[Opensim-dev] OAuth as authentication and authorisation (capability) specification

Melvin Carvalho melvincarvalho at gmail.com
Sat Apr 25 18:10:08 UTC 2009


On Sat, Apr 25, 2009 at 5:09 PM, Tommi Laukkanen
<tommi.s.e.laukkanen at gmail.com> wrote:
> Hello
>
>>
>> OAuth is not an authentication system, it is delegated credentials
>> system via a third party.
>>
>
> Authentication and authorisation with delegated credentials is what we
> need as identities will be provided by identity providers and assets
> from asset providers in distributed model. We need the client to be
> able to authenticate against identity provider, acquire tokens and
> provide them to region for authentication on region level, access to
> profile information and assets etc. It is not a good idea to pass
> credentials to the region server directly.

It's a good tech, and the community has done a lot of work getting the
open model recognised.

You'd be looking at at least two specs, OpenID and OAuth to start
with, then there's a few others such as sreg and attribute exchange,
maybe pape, so there is some complexity there.

Also bear in mind that this was designed with the standard pattern being
username/login from the 3rd party interface, so you'd have to serve
up, for example, a Google login form (or every other kind of login
form) when signing in, or perhaps when teleporting, which might not be
the ideal user experience.

>
>> FOAF+SSL (aka Secure Web ID), is a much newer 3.0 technology which
>> has less complex interactions (no third party authentication or
>> passwords required, it is a client server).  In a nutshell it uses the
>> well established SSL protocol for authentication, and FOAF to mark up a
>> public key in your profile.
>
> You can use OAuth for 2 legged authentication but your suggestion
> sounds interesting as well. One would like to be able to use existing
> networks hosting user identities but time will rectify that for any
> new technologies as they gain popularity.

Do take a look if you get a chance, it's a good system, and SSL PKI is
mature and tried and tested, it is used to log in to secure email,
VPN, ssh and many other systems.  You just need to store a public key
with the user's assets and you're well on your way.  I'm happy to help
if it's needed, I'll try and follow the discussions here :)

>
> -tommi
> _______________________________________________
> Opensim-dev mailing list
> Opensim-dev at lists.berlios.de
> https://lists.berlios.de/mailman/listinfo/opensim-dev
>


