[Opensim-dev] OAuth as authentication and authorisation (capability) specification

Diva Canto diva at metaverseink.com
Sat Apr 25 21:15:00 UTC 2009


Christian Scholz wrote:
> We have been talking about it quite a bit in early 2008 in the 
> DataPortability Group. There was also some discussion about that concept 
> in the DiSo group.
> 
> [...]

Cool.

>> Point 4 is also pretty much covered, with code already in place in 
>> OpenSim, used by Grider. The client requests these tokens from the 
>> User Server (ID server, whatever you want to call it), sends them to 
>> each server it wants to use, including regions, the servers in turn 
>> verify them with the User Server.
> 
> But I assume that this won't work with services outside the OpenSim 
> realm? (e.g. MySpace)

I haven't been thinking of those uses, but I don't see any reason why it 
shouldn't work in exactly the same way. You need: (a) an ID server; (b) 
a client for the user; (c) a bunch of services that the user uses.
Upon login, a master key is given to the client. That master key is then 
used by the client to request tokens from the ID server for each service 
that the user wants to use. Those tokens are sent along the first time 
the client accesses the services, and the services verify the tokens 
with the given authority in them.

If you want to see how this key request/verification process currently 
works in OpenSim, take a look at 
OpenSim/Framework/Communications/UserManagerBase -- at the very end of 
that file.

Those keys are sent along authenticated requests, as for example in
OpenSim/Framework/Communications/Services/HGInventoryService.
This particular service then establishes a bunch of CAP URLs for secure 
access to inventory.

Service discovery is another matter, I think. For starters, we can 
assume that the user explicitly specifies the URLs of the services 
he/she uses -- so that service catalogue you mentioned -- in his/her ID server.


> The reason I like OpenID and OAuth is that it will allow in the future 
> to manage a limited set of identities properly. There is no need to 
> create yet another account with profiles etc. on each service. This is 
> also very much where the discussions in the social networking space are 
> heading right now and it would be great if I can reuse the same things 
> in OpenSim, too.

You don't need OpenID redirects to do this. You log in directly with your 
ID service.
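The login/token/verification flow sketched in this reply (login yields a master key, the client trades it for one token per service, each service verifies the token with the authority named in it and then hands out capability URLs), written out as an added Python example. This is not OpenSim's code nor the poster's: the class and function names, the `authority|secret` token format, the in-memory `AUTHORITIES` registry standing in for an HTTP callback to the ID server, the single-use and service-binding checks, and the demo credentials are all assumptions made here.

```python
import hmac
import secrets
import time

# Constructed demo credential store; a real User Server checks a password
# hash against its user database.
USERS = {"alice": "correct-horse"}

# Stands in for "the authority in the token": maps an ID-server URL to the
# object that answers verification requests, in place of an HTTP round trip.
# A real service would also keep a list of ID servers it is willing to trust.
AUTHORITIES = {}


class IDServer:
    """Assumed-name stand-in for the OpenSim User Server / ID server."""

    def __init__(self, url, ttl=300):
        self.url = url
        self.ttl = ttl
        self._master_keys = {}   # user -> master key handed out at login
        self._tokens = {}        # token secret -> (user, service_url, expiry)
        AUTHORITIES[url] = self

    def login(self, user, password):
        if not hmac.compare_digest(USERS.get(user, ""), password):
            raise PermissionError("bad credentials")
        key = secrets.token_hex(16)
        self._master_keys[user] = key
        return key

    def request_token(self, user, master_key, service_url):
        known = self._master_keys.get(user, "")
        if not hmac.compare_digest(known, master_key):
            raise PermissionError("master key does not match")
        secret = secrets.token_urlsafe(24)
        # Bind the token to one service and give it a short lifetime.
        self._tokens[secret] = (user, service_url, time.time() + self.ttl)
        # The token names its issuing authority so a service knows whom to ask.
        return f"{self.url}|{secret}"

    def verify(self, secret, service_url):
        # Single use: pop so a replayed or misdirected token verifies nothing.
        rec = self._tokens.pop(secret, None)
        if rec is None:
            return None
        user, bound_service, expiry = rec
        if bound_service != service_url or time.time() > expiry:
            return None
        return user


class Service:
    """Any service the user uses (region, inventory, ...). It verifies the
    token with the authority named in it and hands back a capability URL."""

    def __init__(self, url):
        self.url = url
        self._caps = {}   # capability URL -> user

    def present_token(self, token):
        authority_url, _, secret = token.partition("|")
        authority = AUTHORITIES.get(authority_url)
        if authority is None:
            return None          # unknown ID server: refuse rather than guess
        user = authority.verify(secret, self.url)
        if user is None:
            return None
        cap = f"{self.url}/caps/{secrets.token_urlsafe(16)}"
        self._caps[cap] = user
        return cap

    def who_holds(self, cap):
        return self._caps.get(cap)


def client_session(id_server, user, password, service):
    """Client side: log in once, then fetch a token for the given service
    and present it on first contact. Returns the capability URL or None."""
    master_key = id_server.login(user, password)
    token = id_server.request_token(user, master_key, service.url)
    return service.present_token(token)


if __name__ == "__main__":
    # Constructed URLs; nothing here contacts the network.
    idp = IDServer("http://id.example")
    inventory = Service("http://inventory.example")
    cap = client_session(idp, "alice", "correct-horse", inventory)
    print("capability for", inventory.who_holds(cap), "->", cap)
```

The two checks worth noticing are in `verify`: the token is consumed on first use, so a token that leaks after presentation is worthless, and it is bound to the service URL it was requested for, so a token meant for the inventory service does nothing at a region. The ID server never sees the capability URL; that is the service's own secret with the user.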
