[Opensim-dev] OAuth as authentication and authorisation (capability) specification

Christian Scholz cs at comlounge.net
Sat Apr 25 20:57:35 UTC 2009


Diva Canto wrote:
> That sounds reasonable. I should find out more about what the Web 2.0 
> crowd is thinking for the "service catalogue", haven't heard that before 
> coming from them. Because that's exactly where I have been taking OpenSim :)

We have been talking about it quite a bit in early 2008 in the 
DataPortability Group. There was also some discussion about that concept 
in the DiSo group.

But more generally it's of course simply service discovery. You have some 
resource and you want to know which APIs it might support. So basically 
it's the same as what the OpenID libs do when they try to find out e.g. what 
OpenID versions that OpenID supports. That's what YADIS does in the 
OpenID spec and it uses the XRDS format for it.

Eran is now busy working on a simpler solution for that and what he came 
up with is LRDD for obtaining the link to some service description file 
and XRD for the format for that file:

http://www.hueniverse.com/hueniverse/discovery/

I myself am working on an example with an extended XRDS file which lets 
you use your profile stored on MySpace inside another social network or 
OpenSim. I hope to get this finished soon (MySpace provides 
PortableContacts/OpenSocial for retrieving the profile).

> Point 4 is also pretty much covered, with code already in place in 
> OpenSim, used by Grider. The client requests these tokens from the User 
> Server (ID server, whatever you want to call it), sends them to each 
> server it wants to use, including regions, the servers in turn verify 
> them with the User Server.

But I assume that this won't work with services outside the OpenSim 
realm? (e.g. MySpace)

> So far, I haven't felt the need for OpenID whatsoever. Login can be 
> performed directly with the User Server, it doesn't need to be 
> redirected from anywhere. (I have a problem with those redirections, 
> they are utterly unsafe; if they can be avoided, they should. And I 
> think they can.)

The reason I like OpenID and OAuth is that it will allow me, in the future, 
to manage a limited set of identities properly. There is no need to 
create yet another account with profiles etc. on each service. This is 
also very much where the discussions in the social networking space are 
heading right now and it would be great if I could reuse the same things 
in OpenSim, too.

-- Christian



> 
> 
> Christian Scholz wrote:
>> Diva Canto wrote:
>>> Let's focus on the goal, before discussing techniques: "I would like 
>>> to use my google identity in OpenSim as soon as possible :)"
>>>
>>> Once you've been ID'ed, where would your user services be?
>> For instance by using a service catalogue which is bound to your OpenID 
>> and lists where
>>
>> - your profile is (could be implemented using PortableContacts/OpenSocial)
>> - your inventory is (maybe multiple of them)
>> - your preferred IM service is (could be Jabber or IRC or something else)
>> - your contacts are stored (again could be OpenSocial)
>>
>> and so on.
>>
>> This could all be put into an XRDS file which is used by OpenID in the 
>> discovery step already.
>>
>> So a workflow might roughly look like this:
>>
>> 1. A user enters two things: An OpenID and the region URL to connect to
>> 2. The client performs an OpenID authentication and retrieves the 
>> Service Catalogue associated with it.
>> 3. The client connects to the region and passes the Service Catalogue 
>> over (after all the region needs profile data and so on)
>> 4. The client retrieves access tokens for those services which it has 
>> been allowed to pass to regions it connects to.
>> 5. The client sends the necessary access tokens to the region
>> 6. The region retrieves the necessary information (e.g. profile data and 
>> avatar info) and connects the client to the simulation
>>
>> The big question is 4. and how this is being handled. But as said in an 
>> earlier reply, this is exactly what many people are thinking about right 
>> now.
>>
>> Another question might also be what the client's responsibility is and 
>> what the region's. Of course it could all also be routed through the 
>> client but in general I would assume that simulation related things are 
>> faster if handled by the region. At least it needs to be allowed to 
>> cache those as long as the user is active.
>>
>> But that's more loud thinking here. I might come back with some proposal 
>> which has got some more thinking :-)
>>
>> -- Christian
>>
>>
>>
>>>
>>> Tommi Laukkanen wrote:
>>>> Hello
>>>>
>>>> OAuth seems to provide for OpenSimulator's server-side authentication and
>>>> authorisation needs. If you are interested in this area please read
>>>> this page and especially the "What is it for"-chapter:
>>>>
>>>> http://oauth.net/about/
>>>>
>>>> "Is OAuth a New Concept?"-chapter is a good read as well.
>>>>
>>>> Essentially it looks like a way to pass capabilities to servers. For
>>>> example you might give an OpenSim region limited access to your
>>>> inventory.
>>>>
>>>> More details can be found in their community wiki:
>>>>
>>>> http://wiki.oauth.net/
>>>>
>>>> Does anyone know other specifications for service level authentication
>>>> and authorisation (as opposed to browser and user level authentication
>>>> like OpenID and SAML)?
>>>>
>>>> As you can see from the wiki front page, for example Google offers
>>>> a standard OAuth API. I would like to use my Google identity in OpenSim
>>>> as soon as possible :). Someone might want to use AOL, Flickr, Amazon,
>>>> Yahoo or Facebook which are already supported. The big difference
>>>> here is that you need not pass your secret password to the opensim server or
>>>> go to the OpenID login page at the provider. Idealistviewer could handle
>>>> authentication with Google and pass the capability tokens to the region
>>>> when connecting to it.
>>>>
>>>> If you want to help the Metaverse be realised in the shortest possible time
>>>> please study OAuth and alternative approaches if such exist. I believe
>>>> this area needs some OpenSim community focus to get it properly sorted
>>>> for the next technology leap. I hear a new version of CableBeach is coming
>>>> out and it would be great to have a standards-compliant solution in
>>>> the capabilities area. By standards-compliant I mean a solution which can
>>>> hook to the major identity provider players as of now. The claim of this
>>>> post is that it is already possible with the OAuth specification which has
>>>> been written by experts of the area.
>>>>
>>>> If all those major players are supporting OAuth I think it is a strong
>>>> signal that the technology is good and mature. My understanding is
>>>> that it is very well compliant with OpenSim needs as well.
>>>>
>>>> -tommi
>>>> _______________________________________________
>>>> Opensim-dev mailing list
>>>> Opensim-dev at lists.berlios.de
>>>> https://lists.berlios.de/mailman/listinfo/opensim-dev
>>>>


-- 
COM.lounge GmbH
http://comlounge.net
Hanbrucher Strasse 33, 52064 Aachen
Amtsgericht Aachen HRB 15170
Managing directors: Dr. Ben Scheffler, Christian Scholz

email: info at comlounge.net
fon: +49-241-4007300
fax: +49-241-97900850

personal email: cs at comlounge.net
personal blog: http://mrtopf.de/blog
personal podcasts: http://openweb-podcast.de, http://datawithoutborders.net
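The capability-token exchange the thread discusses (a region presenting a user-delegated OAuth 1.0a token to an inventory service, which verifies it), as an added example that is not code from the thread, from OpenSim, or from any project named above; the service names, secrets, token scope rule and replay window are my own assumptions.

```python
# OAuth 1.0a (RFC 5849) HMAC-SHA1 signing and verification for the capability-token
# exchange discussed in this thread.  Added example, not code from the thread or from
# OpenSim; every key, token, URL and path below is a constructed sample value.
import base64, hashlib, hmac, time, uuid
from urllib.parse import quote, urlsplit

def pct(s):                       # RFC 3986 encoding with OAuth's "unreserved" set
    return quote(str(s), safe="-._~")

def signature_base(method, url, params):  # RFC 5849 section 3.4.1
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def sign(method, url, params, consumer_secret, token_secret):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def build_request(method, url, query, ckey, csecret, token, tsecret, ts=None, nonce=None):
    # Client (region) side: add the oauth_* protocol parameters and sign the whole set.
    p = dict(query, oauth_consumer_key=ckey, oauth_token=token, oauth_version="1.0",
             oauth_signature_method="HMAC-SHA1", oauth_timestamp=str(ts or int(time.time())),
             oauth_nonce=nonce or uuid.uuid4().hex)
    p["oauth_signature"] = sign(method, url, p, csecret, tsecret)
    return p

class InventoryService:  # resource server; tokens: token -> (consumer_key, secret, path scope)
    def __init__(self, consumers, tokens, window=300):
        self.consumers, self.tokens, self.window, self.seen = consumers, tokens, window, set()

    def verify(self, method, url, params, now=None):
        p = dict(params)
        sig = p.pop("oauth_signature", "")
        ckey = p.get("oauth_consumer_key")
        issued_to, tsecret, scope = self.tokens.get(p.get("oauth_token"), (None, None, ""))
        if ckey not in self.consumers or issued_to != ckey:
            return False              # unknown consumer, or a token issued to a different consumer
        if not urlsplit(url).path.startswith(scope):
            return False              # the token is a capability for one part of the inventory only
        try:
            stale = abs((now or int(time.time())) - int(p["oauth_timestamp"])) > self.window
        except (KeyError, ValueError):
            return False
        seen_key = (ckey, p["oauth_timestamp"], p.get("oauth_nonce"))
        if stale or seen_key in self.seen or p.get("oauth_signature_method") != "HMAC-SHA1":
            return False              # expired, replayed, or signature method downgraded
        if not hmac.compare_digest(sign(method, url, p, self.consumers[ckey], tsecret).encode(), sig.encode()):
            return False              # parameters tampered with, or wrong consumer/token secrets
        self.seen.add(seen_key)
        return True
```

The scope check is what makes the token a capability in Tommi's sense: the same token that opens one user's inventory folders is refused for another user's path even though its signature is valid.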
