[Opensim-dev] OAuth as authentication and authorisation (capability) specification

Christian Scholz cs at comlounge.net
Sat Apr 25 20:25:37 UTC 2009


Charles Krinke wrote:
> That is an interesting point. I think the perception by some is that we 
> would like to have 'seamless' use of openid/oauth between various grids 
> as folks might move from grid to grid using OGP, MXP, HG or other 
> interop notions. So, popping up a password dialog in the midst of a 
> teleport might be 'off-putting'.
> 
> I had heard there was a use case where that was not the case, but admit 
> that I am not all that familiar with the inner workings of openid/oauth. 
> If we need to have a password dialog in interop teleports, well, that 
> may be a small price to pay.

Right now some people in the OAuth community are discussing ways to 
share an access token between parties, which might remove the problem 
of logins popping up. There is, e.g., the ProtectServe proposal by Sun 
(but it's all very much in discussion; I assume that some progress 
will be made during the next Internet Identity Workshop in May, 
http://iiw.idcommons.net/Main_Page).

Then it might be up to the user whether she wants to be asked every time 
when she teleports from sim to sim (or maybe from grid to grid) or never 
and some basic access to her data is made available automatically.

But with whatever technology, you always need some way to be able to 
define who has how much access to what data. This might be solved by a 
minimum set to which access is always allowed (maybe with some 
blacklist) or by having to define it on the fly.

Here are some links to discussions around reusing access tokens or 
having some sort of relationship manager handling them:

http://groups.google.com/group/oauth/browse_thread/thread/dbf129a7647a332c#
http://groups.google.com/group/oauth/browse_thread/thread/bdf8b99e84a8aaef?pli=1
http://www.hueniverse.com/hueniverse/2009/03/taking-oauth-beyond-the-3rd-leg.html
http://www.hueniverse.com/hueniverse/2009/03/more-thoughts-on-oauth-access-sharing.html

And here is some discussion about using OAuth also as an authentication 
protocol (an example would be the new "login with your twitter account" 
functionality):

http://www.hueniverse.com/hueniverse/2009/04/twitter-connect.html
http://groups.google.com/group/oauth/browse_thread/thread/01f8cc2ab0c5afe3#

-- Christian


> 
> Charles
> 
> ------------------------------------------------------------------------
> *From:* Melvin Carvalho <melvincarvalho at gmail.com>
> *To:* opensim-dev at lists.berlios.de
> *Sent:* Saturday, April 25, 2009 11:10:08 AM
> *Subject:* Re: [Opensim-dev] OAuth as authentication and authorisation 
> (capability) specification
> 
> On Sat, Apr 25, 2009 at 5:09 PM, Tommi Laukkanen
> <tommi.s.e.laukkanen at gmail.com <mailto:tommi.s.e.laukkanen at gmail.com>> 
> wrote:
>  > Hello
>  >
>  >>
>  >> Oauth is not an authentication system, it is delegated credentials
>  >> system via a third party.
>  >>
>  >
>  > Authentication and authorisation with delegated credentials is what we
>  > need as identities will be provided by identity providers and assets
>  > from asset providers in a distributed model. We need the client to be
>  > able to authenticate against the identity provider, acquire tokens and
>  > provide them to the region for authentication on region level, access to
>  > profile information and assets etc. It is not a good idea to pass
>  > credentials to the region server directly.
> 
> It's a good tech, and the community has done a lot of work getting the
> open model recognised.
> 
> You'd be looking at at least two specs, openid and oauth to start
> with, then there's a few others such as sreg and attribute exchange,
> maybe pape, so there is some complexity there.
> 
> Also bear in mind that this was designed with the standard pattern of
> username/login from the 3rd party interface, so you'd have to serve
> up, for example, a google login form (or every other kind of login
> form) when signing in, or perhaps when teleporting, which might not be
> the ideal user experience.
> 
>  >
>  >> FOAF+SSL (aka Secure Web ID) is a much newer 3.0 technology which
>  >> has less complex interactions (no third party authentication or
>  >> passwords required, it is client-server).  In a nutshell it uses the
>  >> well established SSL protocol for authentication, and FOAF to mark up a
>  >> public key in your profile.
>  >
>  > You can use OAuth for 2 legged authentication but your suggestion
>  > sounds interesting as well. One would like to be able to use existing
>  > networks hosting user identities but time will rectify that for any
>  > new technologies as they gain popularity.
> 
> Do take a look if you get a chance, it's a good system, and SSL PKI is
> mature and tried and tested; it is used to log in to secure email,
> VPN, ssh and many other systems.  You just need to store a public key
> with the users' assets and you're well on your way.  I'm happy to help
> if it's needed, I'll try and follow the discussions here :)
> 
>  >
>  > -tommi
>  > _______________________________________________
>  > Opensim-dev mailing list
>  > Opensim-dev at lists.berlios.de <mailto:Opensim-dev at lists.berlios.de>
>  > https://lists.berlios.de/mailman/listinfo/opensim-dev
>  >


-- 
COM.lounge GmbH
http://comlounge.net
Hanbrucher Strasse 33, 52064 Aachen
Amtsgericht Aachen HRB 15170
Geschäftsführer: Dr. Ben Scheffler, Christian Scholz

email: info at comlounge.net
fon: +49-241-4007300
fax: +49-241-97900850

personal email: cs at comlounge.net
personal blog: http://mrtopf.de/blog
personal podcasts: http://openweb-podcast.de, http://datawithoutborders.net
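The delegated-token flow Tommi sketches above (the client authenticates at the identity provider, receives tokens, and hands those, never its password, to the region) combined with Christian's point that a minimum set of data could be released automatically, as an added example that is not part of this thread or of any OpenSim code. It assumes an HMAC secret shared between the identity provider and the region, and constructed scope names such as profile:read and assets:read.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed assumption: a secret shared between the identity provider (IdP)
# and one region, established out of band. A real deployment would rather use
# per-region keys or public-key signatures, but the checks below are the same.
SECRET = b"constructed-idp-region-shared-secret"

# Minimum scope granted to every region automatically (Christian's "minimum
# set"); anything beyond it must be granted explicitly by the user.
DEFAULT_SCOPES = {"profile:read"}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def issue_token(user, audience, extra_scopes=(), ttl=300, now=None):
    """IdP side: after the user has authenticated at the IdP, mint a token bound
    to one region (audience), a scope set and an expiry. The password never
    leaves the IdP; only this token travels to the region."""
    now = time.time() if now is None else now
    payload = {"sub": user, "aud": audience, "exp": int(now + ttl),
               "scope": sorted(DEFAULT_SCOPES | set(extra_scopes))}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token, audience, needed_scope, now=None):
    """Region side: accept only a token the IdP signed, addressed to this region,
    unexpired and carrying the scope the request needs. Returns the user
    name on success, None otherwise."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):   # tampered or not from the IdP
        return None
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if payload["aud"] != audience or payload["exp"] < now:  # wrong region / stale
        return None
    if needed_scope not in payload["scope"]:      # e.g. assets:write never granted
        return None
    return payload["sub"]
```

A token minted for one region is useless at another, so a region that leaks or replays it gains nothing beyond the scopes its own user granted it.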