[Opensim-dev] OAuth as authentication and authorisation (capability) specification
Diva Canto
diva at metaverseink.com
Sat Apr 25 20:47:22 UTC 2009
That sounds reasonable. I should find out more about what the Web 2.0
crowd is thinking for the "service catalogue", haven't heard that before
coming from them. Because that's exactly where I have been taking OpenSim :)
Point 4 is also pretty much covered, with code already in place in
OpenSim, used by Grider. The client requests these tokens from the User
Server (ID server, whatever you want to call it), sends them to each
server it wants to use, including regions, the servers in turn verify
them with the User Server.
So far, I haven't felt the need for OpenID whatsoever. Login can be
performed directly with the User Server, it doesn't need to be
redirected from anywhere. (I have a problem with those redirections,
they are utterly unsafe; if they can be avoided, they should. And I
think they can.)
Christian Scholz wrote:
> Diva Canto schrieb:
>> Let's focus on the goal, before discussing techniques: "I would like
>> to use my google identity in OpenSim as soon as possible :)"
>>
>> Once you've been ID'ed, where would your user services be?
>
> For instance by using a service catalogue which is bound to your OpenID
> and lists where
>
> - your profile is (could be implemented using PortableContacts/OpenSocial)
> - your inventory is (maybe multiple of them)
> - your preferred IM service is (could be Jabber or IRC or something else)
> - your contacts are stored (again could be OpenSocial)
>
> and so on.
>
> This could all be put into an XRDS file which is used by OpenID in the
> discovery step already.
>
> So a workflow might roughly look like this:
>
> 1. A user enters two things: An OpenID and the region URL to connect to
> 2. The client performs an OpenID authentication and retrieves the
> Service Catalogue associated with it.
> 3. The client connects to the region and passes the Service Catalogue
> over (after all the region needs profile data and so on)
> 4. The client retrieves access tokens for those services which it has
> been allowed to pass to regions it connects to.
> 5. The client sends the necessary access tokens to the region
> 6. The region retrieves the necessary information (e.g. profile data and
> avatar info) and connects the client to the simulation
>
> The big question is 4. and how this is being handled. But as said in an
> earlier reply, this is exactly what many people are thinking about right
> now.
>
> Another question might also be what the client's responsibility is and
> what the region's. Of course it could all also be routed through the
> client but in general I would assume that simulation related things are
> faster if handled by the region. At least it needs to be allowed to
> cache those as long as the user is active.
>
> But that's more loud thinking here. I might come back with some proposal
> which has got some more thinking :-)
>
> -- Christian
>
>
>
>>
>>
>> Tommi Laukkanen wrote:
>>> Hello
>>>
>>> OAuth seems to provide OpenSimulator server side authentication and
>>> authorisation needs. If you are interested in this area please read
>>> this page and especially the "What is it for"-chapter:
>>>
>>> http://oauth.net/about/
>>>
>>> "Is OAuth a New Concept?"-chapter is a good read as well.
>>>
>>> Essentially it looks like a way to pass capabilities to servers. For
>>> example you might give opensim region limited access to your
>>> inventory.
>>>
>>> More details can be found from their community wiki:
>>>
>>> http://wiki.oauth.net/
>>>
>>> Does anyone know other specifications for service level authentication
>>> and authorisation (as opposed to browser and user level authentication
>>> like OpenID and SAML)?
>>>
>>> As you can see from the wiki front page, for example Google offers a
>>> standard OAuth API. I would like to use my Google identity in OpenSim
>>> as soon as possible :). Someone might want to use AOL, Flickr, Amazon,
>>> Yahoo or Facebook which are already supported. The big difference is
>>> here that you need not pass your secret password to the OpenSim server or
>>> go to the OpenID login page at the provider. Idealistviewer could handle
>>> authentication with Google and pass the capability tokens to the region
>>> when connecting to it.
>>>
>>> If you want to help Metaverse be realised in shortest possible time
>>> please study OAuth and alternative approaches if such exist. I believe
>>> this area needs some OpenSim community focus to get it properly sorted
>>> for next technology leap. I hear a new version of CableBeach is coming
>>> out and it would be great to have standards compliant solution in
>>> capabilities area. By standards compliant I mean a solution which can
>>> hook to major identity provider players as of now. The claim of this
>>> post is that it is already possible with OAuth specification which has
>>> been written by experts of the area.
>>>
>>> If all those major players are supporting OAuth I think it is a strong
>>> signal that the technology is good and mature. My understanding is
>>> that it is very well compliant with OpenSim needs as well.
>>>
>>> -tommi
>>> _______________________________________________
>>> Opensim-dev mailing list
>>> Opensim-dev at lists.berlios.de
>>> https://lists.berlios.de/mailman/listinfo/opensim-dev
>>>
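The token flow Diva describes above (client obtains tokens from the User Server, hands them to each server it uses, and that server verifies them back with the User Server), modelled as an added example that is not OpenSim or Grider code. The audience binding and expiry are assumptions added here to show why a token issued for one service should not be accepted by another; all names and values are constructed.

```python
import secrets
import time


class UserServer:
    """Issues opaque tokens and answers verification queries from services.

    Assumption (not from the thread): each token is bound to one audience
    (the service it may be presented to) and to an expiry time.
    """

    def __init__(self):
        self._tokens = {}  # token -> (user, audience, expiry)

    def issue(self, user, audience, ttl=300, now=None):
        now = time.time() if now is None else now
        tok = secrets.token_urlsafe(32)  # opaque, unguessable handle
        self._tokens[tok] = (user, audience, now + ttl)
        return tok

    def verify(self, token, audience, now=None):
        """Return the user the token belongs to, or None if it is not valid
        for this audience (unknown, wrong service, or expired)."""
        now = time.time() if now is None else now
        rec = self._tokens.get(token)
        if rec is None:
            return None
        user, aud, exp = rec
        if aud != audience or now >= exp:
            return None
        return user


class Region:
    """A region accepts a token only after the User Server confirms it."""

    def __init__(self, name, user_server):
        self.name, self.us = name, user_server

    def connect(self, token, now=None):
        user = self.us.verify(token, self.name, now)
        return {"ok": user is not None, "user": user}


def demo():
    us = UserServer()
    t0 = 1_000_000.0                                    # constructed clock
    inv_tok = us.issue("diva", "inventory.example", now=t0)
    reg_tok = us.issue("diva", "region-a", now=t0)
    region_a, region_b = Region("region-a", us), Region("region-b", us)
    return [
        region_a.connect(reg_tok, now=t0 + 10)["ok"],   # right audience
        region_a.connect(inv_tok, now=t0 + 10)["ok"],   # inventory token at a region
        region_b.connect(reg_tok, now=t0 + 10)["ok"],   # region-a token at region-b
        region_a.connect(reg_tok, now=t0 + 600)["ok"],  # expired
    ]
```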