[Opensim-dev] OAuth as authentication and authorisation (capability) specification

Christian Scholz cs at comlounge.net
Sat Apr 25 21:15:41 UTC 2009


I forgot to add something.


Diva Canto wrote:
> So far, I haven't felt the need for OpenID whatsoever. Login can be 
> performed directly with the User Server, it doesn't need to be 
> redirected from anywhere. (I have a problem with those redirections, 
> they are utterly unsafe; if they can be avoided, they should. And I 
> think they can.)

Actually the redirection part in the OAuth spec is only one way to 
obtain access tokens and is very much tailored towards a web browser 
situation. One can nevertheless invent different ways of obtaining them 
but still use the signing method of OAuth.

-- Christian


> 
> 
> Christian Scholz wrote:
>> Diva Canto wrote:
>>> Let's focus on the goal, before discussing techniques: "I would like 
>>> to use my google identity in OpenSim as soon as possible :)"
>>>
>>> Once you've been ID'ed, where would your user services be?
>> For instance by using a service catalogue which is bound to your OpenID 
>> and lists where
>>
>> - your profile is (could be implemented using PortableContacts/OpenSocial)
>> - your inventory is (maybe multiple of them)
>> - your preferred IM service is (could be Jabber or IRC or something else)
>> - your contacts are stored (again could be OpenSocial)
>>
>> and so on.
>>
>> This could all be put into an XRDS file which is used by OpenID in the 
>> discovery step already.
>>
>> So a workflow might roughly look like this:
>>
>> 1. A user enters two things: An OpenID and the region URL to connect to
>> 2. The client performs an OpenID authentication and retrieves the 
>> Service Catalogue associated with it.
>> 3. The client connects to the region and passes the Service Catalogue 
>> over (after all the region needs profile data and so on)
>> 4. The client retrieves access tokens for those services which it has 
>> been allowed to pass to regions it connects to.
>> 5. The client sends the necessary access tokens to the region
>> 6. The region retrieves the necessary information (e.g. profile data and 
>> avatar info) and connects the client to the simulation
>>
>> The big question is 4. and how this is being handled. But as said in an 
>> earlier reply, this is exactly what many people are thinking about right 
>> now.
>>
>> Another question might also be what the client's responsibility is and 
>> what the region's. Of course it could all also be routed through the 
>> client but in general I would assume that simulation related things are 
>> faster if handled by the region. At least it needs to be allowed to 
>> cache those as long as the user is active.
>>
>> But that's more loud thinking here. I might come back with some proposal 
>> which has got some more thinking :-)
>>
>> -- Christian
>>
>>
>>
>>>
>>> Tommi Laukkanen wrote:
>>>> Hello
>>>>
>>>> OAuth seems to provide OpenSimulator server side authentication and
>>>> authorisation needs. If you are interested in this area please read
>>>> this page and especially the "What is it for"-chapter:
>>>>
>>>> http://oauth.net/about/
>>>>
>>>> "Is OAuth a New Concept?"-chapter is a good read as well.
>>>>
>>>> Essentially it looks like a way to pass capabilities to servers. For
>>>> example you might give opensim region limited access to your
>>>> inventory.
>>>>
>>>> More details can be found from their community wiki:
>>>>
>>>> http://wiki.oauth.net/
>>>>
>>>> Does anyone know other specifications for service level authentication
>>>> and authorisation (as opposed to browser and user level authentication
>>>> like OpenID and SAML)?
>>>>
>>>> As you can see from the wiki front page, for example Google offers a
>>>> standard OAuth API. I would like to use my Google identity in OpenSim
>>>> as soon as possible :). Someone might want to use AOL, Flickr, Amazon,
>>>> Yahoo or Facebook, which are already supported. The big difference
>>>> here is that you need not pass your secret password to the opensim server or
>>>> go to the OpenID login page at the provider. Idealistviewer could handle
>>>> authentication with Google and pass the capability tokens to the region
>>>> when connecting to it.
>>>>
>>>> If you want to help the Metaverse be realised in the shortest possible time,
>>>> please study OAuth and alternative approaches if such exist. I believe
>>>> this area needs some OpenSim community focus to get it properly sorted
>>>> for the next technology leap. I hear a new version of CableBeach is coming
>>>> out and it would be great to have a standards-compliant solution in the
>>>> capabilities area. By standards-compliant I mean a solution which can
>>>> hook into the major identity provider players as of now. The claim of this
>>>> post is that it is already possible with the OAuth specification, which has
>>>> been written by experts in the area.
>>>>
>>>> If all those major players are supporting OAuth I think it is a strong
>>>> signal that the technology is good and mature. My understanding is
>>>> that it is very well compliant with OpenSim needs as well.
>>>>
>>>> -tommi
>>>> _______________________________________________
>>>> Opensim-dev mailing list
>>>> Opensim-dev at lists.berlios.de
>>>> https://lists.berlios.de/mailman/listinfo/opensim-dev
>>>>
>>


-- 
COM.lounge GmbH
http://comlounge.net
Hanbrucher Strasse 33, 52064 Aachen
Amtsgericht Aachen HRB 15170
Managing Directors: Dr. Ben Scheffler, Christian Scholz

email: info at comlounge.net
phone: +49-241-4007300
fax: +49-241-97900850

personal email: cs at comlounge.net
personal blog: http://mrtopf.de/blog
personal podcasts: http://openweb-podcast.de, http://datawithoutborders.net
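The point made above, that the OAuth signing method can be used on its own once an access token has been obtained by whatever means (not necessarily the browser redirect dance), is illustrated here with an added example. It is not code from OpenSim, CableBeach or any of the posters; it is a self-contained OAuth 1.0a HMAC-SHA1 signer and verifier in Python, written for this page. A region (the OAuth consumer) signs a request to an inventory service with a user-delegated access token, and the inventory service verifies the signature, enforces a timestamp window and rejects nonce replay. All credentials, the `inventory.example.net` URL, the `ResourceServer` class and the helper names are assumptions for the example; the one real reference point is the HMAC-SHA1 test vector from Appendix A of the OAuth Core 1.0 specification, which `spec_vector_ok()` checks.

```python
import base64
import hashlib
import hmac
import time
import urllib.parse
import uuid

# Constructed sample credentials (example values only, not from any real service).
CONSUMER_KEY = "region-sim-42"
CONSUMER_SECRET = "consumer-secret-example"
ACCESS_TOKEN = "inv-token-abc"
ACCESS_TOKEN_SECRET = "token-secret-example"


def percent_encode(value):
    # OAuth 1.0a encoding: RFC 3986 unreserved characters (A-Z a-z 0-9 - . _ ~) are
    # left alone, everything else is %XX in upper case.
    return urllib.parse.quote(str(value), safe="-._~")


def normalize_url(url):
    # Base string URI: lower-case scheme and host, default ports dropped, no query.
    p = urllib.parse.urlsplit(url)
    scheme, host, port = p.scheme.lower(), p.hostname.lower(), p.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{p.path or '/'}"


def signature_base_string(method, url, params):
    # params: the oauth_* protocol parameters plus any form-body parameters;
    # query-string parameters from the URL are merged in. oauth_signature is excluded.
    query = urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query, keep_blank_values=True)
    pairs = [(percent_encode(k), percent_encode(v)) for k, v in list(params.items()) + query]
    pairs.sort()  # by encoded key, then encoded value, as the spec requires
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), percent_encode(normalize_url(url)), percent_encode(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret):
    # Key is consumer secret and token secret, each percent-encoded, joined by '&'.
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, consumer_key, consumer_secret, token, token_secret,
                 nonce=None, timestamp=None):
    """Consumer side (e.g. a region holding a user-delegated token): build signed params."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_nonce": nonce or uuid.uuid4().hex,
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = hmac_sha1_signature(
        signature_base_string(method, url, params), consumer_secret, token_secret)
    return params


class ResourceServer:
    """Verifier side (e.g. an inventory service): signature, freshness and replay checks."""

    def __init__(self, consumers, tokens, window=300):
        self.consumers = consumers  # consumer_key -> consumer_secret
        self.tokens = tokens        # access token -> (token_secret, owner)
        self.window = window        # accepted clock skew in seconds
        self.seen = set()           # (consumer, token, timestamp, nonce) already accepted

    def verify(self, method, url, params, now=None):
        now = int(time.time()) if now is None else now
        params = dict(params)
        sig = params.pop("oauth_signature", None)
        if sig is None or params.get("oauth_signature_method") != "HMAC-SHA1":
            return False, "missing signature or unsupported method"
        consumer_secret = self.consumers.get(params.get("oauth_consumer_key"))
        token_entry = self.tokens.get(params.get("oauth_token"))
        if consumer_secret is None or token_entry is None:
            return False, "unknown consumer or token"
        try:
            ts = int(params["oauth_timestamp"])
        except (KeyError, ValueError):
            return False, "bad timestamp"
        if abs(now - ts) > self.window:
            return False, "timestamp outside window"
        nonce_key = (params["oauth_consumer_key"], params["oauth_token"], ts, params.get("oauth_nonce"))
        if nonce_key in self.seen:
            return False, "nonce replayed"
        expected = hmac_sha1_signature(signature_base_string(method, url, params),
                                       consumer_secret, token_entry[0])
        if not hmac.compare_digest(expected, sig):  # constant-time comparison
            return False, "bad signature"
        self.seen.add(nonce_key)
        return True, token_entry[1]  # the user on whose behalf the token was issued


def spec_vector_ok():
    """Check the HMAC-SHA1 example from OAuth Core 1.0, Appendix A.5.2."""
    params = sign_request("GET", "http://photos.example.net/photos?file=vacation.jpg&size=original",
                          "dpf43f3p2l4k3l03", "kd94hf93k423kf44",
                          "nnch734d00sl2jdk", "pfkkdhi9sl3r4s00",
                          nonce="kllo9940pd9333jh", timestamp=1191242096)
    return params["oauth_signature"] == "tR3+Ty81lMeYAr/Fid0kMTYa/WM="


if __name__ == "__main__":
    url = "https://inventory.example.net/items?folder=root"
    region = sign_request("GET", url, CONSUMER_KEY, CONSUMER_SECRET, ACCESS_TOKEN, ACCESS_TOKEN_SECRET)
    inventory = ResourceServer({CONSUMER_KEY: CONSUMER_SECRET}, {ACCESS_TOKEN: (ACCESS_TOKEN_SECRET, "avatar-owner")})
    print(inventory.verify("GET", url, region))   # accepted, returns the token owner
    print(inventory.verify("GET", url, region))   # same nonce again: rejected as replay
```

Two design points worth noting: the verifier compares signatures with `hmac.compare_digest` rather than `==`, and it keys its replay set on the timestamp as well as the nonce so the set can be pruned once a timestamp falls outside the window. Neither step is a substitute for TLS, since an HMAC-SHA1 signature covers only the parameters and URL, not the response body.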



