// that both need to be accounted for here. For signed fetch, we need to remember what identity
// information we passed along (owner only? viewer only? both?). For OAuth, we need to
// remember whose OAuth token we used. We only use the OAuth token when owner == viewer, and
// it's possible we won't do it even then.
private HttpCacheKey makeCacheKey() {
HttpCacheKey key = new HttpCacheKey(realRequest);
SecurityToken st = realRequest.getSecurityToken();
key.set("authentication", "oauth");
if (realRequest.getOAuthArguments().getSignOwner()) {
key.set("owner", st.getOwnerId());
}
if (realRequest.getOAuthArguments().getSignViewer()) {
key.set("viewer", st.getViewerId());
}
if (st.getOwnerId() != null
&& st.getOwnerId().equals(st.getViewerId())
&& realRequest.getOAuthArguments().mayUseToken()) {
key.set("tokenOwner", st.getOwnerId());
}
key.set("gadget", st.getAppUrl());
key.set("instance", Long.toString(st.getModuleId()));
key.set("service", realRequest.getOAuthArguments().getServiceName());
key.set("token", realRequest.getOAuthArguments().getTokenName());
return key;
}