[Opensim-dev] OAuth as authentication and authorisation (capability) specification

Melvin Carvalho melvincarvalho at gmail.com
Sat Apr 25 13:49:00 UTC 2009


On Sat, Apr 25, 2009 at 6:21 AM, Tommi Laukkanen
<tommi.s.e.laukkanen at gmail.com> wrote:
> Hello
>
> OAuth seems to provide OpenSimulator server side authentication and
> authorisation needs. If you are interested in this area please read
> this page and especially the "What is it for"-chapter:

OAuth is not an authentication system, it is a delegated credentials
system via a third party.

>
> http://oauth.net/about/
>
> "Is OAuth a New Concept?"-chapter is a good read as well.
>
> Essentially it looks like a way to pass capabilities to servers. For
> example you might give opensim region limited access to your
> inventory.
>
> More details can be found from their community wiki:
>
> http://wiki.oauth.net/
>
> Does anyone know other specifications for service level authentication
> and authorisation (as opposed to browser and user level authentication
> like OpenID and SAML)?

FOAF+SSL (aka Secure Web ID), is a much newer 3.0 technology which
has less complex interactions (no third party authentication or
passwords required, it is a client server).  In a nutshell it uses the
well established SSL protocol for authentication, and FOAF to mark up a
public key in your profile.

The wiki is a bit geeky at present, as it's still beta, but
progressing: http://esw.w3.org/topic/foaf+ssl

This solution should also be complementary to OpenID and OAuth, and
seems likely to be backed by the W3C, so I'd recommend taking a look,
if you can get your head around the concepts, I think it could serve
OpenSim needs quite well, and is extremely extensible.

A slightly more user facing view demo could be seen here: http://foaf.me/login/

>
> As you can see from the wiki front page for example google offers
> standard oauth api. I would like to use my google identity in OpenSim
> as soon as possible :). Someone might want to use AOL, Flickr, Amazon,
> yahoo or facebook which are already supported. The big difference is
> here that you need not pass your secret password to opensim server or
> go to openid login page at the provider. Idealistviewer could handle
> authentication with google and pass the capability tokens to region
> when connecting to it.

I think you may be confusing OAuth and OpenID, OpenID is a login
system.  Though the issue is that OpenID is driven off an URL and
Google is driven off an email address, so they are working on bridging
the gap.

>
> If you want to help Metaverse be realised in shortest possible time
> please study OAuth and alternative approaches if such exist. I believe
> this area needs some OpenSim community focus to get it properly sorted
> for next technology leap. I hear a new version of CableBeach is coming
> out and it would be great to have standards compliant solution in
> capabilities area. By standards compliant I mean a solution which can
> hook to major identity provider players as of now. The claim of this
> post is that it is already possible with OAuth specification which has
> been written by experts of the area.
>
> If all those major players are supporting OAuth I think it is a strong
> signal that the technology is good and mature. My understanding is
> that it is very well compliant with OpenSim needs as well.
>
> -tommi
> _______________________________________________
> Opensim-dev mailing list
> Opensim-dev at lists.berlios.de
> https://lists.berlios.de/mailman/listinfo/opensim-dev
>


