[Opensim-dev] OAuth as authentication and authorisation (capability) specification

Christian Scholz cs at comlounge.net
Sat Apr 25 20:37:06 UTC 2009


Diva Canto wrote:
> Let's focus on the goal, before discussing techniques: "I would like to 
> use my google identity in OpenSim as soon as possible :)"
> 
> Once you've been ID'ed, where would your user services be?

For instance by using a service catalogue which is bound to your OpenID 
and lists where

- your profile is (could be implemented using PortableContacts/OpenSocial)
- your inventory is (maybe multiple of them)
- your preferred IM service is (could be Jabber or IRC or something else)
- your contacts are stored (again could be OpenSocial)

and so on.

This could all be put into an XRDS file which is used by OpenID in the 
discovery step already.

So a workflow might roughly look like this:

1. A user enters two things: An OpenID and the region URL to connect to
2. The client performs an OpenID authentication and retrieves the 
Service Catalogue associated with it.
3. The client connects to the region and passes the Service Catalogue 
over (after all the region needs profile data and so on)
4. The client retrieves access tokens for those services which it has 
been allowed to pass to regions it connects to.
5. The client sends the necessary access tokens to the region
6. The region retrieves the necessary information (e.g. profile data and 
avatar info) and connects the client to the simulation

The big question is 4. and how this is being handled. But as said in an 
earlier reply, this is exactly what many people are thinking about right 
now.

Another question might also be what the client's responsibility is and 
what the region's. Of course it could all also be routed through the 
client but in general I would assume that simulation related things are 
faster if handled by the region. At least it needs to be allowed to 
cache those as long as the user is active.

But that's more loud thinking here. I might come back with some proposal 
which has got some more thinking :-)

-- Christian



> 
> 
> Tommi Laukkanen wrote:
>> Hello
>>
>> OAuth seems to provide OpenSimulator server side authentication and
>> authorisation needs. If you are interested in this area please read
>> this page and especially the "What is it for"-chapter:
>>
>> http://oauth.net/about/
>>
>> "Is OAuth a New Concept?"-chapter is a good read as well.
>>
>> Essentially it looks like a way to pass capabilities to servers. For
>> example you might give opensim region limited access to your
>> inventory.
>>
>> More details can be found from their community wiki:
>>
>> http://wiki.oauth.net/
>>
>> Does anyone know other specifications for service level authentication
>> and authorisation (as opposed to browser and user level authentication
>> like OpenID and SAML)?
>>
>> As you can see from the wiki front page for example google offers
>> standard oauth api. I would like to use my google identity in OpenSim
>> as soon as possible :). Someone might want to use AOL, Flickr, Amazon,
>> yahoo or facebook which are already supported. The big difference is
>> here that you need not pass your secret password to opensim server or
>> go to openid login page at the provider. Idealistviewer could handle
>> authentication with google and pass the capability tokens to region
>> when connecting to it.
>>
>> If you want to help Metaverse be realised in shortest possible time
>> please study OAuth and alternative approaches if such exist. I believe
>> this area needs some OpenSim community focus to get it properly sorted
>> for next technology leap. I hear a new version of CableBeach is coming
>> out and it would be great to have standards compliant solution in
>> capabilities area. By standards compliant I mean a solution which can
>> hook to major identity provider players as of now. The claim of this
>> post is that it is already possible with OAuth specification which has
>> been written by experts of the area.
>>
>> If all those major players are supporting OAuth I think it is a strong
>> signal that the technology is good and mature. My understanding is
>> that it is very well compliant with OpenSim needs as well.
>>
>> -tommi
>> _______________________________________________
>> Opensim-dev mailing list
>> Opensim-dev at lists.berlios.de
>> https://lists.berlios.de/mailman/listinfo/opensim-dev
>>


-- 
COM.lounge GmbH
http://comlounge.net
Hanbrucher Strasse 33, 52064 Aachen
Amtsgericht Aachen HRB 15170
Managing directors: Dr. Ben Scheffler, Christian Scholz

email: info at comlounge.net
fon: +49-241-4007300
fax: +49-241-97900850

personal email: cs at comlounge.net
personal blog: http://mrtopf.de/blog
personal podcasts: http://openweb-podcast.de, http://datawithoutborders.net
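
Steps 2 to 4 of the workflow in the message above, as an added example (not part of the original message or of OpenSim): parse an XRDS service catalogue and work out which services the client should request region-bound access tokens for. The example.org type URIs, the endpoints and the `delegable` policy set are assumptions made for illustration; only the XRDS namespaces and element names come from the XRDS format itself.

```python
import xml.etree.ElementTree as ET

XRD_NS = {"xrds": "xri://$xrds", "xrd": "xri://$xrd*($v*2.0)"}

# Constructed XRDS document; the example.org type URIs and endpoints are hypothetical.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://id.example.org/openid</URI>
    </Service>
    <Service priority="10">
      <Type>http://example.org/svc/profile</Type>
      <URI>https://profiles.example.org/alice</URI>
    </Service>
    <Service priority="10">
      <Type>http://example.org/svc/inventory</Type>
      <URI>https://inv1.example.org/alice</URI>
      <URI>http://inv2.example.org/alice</URI>
    </Service>
    <Service priority="20">
      <Type>http://example.org/svc/im</Type>
      <URI>xmpp:alice@im.example.org</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""

def parse_catalogue(xrds_text):
    """Map each service Type URI to its list of endpoint URIs."""
    # A catalogue fetched from the network is untrusted input: in production,
    # parse it with a hardened XML parser (for example the defusedxml package).
    root = ET.fromstring(xrds_text)
    catalogue = {}
    for svc in root.iterfind("xrd:XRD/xrd:Service", XRD_NS):
        uris = [u.text.strip() for u in svc.iterfind("xrd:URI", XRD_NS) if u.text]
        for t in svc.iterfind("xrd:Type", XRD_NS):
            if t.text:
                catalogue.setdefault(t.text.strip(), []).extend(uris)
    return catalogue

def token_requests(catalogue, delegable, region_url):
    """Step 4: (service type, endpoint, region) triples that need an access token."""
    requests = []
    for svc_type in sorted(catalogue.keys() & delegable):
        for uri in catalogue[svc_type]:
            if uri.startswith("https://"):  # never send a token to a cleartext endpoint
                requests.append((svc_type, uri, region_url))
    return requests
```

Keeping the region URL in each request is what lets a service issue a token scoped to one region, so that a token handed to one region is not usable by another.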
