, each participant identified the most valuable information they acquired during the meeting. John Joergensen initiated a new discussion about the need for the legal information institutes to consider new issues in light of the institutes’ maturation and acceptance as key actors in the legal information infrastructure, and underscored digital preservation as one such issue. Dr. Bruce & Prof. Poulin reflected on their careers leading legal information institutes and how their personal roles had changed as their organizations had grown and matured.
• The participants agreed to meet again next autumn, either in Ithaca or in Montreal. Everyone thanked Dr. Bruce and the Cornell LII team for their gracious hospitality.

Many thanks to Dr. Bruce & his team for their gracious hospitality and stimulating discussion.

In the development of Piculet, my new hobbie project, i’ve had to implement the oAuth Authorization process. The Twitter App documentation gives you a rough sketch of how to do this, and the services spec points you off to the official oAuth Specification.

Let’s just say it’s a bit confusing. After surfing the web i’ve found some example code and a class with oAuth utility methods which i used in the implementation see external links at the end.

I advise you read and examine the code mentioned in the article here. The small  application the author provides will give you some insight on how it all works and how you can achieve the oAuth calls. Unfortunally this isn’t explained in the article itself hence this post.

Authorization process

The authorization process, according to twitter is :

The application uses oauth/request_token to obtain a request token from twitter.com.

The application directs the user to oauth/authorize on twitter.com.

After obtaining approval from the user, a prompt on twitter.com will display a 7 digit PIN.

The user is instructed to copy this PIN and return to the appliction.

The application will prompt the user to enter the PIN from step 4.

The application uses the PIN as the value for the oauth_verifier parameter in a call to

oauth/access_token which will verify the PIN and exchange a request_token for an access_token.

Twitter will return an access_token for the application to generate subsequent OAuth signatures.

Seems simple enough.

Signing oAuth Requests

When you register your application with twitter it gives you a consumer key that identifies your application and a consumer secret which will be used to generate your oAuth signature. This is where i bungled up, at first i thought the consumer key would be the signature to use, lets just say i should’ve read the oAuth Spec first.

Let’s take the request token call as an example. In order to obtain the request token for your application you will need to generate the following :

1. Signature
2. Nonce
3. Timestamp

The oAuthBase class mentioned above will help you with this. All you need to do is provide it with your consumer key and secret, the url your calling in this case that would be : http://twitter.com/oauth/requet_token and the queryString – in this case this is empty
All you need to do is call the method  GenerateSignature to generate your signature and prepare your url.
The following code generates the url to call request_token :

    OAuth.OAuthBase oAuth = new OAuth.OAuthBase();
    string queryString="";
    string tstamp=oAuth.GenerateTimeStamp();
    string sig = oAuth.GenerateSignature(new Uri(http://twitter.com/oauth/requet_token),
                                     consumerKey, consumerSecret,,null, null,"GET",tstamp ,nonce,
                                     out url, out queryString);
    queryString += "&oauth_signature=" + HttpUtility.UrlEncode(sig);
    return url+"?"+queryString;

Now all you need to do is call that url and get your request_token.

All calls from here on end can be signed in the same manner. Only difference is that after the authorization procedure you get an access token, which you will need to provide  the GenerateSignature method in order to sign your urls.

Sidenote on Using oAuthBase

I ran into a problem when trying to use the oAuthBase class with mono and monodevelop.

Problem came from the compiler not finding the HttpUtility anywhere. This is a class that is inside the System.Web namespace. I solved this by adding System.Web to the project references.

External Links

• Coding the Wheel – http://www.codingthewheel.com/archives/codingthetweet
• Twitter API – http://apiwiki.twitter.com/Authentication
• oAuth Spec - http://oauth.net/core/1.0
• Beginner’s Guide to OAuth- http://www.hueniverse.com/hueniverse/2007/10/beginners-guide.html
• oAuthBase Class - http://oauth.googlecode.com/svn/code/csharp/OAuthBase.cs

This is a refactored version of my post, Quick and Dirty Oauth for Twitter4J OAuth for Web Apps

This is also the result of my work on a a problem I had with getting a unauthorized request tokens using GData.

Basically I found that

1. Whatever you do (regardless if you’re using Servlets or Spring MVC), never maintain state in a servlet or a Spring MVC controller because GData and Twitter4J client libraries maintain state.

2. It’s impossible to wire them in Spring because they maintain state.

I think the best way to use Spring for OAuth is by using a MultiActionController with two methods:

authorization()
to print the authorization url

callback()
where the provider will go after the user has authorized it to allow the consumer to access the user’s account in the provider

Here’s what it looks like:

public class OAuthAuthorizeController extends MultiActionController {
public ModelAndView authorize(HttpServletRequest request,
			HttpServletResponse response){

       //authorization code here

}

public ModelAndView callback(HttpServletRequest request,
			HttpServletResponse response){
       //callback code here

}
}

With OAuth client libraries there is less need for url rewriting and doing manual get requests.

But the best way to implement the libraries in your code is to program them to an interface, encapsulating what varies because each client library is used differently.

public interface Provider {
public String getAuthUrl() throws OAuthProviderException;
public UserOAuthAccessToken getAccessToken(String token,String tokenSecret)
}

The rationale behind this is that the Spring controller we have shouldn’t have to know what provider he is dealing with. This makes code loosely coupled.

So if you want your controller to deal with GData or Twitter using the Twitter4J and GData libraries, implement the Provider interface and code in the implementation:

public class GoogleDocs/Twitter4JClient implements Provider {
     public String getAuthUrl(){
        //GData or Twitter4J specific code here
     }
    public UserOAuthAccessToken getAccessToken(){
       //GData or Twitter4J specific code here
    }
}

GData specific code can be found here
Twitter4J well here. Haha.

Use an abstract factory method to return the specific implementation to the controllers:

private Provider getProvider(String providerRequested){
	Provider provider = null;
	if (providerRequested is googledocs){
		provider = new GoogleDocs();
	}
        if (providerRequested is Twitter) {
               provider = new Twitter4JClient();
        }
	return provider;
}

This is what the Spring MVC controller will look like when it’s done:

public class OAuthAuthorizeController extends MultiActionController {
public ModelAndView authorize(HttpServletRequest request,
			HttpServletResponse response){

         Provider provider = getProvider("Twitter"/"GoogleDocs");
         String authUrl = provider.getAuthUrl();
         return new ModelAndView("view","authUrl",authUrl);

}

public ModelAndView callback(HttpServletRequest request,
			HttpServletResponse response){
       Provider provider = getProvider("GoogleDocs"/"Twitter");
       UserOAuthAccessToken accessToken = provider.getOAuthAccessToken();
       //some other logic you have to do
}
private Provider getProvider(String providerRequested){
	Provider provider = null;
	if (providerRequested is googledocs){
		provider = new GoogleDocs();
	}
        if (providerRequested is Twitter) {
               provider = new Twitter4JClient();
        }
	return provider;
}
}

Last Friday Dan and I worked on accessing a user’s Google Docs via OAuth. We were able to make it work except that I found out that our solution doesn’t scale!

Our observations are

1. Two or more users getting an unauthorized request token returns an invalid token to one of the users.

2. Two or more users getting an unauthorized request token in succession returns an invalid token to the last person who requests. The latter can try again after a certain time after the last person has finished accessing his/her google docs.

We followed are the tutorials for accessing Gdata using Oauth at the Gdata website and used the Gdata Java libraries.

I think the problems are

1. that the helper classes that come in with the libraries are instantiated only once for the whole app (a singleton). Meaning any client who visits the app and uses the same instance to connect to google via oauth uses the same instance every time.

2. the helper classes are maintaining state, hence the invalid token received by another user while someone is still “using” our app to access his/her google docs. This is the same problem that I have with using Twitter4j, you can’t wire them as a singleton because they’re maintaining state.

If that’s the case, then I should probably remove this line of code in our controllers:

public class GoogleOauthController extends MultiActionController {
	...
	private GoogleOAuthParameters oAuthParameters;
	private GoogleOAuthHelper oAuthHelper;
        ...

and refactor this by instantiating one instance of GoogleOAuthParameters and GoogleOAuthHelper per invokation of any of the methods in the controllers that make use of them. I’ll be able to do this using the abstract factory method or an abstract factory class which I’ve just finished reading about this week! That came at just the right time, thank God for my book Head First Design patterns.

But which refactoring to do?

I think the abstract factory method is more appropriate although it shouldn’t be called abstract because I don’t expect any controller to extend the controller I am going to build for Oauth. I’ll call my solution the oauth-factory-method.

But on the other hand, I might need the same functionality of the oauth-factory-method so that oauth controllers that have provider specific logic can use the oauth-factory-method to get the helper classes that they need and more importantly that are otherwise needed in a lot of other controllers.

Today we’re excited to announce the launch of Cliqset API v3, bringing some new and innovative features to our developer community.

• Activity Streams Support - Cliqset is now publishing activity information from the ~70 services we’ve integrated within in JSON, XML and Activity Streams formatted Atom XML. Activity Streams is a standardized way to describe and communicate activity related information between services with the goal of increased consistency and efficiency.
• Streaming capabilities – Activity and conversation information are now available to be delivered the moment we become aware of it using our new real-time streaming APIs.
• New ways to share – We’ve simplified our sharing APIs and added new types. Share photos, status updates, link and reviews with a simple form POST.
• Account Creation – Concerned about your users not having a Cliqset account when they try to use your app? No problem, applications can now register new users using our Account Creation API. We’ve integrated a CAPTCHA into the process so it’s secure and should prevent automated abuse (fingers crossed).

Those are some of the highlights so check out the docs and give us feedback. We’re always looking for ways to improve our service and build a better development community.

It’s a big day for Cliqset and the social web! Today, we opened up the new beta of our online community to a limited group of people to get feedback.

As the nature of conversations on the Web has been dramatically changing to mirror those in real life – centered around topics, location and audience – Cliqset is now all about your conversations, however they unfold.

So, what’s new in Cliqset beta 3? Frankly, a lot. Over the last few months, we’ve completely redesigned our website and have created a real-time community that makes it’s easier for users to stay engaged and follow the discussions that they find most interesting.

In our private beta, real-time conversations and activity streams are a focal point in the latest release. Users now have options for communicating and sharing online activities (like photos, location aware updates, bookmarks) with their friends and online communities, while also being able to track and update all of the third-party social services you’re on from one centralized hub.

Here’s what’s now possible on Cliqset:

• Quickly engage and discuss. Discussions and commenting are now all in real-time – unique from most social networks and services currently on the web – giving users a better way way to communicate and stay engaged in the discussion as it unfolds.

• You can easily pull in your content from almost 70 social networks and services. We now support Cliqset integrations with the most popular third-party services so you can easily pull your content into Cliqset (photos, status updates, videos, blog posts, etc.) from other social networks.

• We now have easier ways to share your content with other social networks and services, including Twitter, Facebook, Myspace, Identi.ca, Linkedin and FriendFeed. Users can update their status, and share photos, bookmarks, reviews on Cliqset and push them out to wherever they choose.

• And you can now share content that you discover on Cliqset with other social services you’ve enabled.

• Easily discover content and people by staying on top of specific topics with Cliqset’s granular activity stream filters. Users can select which types of updates they’d like to see in their activity stream including text, photo, comment, or blog post.

• Updates that include photo files or location details now show a thumbnail so that users can easily see the content without having to explore further and with filtering capabilities, find others who are discussing the same topics and activities.

• Greater control over how people can see and interact with information that you share.

Come join Cliqset. To be a part of our private beta, sign up and start connecting and conversing in real-time