Gmail Contextual Gadgets and OpenID Authentication steps

I'm trying to understand the correct sequence of steps followed by Gmail when loading and authenticating a contextual gadget. One of the reasons (there are others) is that I want to know whether I can put the gadget manifest behind an Open ID authentication so that only authenticated users will be able to pull the gadget in to Gmail.

I haven't seen any documentation on this anywhere. Here's how I think it works... (where mysite.com is an openID relying party).

- User: clicks on a mail in Gmail inbox
- Gmail: Load email. Retrieve gadget manifest from mysite.com/gadgets/gadget.xml
- MySite: You need to be authenticated to access gadgets/gadget.xml
- Gmail: Here's the user's OpenID
- MySite: Here's gadgets/gadget.xml
- Gmail: "paints" the gadget contents on the context area of the email

Please correct me if this is wrong.


Well, I think the answer to my question is here: http://code.google.com/googleapps/marketplace/best_practices.html#gadget_sso

According to this, there's no implicit OpenID authentication. It's your responsibility to make it happen by using osapi.http.get.


I believe this is how it works:

  1. Admin installs your app; at that point you can use SSO to get the admin's OpenID.
  2. If you want to use 2-legged OAuth to get, say, all of the users on the domain, you can do that too (although I have not gotten that to work yet).
  3. When a user in that domain loads your gadget, you can use osapi.http.get, which will append the open_social_id to the request to your server.
  4. Now that you have the opensocialid, you can check if you have a user in your system with that open_social_id; if not, then you can go through the same OpenId auth process you did in step 1 for the admin, but this time you relate the Open Social Id with the OpenId you receive in the auth process.
  5. Now anytime that user loads your gadget, you can look up their open social id and determine that they have already been authorized.
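
Steps 3 to 5 above on the server side, as an added example that is not code from the original posts. `GadgetLinker`, its method names and the one-time `state` value are hypothetical; the code assumes the request carrying the OpenSocial id has already been authenticated as coming from the gadget container, and that the OpenID assertion is validated by relying-party code elsewhere.

```javascript
const crypto = require('crypto');

// Added example. In-memory maps stand in for a database.
class GadgetLinker {
  constructor(ttlMs = 5 * 60 * 1000, now = () => Date.now()) {
    this.links = new Map();   // OpenSocial id -> OpenID identifier
    this.pending = new Map(); // one-time state -> { osId, expires }
    this.ttlMs = ttlMs;
    this.now = now;
  }

  // Steps 3 and 5: run for every gadget request that carries the id.
  // Assumption: the caller already authenticated the request as coming
  // from the gadget container, so osId is not attacker-chosen.
  handleGadgetRequest(osId) {
    if (typeof osId !== 'string' || osId.length === 0) {
      return { status: 'rejected' };
    }
    const openId = this.links.get(osId);
    if (openId !== undefined) return { status: 'authorized', openId };
    // Step 4: unknown id. Start the OpenID flow and bind it to this id
    // with an unguessable, short-lived, single-use state value.
    const state = crypto.randomBytes(16).toString('hex');
    this.pending.set(state, { osId, expires: this.now() + this.ttlMs });
    return { status: 'needs_openid', state };
  }

  // Step 4, second half: run after the relying-party code (not shown,
  // assumed) has validated the OpenID assertion for verifiedOpenId.
  completeOpenId(state, verifiedOpenId) {
    const entry = this.pending.get(state);
    this.pending.delete(state); // single use, even when rejected
    if (!entry || entry.expires < this.now()) return { status: 'rejected' };
    // Never overwrite an existing link; re-linking needs its own flow.
    if (this.links.has(entry.osId)) return { status: 'rejected' };
    this.links.set(entry.osId, verifiedOpenId);
    return { status: 'linked', osId: entry.osId };
  }
}
```

The `state` value would travel through the OpenID redirect (for example in the return URL) so the callback can only link the OpenSocial id that started the flow.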